[14516] in Kerberos
RE: Patch for making Kerberos work through Firewalls and NATs
daemon@ATHENA.MIT.EDU (John Brezak)
Wed May 30 16:12:30 2001
Date: Wed, 30 May 2001 11:48:40 -0700
Message-ID: <4AEE3169443CDD4796CA8A00B02191CDD32DD0@win-msg-01.wingroup.windeploy.ntdev.microsoft.com>
From: "John Brezak" <jbrezak@windows.microsoft.com>
To: "Wyllys Ingersoll" <Wyllys.Ingersoll@eng.sun.com>, <deengert@anl.gov>
Cc: <kerberos@MIT.EDU>
There still is a problem with addresses in the kerb-priv and kerb-safe
messages used by password change (at least). And, as was also pointed out,
the GSSAPI channel bindings used by ftp. Neither of these is a list.
How does a client find out what NAT server is being used to handle its
request? What about a multi-homed client?
> -----Original Message-----
> From: Wyllys Ingersoll [mailto:Wyllys.Ingersoll@eng.sun.com]
> Sent: Wednesday, May 30, 2001 11:43 AM
> To: deengert@anl.gov
> Cc: kerberos@MIT.EDU
> Subject: Re: Patch for making Kerberos work through Firewalls and NATs
>
>
>
> >
> >
> >Wyllys Ingersoll wrote:
> >>
> >> Is there a fix/workaround or possible way to make forwarding tickets
> >> through a NAT work?
> >
> >
> >Yes. I do it from home all the time, using rlogin or SSH with Gssapi/K5
> >authentication, then use this forwarded TGT to get AFS tokens etc.
> >
> >The trick is to add the NAT address to the list, but not just in kinit.
> >The address must be used in the service ticket requested by
> >the application. The patch posted earlier to localaddr.c looks similar
> >to what I have, and should work, as this is then called internally.
>
>
> Ahh, great. Thanks for the tip. I was trying to shortcut and avoid
> patching the library but I'll do it and see how it goes.
>
> thanks,
> wyllys
>
> >
> >>
> >> I have a hacked up 'kinit' client that puts the NAT addr in the
> >> AS_REQ (along with the hidden, local address) and I can get a TGT
> >> from the KDC on the other side. But I can't seem to use that ticket
> >> to authenticate to a telnet server on the opposite side - the server
> >> rejects my authentication saying
> >> "Read forwarded creds failed: Incorrect net address"
> >
> >The trick is to add the NAT address to the list, but not just in kinit.
> >The address must be used in the service ticket requested by
> >the application. The patch posted earlier to localaddr.c looks similar
> >to what I have, and should work, as this is then called internally.
> >
> >>
> >> -wyllys
> >>
> >> >To: "Michael Bischof" <mb@byteworks.ch>
> >> >cc: kerberos@MIT.EDU
> >> >Subject: Re: Patch for making Kerberos work through Firewalls and NATs
> >> >Date: Wed, 30 May 2001 09:50:39 -0400
> >> >From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
> >> >
> >> >>> (Doesn't solve all of your problems, though).
> >> >>
> >> >>Which problems?
> >> >
> >> >Forwarding tickets through a NAT still doesn't work, IIRC. And ftp is
> >> >a complete loss.
> >> >
> >> >--Ken
> >
> >--
> >
> > Douglas E. Engert <DEEngert@anl.gov>
> > Argonne National Laboratory
> > 9700 South Cass Avenue
> > Argonne, Illinois 60439
> > (630) 252-5444
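Added example, not from the thread and not code from any Kerberos implementation: a small Python model of the two address checks the thread is arguing about. A ticket carries a HostAddresses list, which is why Engert's fix works by listing the NAT's public address beside the client's private one both in the AS request and in the application's service-ticket request; KRB-SAFE and KRB-PRIV carry a single sender address, which is Brezak's objection. The sample addresses, the principal name and the rule that the KDC only issues service tickets whose addresses are a subset of the TGT's are assumptions of the model, and the server-side checks are a simplification of what a real server does.

```python
"""Model of the Kerberos address checks discussed in this thread.

Added example, not code from the thread or from any Kerberos release.  The
topology, the principal name and the KDC subset rule are constructed for the
illustration; the checks are a simplification of what a real server does.
"""
from dataclasses import dataclass
from typing import Sequence, Tuple

# Constructed sample topology: the client sits behind a NAT.
CLIENT_PRIVATE = "10.0.0.5"        # address the client sees on its own interface
NAT_PUBLIC = "203.0.113.7"         # address the server sees the packets come from
PRINCIPAL = "wyllys@EXAMPLE.ORG"   # constructed principal name


@dataclass(frozen=True)
class Ticket:
    client: str
    addresses: Tuple[str, ...]   # HostAddresses; an empty tuple is an addressless ticket


def as_exchange(client: str, requested: Sequence[str]) -> Ticket:
    """AS_REQ/AS_REP: the TGT carries whatever address list kinit asked for."""
    return Ticket(client, tuple(requested))


def tgs_exchange(tgt: Ticket, requested: Sequence[str]) -> Ticket:
    """TGS_REQ/TGS_REP for a service ticket.

    Assumption of this model: when the TGT has an address list, the KDC only
    issues service tickets whose addresses are a subset of it.  This is why the
    NAT address has to go into the AS_REQ first and then into the service-ticket
    request made by the application, not just into one of them.
    """
    if tgt.addresses and not set(requested) <= set(tgt.addresses):
        raise ValueError("requested addresses are not a subset of the TGT's")
    return Ticket(tgt.client, tuple(requested))


def server_accepts_ticket(ticket: Ticket, peer_ip: str) -> bool:
    """Application server check: is the peer's source IP in the ticket's list?
    An empty list means there is nothing to check (addressless ticket)."""
    return not ticket.addresses or peer_ip in ticket.addresses


def server_accepts_priv(sender_addr: str, peer_ip: str) -> bool:
    """KRB-SAFE / KRB-PRIV carry a single s-address, not a list, so the only
    comparison possible is sender address == peer address."""
    return sender_addr == peer_ip


def forwarded_login(kinit_addrs: Sequence[str], app_addrs: Sequence[str]) -> bool:
    """Whole flow: kinit obtains the TGT, the application asks for a service
    ticket, and the server checks that ticket against the NAT's address."""
    tgt = as_exchange(PRINCIPAL, kinit_addrs)
    service_ticket = tgs_exchange(tgt, app_addrs)
    return server_accepts_ticket(service_ticket, NAT_PUBLIC)


def kdc_rejects(kinit_addrs: Sequence[str], app_addrs: Sequence[str]) -> bool:
    """True when the KDC refuses the service-ticket request under the subset rule."""
    try:
        forwarded_login(kinit_addrs, app_addrs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    both = [CLIENT_PRIVATE, NAT_PUBLIC]
    print("hacked kinit only, library unpatched:",
          forwarded_login(both, [CLIENT_PRIVATE]))             # False: 'Incorrect net address'
    print("NAT address in AS_REQ and in the app's request:",
          forwarded_login(both, both))                         # True
    print("NAT address only in the app's request:",
          kdc_rejects([CLIENT_PRIVATE], both))                 # True: KDC refuses
    print("addressless tickets:", forwarded_login([], []))     # True: no check at all
    print("KRB-PRIV with the client's own address:",
          server_accepts_priv(CLIENT_PRIVATE, NAT_PUBLIC))     # False, and no list to fix it
```

The first three cases reproduce the thread: the hacked kinit alone fails at the application server, the NAT address only in the application's request fails at the KDC, and only listing it in both places succeeds. The empty-list case is the other way out that RFC 4120 permits, addressless tickets, which skip the check entirely at the cost of losing the address binding; the last case shows why no list-based fix exists for KRB-PRIV, and a multi-homed client would additionally have to guess which single address to put there.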