[14517] in Kerberos
Re: Patch for making Kerberos work through Firewalls and NATs
daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Wed May 30 16:45:20 2001
Message-ID: <3B155B9C.C77EF1C4@anl.gov>
Date: Wed, 30 May 2001 15:44:12 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: John Brezak <jbrezak@windows.microsoft.com>,
Wyllys Ingersoll <Wyllys.Ingersoll@Eng.Sun.COM>, kerberos@MIT.EDU
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
John Brezak wrote:
>
> There still is a problem with addresses in the kerb-priv and kerb-safe
> messages used by password change (at least). And as was also pointed out
> the GSSAPI channel bindings used by ftp. Neither of these are lists.
>
> How does a client find out what NAT server is being used to handle its
> request? What about a multi-homed client?
Normally the client could use the TCP getsockname and getpeername to get the
addresses of the TCP connection, so multihomed should not be a problem.
This is where I would say NAT actually violates the TCP protocol, since the
getsockname on one end of the connection should return the same value as the
getpeername on the other. (These are really socket routines and not directly
TCP routines.)
The client has no standard way that I know of to get the NAT addr that the
peer is seeing. So the mod I am using has it in a KRB5NATADDR variable,
whereas the other mod posted on the list puts it in the krb5.conf. The user
has to figure this out with the NAT box, and has to figure out if the server
is within the local network or outside, i.e. whether a NAT will take place.
(I bring up the WEB interface to the NAT box, and copy the DHCP address
it obtained.)
Is there widespread use of NAT other than for home firewalls, where
there is normally only one NAT box protecting a private network?
If there is, and there could be multiple NAT boxes connecting
a network(s) to the outside, it is extremely difficult to determine
which NAT address might be used.
As you point out, the safe and priv also use these addresses, and in 1510 the
sender address is required, but the receiver address is optional. It
also looks like in the MIT 1.2.2 code the sender address will be checked,
i.e. the receiver must pass in a sender address to rd_safe.
(Correct me if I am wrong.) This could be changed by an implementation
to ignore the address compare.
So NAT is looking worse than expected.
>
> > -----Original Message-----
> > From: Wyllys Ingersoll [mailto:Wyllys.Ingersoll@eng.sun.com]
> > Sent: Wednesday, May 30, 2001 11:43 AM
> > To: deengert@anl.gov
> > Cc: kerberos@MIT.EDU
> > Subject: Re: Patch for making Kerberos work through Firewalls and NATs
> >
> >
> >
> > >
> > >
> > >Wyllys Ingersoll wrote:
> > >>
> > >> Is there a fix/workaround or possible way to make
> > forwarding tickets
> > >> through a NAT work?
> > >
> > >
> > >Yes. I do it from home all the time, using rlogin or SSH
> > with Gssapi/K5
> > >authentication, then use this forwarded TGT to get AFS tokens etc.
> > >
> > >The trick is to add the NAT address to the list, but not just in kinit.
> > >The address must be used in the service ticket requested by
> > >the application. The patch posted earlier to localaddr.c
> > looks similar
> > >to what I have, and should work, as this is then called internally.
> >
> >
> > Ahh, great. Thanks for the tip. I was trying to shortcut and avoid
> > patching the library but I'll do it and see how it goes.
> >
> > thanks,
> > wyllys
> >
> > >
> > >>
> > >> I have a hacked up 'kinit' client that puts the NAT addr in the
> > >> AS_REQ (along with the hidden, local address) and I can get a TGT
> > >> from the KDC on the other side. But I cant seem to use that ticket
> > >> to authenticate to a telnet server on the opposite side -
> > the server
> > >> rejects my authentication saying
> > >> "Read forwarded creds failed: Incorrect net address"
> > >
> > >The trick is to add the NAT address to the list, but not just in kinit.
> > >The address must be used in the service ticket requested by
> > >the application. The patch posted earlier to localaddr.c
> > looks similar
> > >to what I have, and should work, as this is then called internally.
> > >
> > >>
> > >> -wyllys
> > >>
> > >> >To: "Michael Bischof" <mb@byteworks.ch>
> > >> >cc: kerberos@MIT.EDU
> > >> >Subject: Re: Patch for making Kerberos work through
> > Firewalls and NATs
> > >> >Date: Wed, 30 May 2001 09:50:39 -0400
> > >> >From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
> > >> >
> > >> >>> (Doesn't solve all of your problems, though).
> > >> >>
> > >> >>Which problems?
> > >> >
> > >> >Forwarding tickets through a NAT still doesn't work,
> > IIRC. And ftp is
> > >> >a complete loss.
> > >> >
> > >> >--Ken
> > >
> > >--
> > >
> > > Douglas E. Engert <DEEngert@anl.gov>
> > > Argonne National Laboratory
> > > 9700 South Cass Avenue
> > > Argonne, Illinois 60439
> > > (630) 252-5444
> >
> >
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
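Added example (editor's illustration, not MIT krb5 code and not the patch discussed in this thread): a small Python model of the two points argued above. First, on a path with no NAT, getsockname() on one end of a TCP connection equals getpeername() on the other, which is the symmetry a NAT breaks. Second, the client must put the NAT address into the address list it requests for the TGT and for every service ticket, or the server-side compare against the address it actually observed fails with the "Incorrect net address" outcome Wyllys hit. The environment variable name KRB5NATADDR is taken from the message; the function names, the HostAddress encoding helper and the sample addresses (a private 192.168.1.10 behind a NAT whose public address is 203.0.113.7, a documentation range) are the editor's constructions. KRB_SAFE/KRB_PRIV receiver addresses are not modelled.

```python
import os
import socket

# Kerberos HostAddress addr-type for IPv4 (RFC 1510 section 8.1; also RFC 4120).
ADDRTYPE_INET = 2


def loopback_endpoints():
    """Open a loopback TCP connection and return
    (client getsockname(), server-side getpeername()).

    With no NAT in the path the two tuples are identical, which is the
    symmetry the message relies on.  Returns None if loopback is unavailable."""
    try:
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        cli.connect(srv.getsockname())
        conn, _ = srv.accept()
    except OSError:
        return None
    try:
        return cli.getsockname(), conn.getpeername()
    finally:
        conn.close()
        cli.close()
        srv.close()


def host_address(dotted):
    """Encode an IPv4 address the way a Kerberos HostAddress carries it:
    (addr-type, 4-byte network-order address)."""
    return (ADDRTYPE_INET, socket.inet_aton(dotted))


def nat_address_from_env(environ=None):
    """Read the NAT address the user configured, following the KRB5NATADDR
    convention the message describes.  Returns None when unset."""
    environ = os.environ if environ is None else environ
    value = environ.get("KRB5NATADDR")
    return value or None


def ticket_addresses(local_addrs, nat_addr=None):
    """Build the address list to request in the AS-REQ and in every TGS-REQ.

    Hypothetical stand-in for a patched localaddr.c: the local interface
    addresses plus, when configured, the NAT address the far side will see.
    Duplicates are dropped so a client whose own address already is the
    NAT address (no NAT in the path) does not list it twice."""
    addrs = []
    for a in list(local_addrs) + ([nat_addr] if nat_addr else []):
        ha = host_address(a)
        if ha not in addrs:
            addrs.append(ha)
    return addrs


def sender_address_ok(ticket_addrs, peer_seen):
    """Server-side compare, as in rd_req/rd_safe: if the ticket carries an
    address list, the address the server observed for the client must be in
    it.  An empty list is an addressless ticket and always passes."""
    if not ticket_addrs:
        return True
    return host_address(peer_seen) in ticket_addrs


def forwarded_creds_check(local_addrs, nat_addr, server_sees):
    """Whole path in one call: True if the server accepts the forwarded
    credentials, False if it would report 'Incorrect net address'."""
    return sender_address_ok(ticket_addresses(local_addrs, nat_addr), server_sees)


if __name__ == "__main__":
    # Constructed sample: private 192.168.1.10 behind a NAT whose public
    # DHCP address is 203.0.113.7; the server only ever sees the latter.
    print(loopback_endpoints())
    print(forwarded_creds_check(["192.168.1.10"], None, "203.0.113.7"))          # False
    print(forwarded_creds_check(["192.168.1.10"], "203.0.113.7", "203.0.113.7"))  # True
```

The model also shows why the user, not the library, has to supply the NAT address: nothing in the socket API on the private side exposes 203.0.113.7, so the only inputs the client can add to the list are whatever it is told out of band, and a wrong guess (or a second NAT box on the path) still ends in the same server-side rejection.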