[14656] in Kerberos
Re: using Kerberos V5 with network address translation firewall?
daemon@ATHENA.MIT.EDU (Jeffrey Altman)
Thu Jul 12 05:37:39 2001
From: jaltman@watsun.cc.columbia.edu (Jeffrey Altman)
Date: 12 Jul 2001 09:25:09 GMT
Message-ID: <9ijqdl$6ee$1@newsmaster.cc.columbia.edu>
To: kerberos@MIT.EDU
In article <3AA0A47DC449D5119392000255F000F021A8F1@hqmail1.platform.com>,
Jianlin Chang <chang@platform.com> wrote:
: Searching through the Kerberos mailing list archive, especially the thread
: on subject 'Patch for making Kerberos work through Firewalls and NATs', it
: seems to indicate that there are still a number of problems, e.g., ticket
: forwarding. Can these problems be easily resolved? I don't seem to see a
: solution from those emails. Thanks.

The problem with forwarding of tickets is that when tickets are
forwarded they are sent to the host after calling
krb5_auth_con_genaddrs() with KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR.
Now this wraps the forwarded credentials in an auth context which
is bound to the local address/port and remote address/port. There is
no method that allows you to perform this binding and say,
"hey, wait a minute, whenever you see the local address 192.168.1.10,
replace it with the address of the NAT (whatever that happens to be)."

This is done to protect the credentials. The host won't accept a
credential that is permitted for use on address A if it comes from
address B. The one exception to this rule is if you decide not to
embed IP addresses in the credentials at all. In that case, the
auth context is not bound to the endpoints of the socket pair.

If you can describe a good way to write the rule that says "replace
address FOO with address NAT", we can certainly make the change in the code.
The problem in most cases is that there is no good way to know what
the NAT address is in the first place.

For C-Kermit / Kermit 95, when the NAT is a Linksys DSL / Cable Router,
I have written the following script. But it doesn't help with forwarding.

# get-linksys-addr.ksc
# This script can be used with a Linksys Ethernet Cable/DSL Router
# to retrieve the IP address for use with Kerberos 5 authentication
# when Network Address Translation (NAT) is enabled.
#
# by Frank da Cruz and Jeffrey Altman
#
# Version 1.0
if < \v(version) 800200 {
end 99 This script requires C-Kermit or Kermit 95 version 800200 or higher
}
# Define some defaults (\%y and data are also declared local so the
# script leaves no globals behind)
local firewall fwuser fwpwd tempfile \%x \%y data addr
define firewall 192.168.1.1 ; default value
define fwuser ; default value
define fwpwd admin ; default value
define tempfile \v(tempdir)linksys.htm
# Perform HTTP GET and place the Status HTML page into the tempfile
http open \m(firewall)
if failure end 1 Unable to connect to firewall
http /user:\m(fwuser) /password:\m(fwpwd) get /Status.htm \m(tempfile)
if failure end 2 Unable to access Status.htm: \v(http_code): \v(http_message)
http close
# Read the contents of the tempfile into the data variable
file open /binary /read \%x \m(tempfile)
if failure end 3 FOPEN \m(tempfile): \f_errmsg()
file read /size:\fsize(\m(tempfile)) \%x data
file close \%x
# Delete the tempfile
delete \m(tempfile)
# The IP Address of the Router is located in the HTML file
# within a block defined by tags: <!--WAN head--> and <!--WAN tail-->
# We extract the substr defined by the block
.\%x := \findex(<!--WAN head-->,\m(data))
if not \%x end 4 Header <!--WAN head--> not found
.\%y := \findex(<!--WAN tail-->,\m(data),\%x)
if not \%y end 5 Header <!--WAN tail--> not found
.data := \fsubstr(\m(data),\%x,\%y-\%x+15)
# The IP Address is located after the string "IP Address:".
# Find its location in the WAN block
.\%x := \findex(IP Address:,\m(data))
if not \%x end 6 IP Address tag not found
# Extract the IP Address
.addr := \fipaddress(\m(data),\%x)
if failure end 7 No ip address found
# Set the IP address of the Router to be used in Kerberos 5 tickets
set auth k5 addresses \m(addr)
# Done
end 0 Kerberos 5 address list set to: \m(addr)

Jeffrey Altman * Sr. Software Designer
The Kermit Project @ Columbia University
http://www.kermit-project.org/
kermit-support@kermit-project.org

C-Kermit 7.1 Alpha available, includes Secure Telnet and FTP
using Kerberos, SRP, and OpenSSL. SSH soon to follow.
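The two points in the reply above, modelled in Python as an added example (not code from the post, from MIT Kerberos, or from the Kermit Project): first, the WAN-address extraction the Kermit script performs, ported step for step (isolate the `<!--WAN head-->` ... `<!--WAN tail-->` block, find "IP Address:" inside it, take the first IPv4 address after it); second, a deliberately simplified model of the receiving host's rule that a credential restricted to address A is rejected when it arrives from address B, with the addressless case as the exception. The sample Status.htm content is constructed for this example; only the comment markers and the "IP Address:" label come from the script. The LAN section deliberately carries its own "IP Address:" label, to show why the script scopes the search to the WAN block before looking for the label. The private and public addresses are made-up sample values.

```python
import ipaddress
import re

# Constructed sample of a router status page. Only the <!--WAN head-->,
# <!--WAN tail--> markers and the "IP Address:" label are taken from the
# posted script; everything else here is invented for the example.
SAMPLE_STATUS_HTML = """<html><body>
<!--LAN head--><b>IP Address:</b> 192.168.1.1<!--LAN tail-->
<!--WAN head--><b>Login Type:</b> DHCP<br>
<b>IP Address:</b> 203.0.113.47<br>
<b>Subnet Mask:</b> 255.255.255.0<!--WAN tail-->
</body></html>"""

WAN_HEAD = "<!--WAN head-->"
WAN_TAIL = "<!--WAN tail-->"
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def extract_wan_address(html: str) -> str:
    """Port of the script's extraction: WAN block -> "IP Address:" -> first IPv4.

    Raises ValueError with the same failure cases the script reports
    (missing head, missing tail, missing label, no address).
    """
    head = html.find(WAN_HEAD)
    if head < 0:
        raise ValueError("Header <!--WAN head--> not found")
    tail = html.find(WAN_TAIL, head)
    if tail < 0:
        raise ValueError("Header <!--WAN tail--> not found")
    # Same bounds as the script's \fsubstr(): from the head marker through
    # the end of the tail marker, so the LAN block is never searched.
    block = html[head:tail + len(WAN_TAIL)]
    label = block.find("IP Address:")
    if label < 0:
        raise ValueError("IP Address tag not found")
    match = IPV4_RE.search(block, label)
    if match is None:
        raise ValueError("No ip address found")
    # IPv4Address() rejects out-of-range octets the regex alone would accept.
    return str(ipaddress.IPv4Address(match.group()))


def accept_forwarded_creds(embedded_addrs, observed_src: str) -> bool:
    """Simplified model of the rule in the post, not libkrb5's actual code.

    A credential bound to a list of addresses is accepted only if the
    address the host observes is in that list; a credential with no
    embedded addresses is not bound to the socket endpoints at all.
    """
    if not embedded_addrs:
        return True
    bound = {ipaddress.ip_address(a) for a in embedded_addrs}
    return ipaddress.ip_address(observed_src) in bound


def forwarding_outcomes(private_addr: str, nat_addr: str) -> dict:
    """What a host outside the NAT decides for three ways of building the
    credential; it always observes nat_addr as the source, never private_addr."""
    return {
        # Address generated from the local socket (the GENERATE_LOCAL case).
        "private-only": accept_forwarded_creds([private_addr], nat_addr),
        # No addresses embedded: the one exception the post names.
        "addressless": accept_forwarded_creds([], nat_addr),
        # NAT address discovered from the router, as the script does.
        "nat-address": accept_forwarded_creds([nat_addr], nat_addr),
    }


if __name__ == "__main__":
    wan = extract_wan_address(SAMPLE_STATUS_HTML)
    print("Kerberos 5 address list set to:", wan)
    for name, ok in forwarding_outcomes("192.168.1.10", wan).items():
        print(f"{name:13s} -> {'accepted' if ok else 'rejected'}")
```

The `private-only` case is the forwarding failure the post describes: the auth context carries 192.168.1.10, the host sees the router's address, and the credential is refused. The other two rows are the two ways around it that the post names, with the usual trade-off that addressless credentials give up the address binding entirely while the discovered NAT address still has to be re-read whenever the router's lease changes.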