[14659] in Kerberos


Re: using Kerberos V5 with network address translation firewall?

daemon@ATHENA.MIT.EDU (Jeffrey Altman)
Thu Jul 12 10:37:18 2001

From: jaltman@watsun.cc.columbia.edu (Jeffrey Altman)
Date: 12 Jul 2001 14:26:02 GMT
Message-ID: <9ikc1q$i62$1@newsmaster.cc.columbia.edu>
To: kerberos@MIT.EDU

In article <ylvgkyfno3.fsf@windlord.stanford.edu>,
Russ Allbery  <rra@stanford.edu> wrote:
: Jeffrey Altman <jaltman@watsun.cc.columbia.edu> writes:
: 
: > If you can describe a good way to write the rule that says, replace
: > address FOO with address NAT we can certainly make the change in the
: > code.  The problem in most cases is that there is no good way to know
: > what the NAT address is in the first place.
: 
: I think there used to be patches for this around somewhere for something
: of the 1.0.x vintage, because I forward-ported them to 1.2 until I started
: just using addressless tickets.  That patch took the approach of requiring
: one to configure the NAT IP address in krb5.conf, which would work in some
: situations.

The patch worked by adding the additional addresses into the TGT.
This allows service tickets acquired with the modified TGT to be
used for authentication.  However, it does not work with forwarding
of tickets because it is not possible for the address binding that
is used to protect the forwarding of tickets to have more than one
address value.  There is no mechanism to say that the current local
IP address/port should be replaced by the IP address/port used by
the NAT/Firewall when it makes its outgoing connection to the 
eventual host.  There just is no mechanism available for the
client app to probe the NAT/Firewall to find out what the value is.

SOCKS 4 has exactly the same problem.  SOCKS 5 fixed it by having
the SOCKS gateway report the outgoing IP address/port info to the
SOCKS client.  That way when the application inquires for the 
local ip address/port used by the socket what is returned is not 
the info for the local machine, but instead the info for the 
socket created by the SOCKS gateway.

 Jeffrey Altman * Sr.Software Designer      C-Kermit 7.1 Alpha available
 The Kermit Project @ Columbia University   includes Secure Telnet and FTP
 http://www.kermit-project.org/             using Kerberos, SRP, and 
 kermit-support@kermit-project.org          OpenSSL.  SSH soon to follow.
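The SOCKS 5 mechanism described in the post above, as an added example that is not part of the original thread: a parser for the SOCKS5 CONNECT reply (RFC 1928), whose BND.ADDR/BND.PORT fields are exactly how the gateway reports its outgoing address and port back to the client. The reply bytes are constructed for illustration.

```python
import socket
import struct

# SOCKS5 reply layout (RFC 1928): VER | REP | RSV | ATYP | BND.ADDR | BND.PORT
# After a CONNECT, BND.ADDR/BND.PORT describe the socket the gateway opened
# towards the eventual host, which is the information a plain NAT never
# returns to the client.
SOCKS_VERSION = 0x05
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}

def parse_socks5_reply(data: bytes):
    """Return (reply_code, bound_host, bound_port) for one complete reply.

    Raises ValueError on a malformed or truncated reply so the caller never
    acts on a half-parsed bound address."""
    if len(data) < 4:
        raise ValueError("reply shorter than the fixed 4-byte header")
    ver, rep, rsv, atyp = data[0], data[1], data[2], data[3]
    if ver != SOCKS_VERSION:
        raise ValueError(f"unexpected SOCKS version {ver}")
    if rsv != 0x00:
        raise ValueError("reserved byte must be zero")
    body = data[4:]
    if atyp == ATYP_IPV4:
        addr_len = 4
        host = lambda b: socket.inet_ntop(socket.AF_INET, b)
    elif atyp == ATYP_IPV6:
        addr_len = 16
        host = lambda b: socket.inet_ntop(socket.AF_INET6, b)
    elif atyp == ATYP_DOMAIN:
        if not body:
            raise ValueError("missing domain-name length byte")
        addr_len = 1 + body[0]          # length prefix followed by the name
        host = lambda b: b[1:].decode("ascii")
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    if len(body) != addr_len + 2:       # address plus 2-byte port, nothing else
        raise ValueError("address/port length mismatch")
    port = struct.unpack("!H", body[addr_len:])[0]
    return rep, host(body[:addr_len]), port

# Constructed sample: gateway reports it connected out from 203.0.113.7:40001.
SAMPLE_REPLY = bytes([0x05, 0x00, 0x00, 0x01, 203, 0, 113, 7]) + struct.pack("!H", 40001)

if __name__ == "__main__":
    rep, host, port = parse_socks5_reply(SAMPLE_REPLY)
    print(REPLY_TEXT.get(rep, "unknown"), host, port)
```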
