[14664] in Kerberos
Re: using Kerberos V5 with network address translation firewall?
daemon@ATHENA.MIT.EDU (Jeffrey Altman)
Thu Jul 12 13:51:05 2001
From: jaltman@watsun.cc.columbia.edu (Jeffrey Altman)
Date: 12 Jul 2001 17:44:00 GMT
Message-ID: <9iknl0$qke$1@newsmaster.cc.columbia.edu>
To: kerberos@MIT.EDU
In article <9ikkkt$qce$1@nntp6.u.washington.edu>,
Donn Cave <donn@u.washington.edu> wrote:
: If you're going to configure Kerberos for several thousand people
: whose ISPs are pushing NATs, and who have only a glimmer of a notion
: what that means and will be using a variety of implementations, and
: whose only recourse if it doesn't work is probably to have you come
: over to their house, addressless tickets is the only option, right?
:
: (i.e., "noaddresses = true" in "[lib-defaults]" in krb5.conf.)
:
: I understand that has been working for most applications. The only
: problem seems to be ftp (Fetch), where GSS channel bindings bring
: the local address back to cause more trouble. Would someone mind
: confirming that any GSS ftp client will necessarily have this problem,
: and it isn't something the application could handle?
FTP GSSAPI-KRB5 does not require Channel Bindings. Any server
that requires Channel Bindings is out of spec. Versions of MIT
Kerberos FTPd had this bug. The current release does not.
Jeffrey Altman * Sr.Software Designer
The Kermit Project @ Columbia University
http://www.kermit-project.org/
kermit-support@kermit-project.org

C-Kermit 7.1 Alpha available
includes Secure Telnet and FTP
using Kerberos, SRP, and
OpenSSL. SSH soon to follow.