[14672] in Kerberos


Re: using Kerberos V5 with network address translation firewall?

daemon@ATHENA.MIT.EDU (Donn Cave)
Fri Jul 13 15:51:47 2001

From: Donn Cave <donn@u.washington.edu>
Date: 13 Jul 2001 19:29:23 GMT
Message-ID: <9ini6j$h1k$1@nntp6.u.washington.edu>
To: kerberos@MIT.EDU

Quoth jaltman@watsun.cc.columbia.edu (Jeffrey Altman):
| In article <9ikkkt$qce$1@nntp6.u.washington.edu>,
| Donn Cave  <donn@u.washington.edu> wrote:
....
|: I understand that has been working for most applications.  The only
|: problem seems to be ftp (Fetch), where GSS channel bindings bring
|: the local address back to cause more trouble.  Would someone mind
|: confirming that any GSS ftp client will necessarily have this problem,
|: and it isn't something the application could handle?
|
| FTP GSSAPI-KRB5 does not require Channel Bindings.  Any server
| that requires Channel Bindings is out of spec.  Versions of MIT
| Kerberos FTPd had this bug.  The current release does not.

Thanks, I checked it out and it works!

Of course, now either the client or the server has to back off on the
channel bindings.  For my test, I still had to modify ftpd to specify
GSS_C_NO_CHANNEL_BINDINGS, but with the snapshot that's all I had to
do, no need to modify the gssapi support library.

In theory the client could have done that instead, but then it wouldn't
work with any currently released ftp, from 1.2 or earlier, so the only
way I could see that working would be as a client configuration option
in case you know you're behind a NAT where the channel bindings would
fail anyway.

	Donn Cave, donn@u.washington.edu
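As an added illustration of the failure Donn describes (this is example code written for this archive page, not code from Donn, Jeffrey, MIT krb5 or ftpd), the model below reproduces the channel-binding check the Kerberos GSS mechanism performs. RFC 1964 section 4.1.1.2 has the initiator hash its channel-binding structure with MD5 into the AP-REQ checksum; the acceptor rebuilds the same structure from what it sees on its socket and compares. The address families, status names, IP addresses and the `ftp_handshake` scenario are constructed for the example; the hash layout follows the RFC as I read it.

```python
"""Why GSS-API channel bindings fail behind a NAT (constructed model).

The FTP client fills its bindings with its own interface address.  The FTP
server fills its bindings with the peer address it observes on the control
connection.  A NAT rewrites the source address in between, so the two hashes
never match and the acceptor reports GSS_S_BAD_BINDINGS.  An acceptor that
passes GSS_C_NO_CHANNEL_BINDINGS skips the comparison entirely, which is the
ftpd change the message above describes.
"""
import hashlib
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

GSS_C_AF_INET = 2                      # RFC 2744 address-family code for IPv4
GSS_S_COMPLETE = "GSS_S_COMPLETE"      # constructed stand-ins for the C status codes
GSS_S_BAD_BINDINGS = "GSS_S_BAD_BINDINGS"
GSS_C_NO_CHANNEL_BINDINGS: Optional["ChannelBindings"] = None


@dataclass(frozen=True)
class ChannelBindings:
    initiator_address: str        # dotted-quad IPv4
    acceptor_address: str
    application_data: bytes = b""


def channel_binding_hash(cb: ChannelBindings) -> bytes:
    """MD5 over the RFC 1964 4.1.1.2 layout: addrtype, length and bytes of
    each address, then length and bytes of the application data; all 32-bit
    quantities little-endian."""
    def addr(a: str) -> bytes:
        raw = ipaddress.IPv4Address(a).packed
        return struct.pack("<I", GSS_C_AF_INET) + struct.pack("<I", len(raw)) + raw

    buf = (addr(cb.initiator_address)
           + addr(cb.acceptor_address)
           + struct.pack("<I", len(cb.application_data))
           + cb.application_data)
    return hashlib.md5(buf).digest()


def init_sec_context(client_bindings: ChannelBindings) -> dict:
    """Initiator side: the token carries the 16-byte binding hash ("Bnd")."""
    return {"bnd": channel_binding_hash(client_bindings)}


def accept_sec_context(token: dict, acceptor_bindings: Optional[ChannelBindings]) -> str:
    """Acceptor side: compare the token's hash with a locally rebuilt one,
    unless the application opted out with GSS_C_NO_CHANNEL_BINDINGS."""
    if acceptor_bindings is GSS_C_NO_CHANNEL_BINDINGS:
        return GSS_S_COMPLETE
    if token["bnd"] != channel_binding_hash(acceptor_bindings):
        return GSS_S_BAD_BINDINGS
    return GSS_S_COMPLETE


def ftp_handshake(client_local_ip: str, server_ip: str,
                  nat_public_ip: Optional[str] = None,
                  server_checks_bindings: bool = True) -> str:
    """Constructed scenario: with a NAT in the path the server's observed peer
    address is the NAT's public address, not the client's own."""
    client_cb = ChannelBindings(client_local_ip, server_ip)
    token = init_sec_context(client_cb)
    observed_peer = nat_public_ip or client_local_ip
    server_cb = (ChannelBindings(observed_peer, server_ip)
                 if server_checks_bindings else GSS_C_NO_CHANNEL_BINDINGS)
    return accept_sec_context(token, server_cb)


if __name__ == "__main__":
    # Documentation-range addresses, constructed for the demonstration.
    print("direct:        ", ftp_handshake("192.0.2.50", "198.51.100.21"))
    print("behind NAT:    ", ftp_handshake("10.0.0.5", "198.51.100.21",
                                           nat_public_ip="192.0.2.10"))
    print("NAT, no bnd:   ", ftp_handshake("10.0.0.5", "198.51.100.21",
                                           nat_public_ip="192.0.2.10",
                                           server_checks_bindings=False))
```

The third run is the configuration the message ends up with: the client still sends bindings, but a server that supplies GSS_C_NO_CHANNEL_BINDINGS never compares them, so the private address inside the token is irrelevant. Doing the same on the client instead would mean sending no bindings, which the model cannot make a binding-checking server accept; that matches the compatibility problem with older servers Donn raises.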
