[14673] in Kerberos
Re: using Kerberos V5 with network address translation firewall?
daemon@ATHENA.MIT.EDU (Jeffrey Altman)
Fri Jul 13 17:24:54 2001
From: jaltman@watsun.cc.columbia.edu (Jeffrey Altman)
Date: 13 Jul 2001 21:09:03 GMT
Message-ID: <9ino1f$ldu$1@newsmaster.cc.columbia.edu>
To: kerberos@MIT.EDU
In article <9ini6j$h1k$1@nntp6.u.washington.edu>,
Donn Cave <donn@u.washington.edu> wrote:
: | FTP GSSAPI-KRB5 does not require Channel Bindings. Any server
: | that requires Channel Bindings is out of spec. Versions of MIT
: | Kerberos FTPd had this bug. The current release does not.
:
: Thanks, I checked it out and it works!
:
: Of course, now either the client or the server has to back off on the
: channel bindings. For my test, I still had to modify ftpd to specify
: GSS_C_NO_CHANNEL_BINDINGS, but with the snapshot that's all I had to
: do, no need to modify the gssapi support library.
:
: In theory the client could have done that instead, but then it wouldn't
: work with any currently released ftp, from 1.2 or earlier, so the only
: way I could see that working would be as a client configuration option
: in case you know you're behind a NAT where the channel bindings would
: fail anyway.
:
: Donn Cave, donn@u.washington.edu
The 1.2.2 FTPD should not be requiring channel bindings. If the
channel bindings are provided by the client they are used. If the
bindings provided by the client are 0.0.0.0.0.0 then the GSSAPI
library will ignore them when authenticating the client. There
should be no need to use GSS_C_NO_CHANNEL_BINDINGS, because now
you are saying that the client must not send bindings either.
Jeffrey Altman * Sr. Software Designer
The Kermit Project @ Columbia University
http://www.kermit-project.org/
kermit-support@kermit-project.org

C-Kermit 7.1 Alpha available
includes Secure Telnet and FTP using Kerberos, SRP, and OpenSSL. SSH soon to follow.
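
Added example, not part of the original message and not MIT Kerberos code: a small model of why address-based channel bindings fail behind NAT. It computes the 16-byte MD5 "Bnd" field that the Kerberos V5 GSS-API mechanism (RFC 1964 / RFC 4121) derives from the initiator and acceptor addresses, once as the client sees them and once as the server's socket sees them. The IP addresses are constructed, and treating an all-zero Bnd as "the client sent no bindings, so skip the comparison" is this example's reading of the behaviour described in the reply above.

```python
import hashlib
import socket
import struct

GSS_C_AF_INET = 2        # address-type constant from RFC 2744
NO_BINDINGS = bytes(16)  # Bnd value when the initiator supplies no bindings


def bnd_hash(initiator_ip, acceptor_ip, app_data=b""):
    """MD5 over the channel bindings; integer fields are 4-byte little-endian."""
    buf = b""
    for ip in (initiator_ip, acceptor_ip):
        addr = socket.inet_aton(ip)
        buf += struct.pack("<II", GSS_C_AF_INET, len(addr)) + addr
    buf += struct.pack("<I", len(app_data)) + app_data
    return hashlib.md5(buf).digest()


def acceptor_check(client_bnd, peer_ip, local_ip):
    """Simplified acceptor-side model (an assumption, not the library's code)."""
    if client_bnd == NO_BINDINGS:
        return "ignored"  # nothing to compare against
    # The server rebuilds the bindings from the addresses on its own socket.
    expected = bnd_hash(peer_ip, local_ip)
    return "match" if client_bnd == expected else "mismatch"


# Constructed addresses (RFC 1918 / RFC 5737 ranges), not taken from the thread.
CLIENT_PRIVATE = "10.0.0.5"   # what the client's own socket reports
NAT_PUBLIC = "203.0.113.7"    # what the server sees as the peer address
SERVER = "198.51.100.20"


def scenarios():
    return {
        # No NAT: both ends agree on the initiator address.
        "direct": acceptor_check(bnd_hash(NAT_PUBLIC, SERVER), NAT_PUBLIC, SERVER),
        # NAT: client hashed its private address, server sees the public one.
        "behind_nat": acceptor_check(bnd_hash(CLIENT_PRIVATE, SERVER), NAT_PUBLIC, SERVER),
        # NAT, but the client sends no bindings at all.
        "nat_no_bindings": acceptor_check(NO_BINDINGS, NAT_PUBLIC, SERVER),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```
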