[14674] in Kerberos
Re: using Kerberos V5 with network address translation firewall?
daemon@ATHENA.MIT.EDU (Donn Cave)
Fri Jul 13 18:22:38 2001
From: Donn Cave <donn@u.washington.edu>
Date: 13 Jul 2001 22:03:50 GMT
Message-ID: <9inr86$pe2$1@nntp6.u.washington.edu>
To: kerberos@MIT.EDU
Quoth jaltman@watsun.cc.columbia.edu (Jeffrey Altman):
| In article <9ini6j$h1k$1@nntp6.u.washington.edu>,
| Donn Cave <donn@u.washington.edu> wrote:
(quoting jaltman)
|: | FTP GSSAPI-KRB5 does not require Channel Bindings. Any server
|: | that requires Channel Bindings is out of spec. Versions of MIT
|: | Kerberos FTPd had this bug. The current release does not.
|:
|: Thanks, I checked it out and it works!
|:
|: Of course, now either the client or the server has to back off on the
|: channel bindings. For my test, I still had to modify ftpd to specify
|: GSS_C_NO_CHANNEL_BINDINGS, but with the snapshot that's all I had to
|: do, no need to modify the gssapi support library.
|:
|: In theory the client could have done that instead, but then it wouldn't
|: work with any currently released ftp, from 1.2 or earlier, so the only
|: way I could see that working would be as a client configuration option
|: in case you know you're behind a NAT where the channel bindings would
|: fail anyway.
| The 1.2.2 FTPD should not be requiring channel bindings. If the
| channel bindings are provided by the client they are used. If the
| bindings provided by the client are 0.0.0.0.0.0 then the GSSAPI
| library will ignore them when authenticating the client. There
| should be no need to use GSS_C_NO_CHANNEL_BINDINGS, because now
| you are saying that the client must not send bindings either.
The MIT 1.2.2 ftpd does require channel bindings. I tried it with
the MIT client, and no channel bindings = bad channel bindings.
The way I see it, this comes down to krb5_gss_accept_sec_context()
in lib/gssapi/krb5/accept_sec_context.c, where in the recent snapshot
I find this comment:
If the server has specified input_chan_bindings equal to
GSS_C_NO_CHANNEL_BINDINGS then we skip the check. If
the server does provide channel bindings then we compute
a checksum and compare against those provided by the
client. If the check fails we test the clients checksum
to see whether the client specified GSS_C_NO_CHANNEL_BINDINGS.
If either test succeeds we continue without error.
and briefly the following code does
    if not GSS_C_NO_CHANNEL_BINDINGS:
        if channel bindings mismatch:
            make GSS_C_NO_CHANNEL_BINDINGS checksum
            now if channel bindings mismatch:
                fail
The same function in 1.2.2 is different here: it just checks for
mismatch, so if one side uses GSS_C_NO_CHANNEL_BINDINGS, then the
other side must too.
The way this function works in recent krb5-current, the server
can specify GSS_C_NO_CHANNEL_BINDINGS and it will work for everyone.
Or the client can, but of course only if it's talking to this server.
Donn Cave, donn@u.washington.edu
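The two acceptor policies the post contrasts, as an added Python model (not MIT krb5 code): the 1.2.2 plain mismatch test beside the snapshot's fallback to the client's GSS_C_NO_CHANNEL_BINDINGS checksum, run over constructed addresses where a NAT rewrites the client's. It assumes GSS_C_NO_CHANNEL_BINDINGS checksums to 16 zero octets, as in MIT's library, and the hash over real bindings is a simplified layout, not the exact RFC 1964 encoding.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ChannelBindings:
    initiator_addr: bytes  # the client's address as the calling side sees it
    acceptor_addr: bytes

def cb_checksum(cb: Optional[ChannelBindings]) -> bytes:
    """Checksum the initiator puts in its authenticator. None models
    GSS_C_NO_CHANNEL_BINDINGS and yields 16 zero octets (assumed, as in
    MIT's library); the hash over real bindings is a constructed
    simplification, not the exact RFC 1964 encoding."""
    if cb is None:
        return bytes(16)
    return hashlib.md5(cb.initiator_addr + b"|" + cb.acceptor_addr).digest()

def accept_1_2_2(server_cb, client_cksum):
    """1.2.2 as the post describes it: a plain mismatch test, so both sides
    must make the same choice (bindings, or NO_CHANNEL_BINDINGS on both)."""
    return cb_checksum(server_cb) == client_cksum

def accept_snapshot(server_cb, client_cksum):
    """krb5-current snapshot, following the comment quoted in the post."""
    if server_cb is None:                       # server: skip the check entirely
        return True
    if cb_checksum(server_cb) == client_cksum:  # bindings agree
        return True
    return client_cksum == cb_checksum(None)    # client sent NO_CHANNEL_BINDINGS

def scenarios():
    """Constructed addresses: the client sees itself as 10.0.0.5 but the NAT
    presents it to the server as 203.0.113.7, so the bindings differ."""
    server = b"192.0.2.10"
    client_view = ChannelBindings(b"10.0.0.5", server)
    server_view = ChannelBindings(b"203.0.113.7", server)
    bound, unbound = cb_checksum(client_view), cb_checksum(None)
    return {
        # both sides bind; the NAT rewrote the client address
        "nat_bind_122": accept_1_2_2(server_view, bound),
        "nat_bind_snap": accept_snapshot(server_view, bound),
        # server passes GSS_C_NO_CHANNEL_BINDINGS (the ftpd change in the post)
        "server_nocb_122": accept_1_2_2(None, bound),
        "server_nocb_snap": accept_snapshot(None, bound),
        # client passes GSS_C_NO_CHANNEL_BINDINGS, server still binds
        "client_nocb_122": accept_1_2_2(server_view, unbound),
        "client_nocb_snap": accept_snapshot(server_view, unbound),
    }
```

Only the snapshot policy with the server passing GSS_C_NO_CHANNEL_BINDINGS accepts every client, which is the "works for everyone" case in the post.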