Kerberos5 NAT and kftp

Donn Cave donn at u.washington.edu
Mon Nov 25 12:31:11 EST 2002


Quoth jaltman at watsun.cc.columbia.edu (Jeffrey Altman):
| You need to use an FTP client that allows you to disable the use 
| of channel bindings.  See C-Kermit
|
|   http://www.kermit-project.org/ckermit.html
|
| It will do what you need when the command
|
|   SET AUTH K5 NO-ADDR ON

You also need a patched ftpd, right?  Or does the GSS ftpd from
the current MIT release now support clients from behind a NAT?

	Donn Cave, donn at u.washington.edu
----------------------------------------
| In article <5.1.0.14.2.20021122112239.0378a4c0 at po2.bbn.com>,
| Protima Chhabra <pchhabra at bbn.com> wrote:
| : Hi,
| : 
| : I have a Kerberos client sitting behind a firewall doing NAT. I have 
| : patched my client and added the proxy gateway to my configuration file, as 
| : explained in the document below
| : 	 http://www.ncsa.uiuc.edu/UserInfo/Resources/Software/kerberos/firewall.html#proxy
| : 
| : I can get a ticket, get ktelnet to work with an error message, but kftp 
| : does not work, as shown below. Can someone tell me what it is that I am 
| : doing wrong?
| : 
| : Thanks
| : Protima
| : 
| : ------------------------------------------------------------------------------------------------------------------------------------------
| : kclient101% klist
| : Ticket cache: /tmp/krb5cc_11617
| : Default principal: user at SUB.KRB.COM
| : 
| : Valid starting     Expires            Service principal
| : 11/14/02 19:06:17  11/15/02 05:06:15  krbtgt/SUB.KRB.COM at SUB.KRB.COM
| : 
| : 
| : kclient102% ktelnet opal0-gx.main.KRB.COM
| : Trying 255.255.255.255...
| : Connected to opal0-gx.main.KRB.COM (255.255.255.255).
| : Escape character is '^]'.
| : [ Kerberos V5 accepts you as ``user at SUB.KRB.COM'' ]
| : [ Kerberos V5 refuses forwarded credentials because Read forwarded creds failed: Incorrect net address ]
| : Last login: Thu Nov 14 17:58:26 from 68.156.252.64.snet.net
| : opal0> exit
| : opal0> logout
| : Connection closed by foreign host.
| : 
| : kclient103% kftp opal0-gx.main.KRB.COM
| : Connected to opal0-gx.main.KRB.COM.
| : 220 opal0 FTP server (Version 5.60) ready.
| : 334 Using authentication type GSSAPI; ADAT must follow
| : GSSAPI accepted as authentication type
| : GSSAPI error major: Incorrect channel bindings were supplied
| : GSSAPI error minor: No error
| : GSSAPI error: accepting context
| : GSSAPI ADAT failed
| : GSSAPI authentication failed
| : Name (opal0.main.KRB.COM:user):
| : 530 User user access denied: authentication required.
| : Login failed.
| : Remote system type is UNKNOWN.
| : ftp> bye
| : 221 Goodbye.
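
Added example, not part of the thread and not code from any participant or from MIT Kerberos: a Python model of the channel-binding hash (the "Bnd" field, RFC 4121 section 4.1.1.2) that shows how address translation leads to "Incorrect channel bindings were supplied". It assumes both ends bind the context to the IPv4 addresses of the control connection and that the acceptor compares the client's hash with one computed from its own view; all addresses and function names are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

GSS_C_AF_INET = 2  # address type constant from RFC 2744


def bnd_field(bindings):
    """Return the 16-octet Bnd value for (initiator_ip, acceptor_ip, app_data).

    None stands for GSS_C_NO_CHANNEL_BINDINGS, which RFC 4121 encodes as
    16 zero octets.
    """
    if bindings is None:
        return bytes(16)
    initiator_ip, acceptor_ip, app_data = bindings
    buf = b""
    for ip in (initiator_ip, acceptor_ip):
        addr = socket.inet_aton(ip)
        # addrtype and length are hashed as 4-octet little-endian integers
        buf += struct.pack("<II", GSS_C_AF_INET, len(addr)) + addr
    # the application-data length is always hashed, even when it is zero
    buf += struct.pack("<I", len(app_data)) + app_data
    return hashlib.md5(buf).digest()


def acceptor_accepts(client_view, server_view):
    """Model assumption: the acceptor recomputes Bnd from its own view of the
    connection and rejects the context when the two values differ."""
    return hmac.compare_digest(bnd_field(client_view), bnd_field(server_view))


# Constructed addresses (private and documentation ranges).
SERVER = "198.51.100.20"
CLIENT_PRIVATE = "192.168.1.10"  # the client's own idea of its address
NAT_PUBLIC = "203.0.113.5"       # the peer address the server sees


def scenarios():
    direct = ("192.0.2.10", SERVER, b"")
    return {
        "direct": acceptor_accepts(direct, direct),
        "behind NAT": acceptor_accepts((CLIENT_PRIVATE, SERVER, b""), (NAT_PUBLIC, SERVER, b"")),
        "only client omits bindings": acceptor_accepts(None, (NAT_PUBLIC, SERVER, b"")),
        "both omit bindings": acceptor_accepts(None, None),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:28} {'accepted' if ok else 'Incorrect channel bindings'}")
```

In this model, dropping the bindings on the client alone still fails, which is the situation the question about a patched ftpd is asking about.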


