gss_accept_sec_context and channel binding in ftp

Donn Cave donn at u.washington.edu
Fri Jun 4 18:27:52 EDT 2004


In article <loom.20040604T154031-39 at post.gmane.org>,
 huaraz at btinternet.com (Markus Moeller) wrote:

> I noticed that from MIT version 1.2.4 to 1.3.1 the gss_accept_sec_context call
> has changed in ftpd.c. It is now set to use always GSS_C_NO_CHANNEL_BINDINGS.
> I also noticed that changing the channel bindings in gss_init_sec_context on
> the client doesn't create an error I would expect.
> 
> I also see a different behaviour in my proftpd mod_gss module. If the client
> uses gss_init_sec_context with GSS_C_NO_CHANNEL_BINDINGS, the channel bindings
> settings in gss_accept_sec_context on the server are ignored (e.g. if the
> server uses channel bindings with application data set and the client used
> GSS_C_NO_CHANNEL_BINDINGS the client can login).
> 
> Is this intentional?

I can't speak for the MIT Kerberos developers, but I feel
fairly confident that it was not an accident.  Moreover,
it is quite useful for GSS Fetch users behind NATs, for
example.

   Donn Cave, donn at u.washington.edu
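The behaviour Markus describes can be reasoned about from the checksum that the Kerberos V5 GSS-API mechanism puts in the AP-REQ authenticator: per RFC 1964 section 4.1.1.2, the initiator sends a 16-byte Bnd field that is the MD5 hash of its channel bindings (each address type and length as a 4-byte little-endian integer followed by the bytes), and an initiator that passed GSS_C_NO_CHANNEL_BINDINGS sends sixteen zero bytes. The acceptor can only compare what it was given against that field. The following Python model is an added illustration written for this archive page, not code from MIT Kerberos, ftpd.c or mod_gss; it reproduces the RFC 1964 hash layout and models the lenient rule observed in the thread (a zero Bnd from the client is accepted whatever bindings the server supplied) as a switchable assumption, so a server-side developer can see which combinations a strict acceptor would reject and which ones a lenient acceptor silently lets through.

```python
"""Model of the RFC 1964 channel-binding check done by a GSS-API acceptor.

Added example for this mailing-list page; the names ChannelBindings,
bindings_hash and acceptor_check are this model's own, not the MIT API.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

# GSS-API address-type values (RFC 2744); only two are needed here.
GSS_C_AF_NULLADDR = 0
GSS_C_AF_INET = 2


@dataclass(frozen=True)
class ChannelBindings:
    """Mirror of gss_channel_bindings_t fields."""
    initiator_addrtype: int = GSS_C_AF_NULLADDR
    initiator_address: bytes = b""
    acceptor_addrtype: int = GSS_C_AF_NULLADDR
    acceptor_address: bytes = b""
    application_data: bytes = b""


# GSS_C_NO_CHANNEL_BINDINGS is a NULL pointer in C; modelled as None here.
GSS_C_NO_CHANNEL_BINDINGS: Optional[ChannelBindings] = None

# Bnd value an initiator sends when it supplied no bindings (16 zero octets).
ZERO_BND = bytes(16)


def _u32le(n: int) -> bytes:
    """RFC 1964 encodes every integer and length field as 4-byte little-endian."""
    return n.to_bytes(4, "little")


def bindings_hash(cb: Optional[ChannelBindings]) -> bytes:
    """Compute the Bnd field of the RFC 1964 authenticator checksum.

    MD5 over: initiator_addrtype, len(initiator_address), initiator_address,
    acceptor_addrtype, len(acceptor_address), acceptor_address,
    len(application_data), application_data.  No bindings -> all zeros.
    """
    if cb is None:
        return ZERO_BND
    h = hashlib.md5()
    h.update(_u32le(cb.initiator_addrtype))
    h.update(_u32le(len(cb.initiator_address)) + cb.initiator_address)
    h.update(_u32le(cb.acceptor_addrtype))
    h.update(_u32le(len(cb.acceptor_address)) + cb.acceptor_address)
    h.update(_u32le(len(cb.application_data)) + cb.application_data)
    return h.digest()


def acceptor_check(server_cb: Optional[ChannelBindings], client_bnd: bytes,
                   lenient_zero_bnd: bool = True) -> Tuple[bool, str]:
    """Model the acceptor's comparison of its own bindings with the client's Bnd.

    lenient_zero_bnd=True models the behaviour reported in the thread: a client
    that sent no bindings is accepted regardless of what the server supplied.
    lenient_zero_bnd=False models a strict acceptor that rejects that case.
    """
    if server_cb is None:
        return True, "acceptor passed GSS_C_NO_CHANNEL_BINDINGS; nothing compared"
    if client_bnd == ZERO_BND:
        if lenient_zero_bnd:
            return True, "client sent no bindings; acceptor bindings ignored"
        return False, "GSS_S_BAD_BINDINGS: client sent no bindings, acceptor requires them"
    if client_bnd == bindings_hash(server_cb):
        return True, "channel bindings match"
    return False, "GSS_S_BAD_BINDINGS: channel bindings differ"


def demo() -> Tuple[bool, bool, bool]:
    """Constructed scenario from the thread: server sets application data,
    client logs in with and without bindings.  Returns (match, lenient, strict)."""
    server_cb = ChannelBindings(application_data=b"ftp-control-channel")
    # Client that supplied the same bindings.
    match, _ = acceptor_check(server_cb, bindings_hash(server_cb))
    # Client that passed GSS_C_NO_CHANNEL_BINDINGS to gss_init_sec_context.
    lenient, _ = acceptor_check(server_cb, bindings_hash(GSS_C_NO_CHANNEL_BINDINGS))
    strict, _ = acceptor_check(server_cb, bindings_hash(GSS_C_NO_CHANNEL_BINDINGS),
                               lenient_zero_bnd=False)
    return match, lenient, strict


if __name__ == "__main__":
    print(demo())  # lenient acceptor lets the no-bindings client in; strict does not
```

The practical consequence for a server author is in the second branch of `acceptor_check`: if the acceptor is lenient, setting application data in `gss_accept_sec_context` does not by itself guarantee that every authenticated client was bound to that channel, so a server that needs the binding should log or refuse the zero-Bnd case rather than rely on the library to do it.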
