gssapi and CCC command

Glen Matthews glen at montreal.hcl.com
Thu Apr 11 17:13:34 EDT 2002


Hi,

  i'm writing an ftp client using the gssapi with kerberos, and am somewhat
puzzled by the CCC command behaviour.

  basically, when i enable clear channel commands using CCC, it is accepted
with a 200-level message. i can enter various commands (notably PBSZ, PROT -
these seem to work ok). however, when i try to enter something else (like a
pwd) i get a 500 level message requiring a login before commands. ok. that
sort of fits - without enabling CCC, i need to send a login (encrypted) and
i get back a message stating that i've been authenticated.

  when i try to issue a user command, i get this:

331 GSSAPI user "xxx at REALM" is not authorized as "xxx"; Password required

which is fine - "xxx at REALM" is the kerberos principal logging in, and xxx is
the userid on the target system. when the pass command is issued (with the
correct password even), i get 530 login incorrect.

any ideas? is this a config problem with the kerberized ftpd? or a problem
implementing the security protocol?

glen





More information about the Kerberos mailing list