Kerberos5 NAT and kftp

Jeffrey Altman jaltman at watsun.cc.columbia.edu
Sat Nov 23 19:48:34 EST 2002


You need to use an FTP client that allows you to disable the use 
of channel bindings.  See C-Kermit

  http://www.kermit-project.org/ckermit.html

It will do what you need when given the command

  SET AUTH K5 NO-ADDR ON



In article <5.1.0.14.2.20021122112239.0378a4c0 at po2.bbn.com>,
Protima Chhabra <pchhabra at bbn.com> wrote:
: Hi,
: 
: I have a Kerberos client sitting behind a firewall doing NAT. I have 
: patched my client and added the proxy gateway to my configuration file, as 
: explained in the document below
: 	 http://www.ncsa.uiuc.edu/UserInfo/Resources/Software/kerberos/firewall.html#proxy
: 
: I can get a ticket, get ktelnet to work with an error message, but kftp 
: does not work, as shown below. Can someone tell me what it is that I am 
: doing wrong?
: 
: Thanks
: Protima
: 
: ------------------------------------------------------------------------------------------------------------------------------------------
: kclient101% klist
: Ticket cache: /tmp/krb5cc_11617
: Default principal: user at SUB.KRB.COM
: 
: Valid starting     Expires            Service principal
: 11/14/02 19:06:17  11/15/02 05:06:15  krbtgt/SUB.KRB.COM at SUB.KRB.COM
: 
: 
: kclient102% ktelnet opal0-gx.main.KRB.COM
: Trying 255.255.255.255... Connected to opal0-gx.main.KRB.COM
: (255.255.255.255). Escape character is '^]'. [ Kerberos V5 accepts you as
: ``user at SUB.KRB.COM'' ] [ Kerberos V5 refuses forwarded credentials because
: Read forwarded creds failed: Incorrect net address ] Last login: Thu Nov 14
: 17:58:26 from 68.156.252.64.snet.net
: opal0> exit
: opal0> logout
: Connection closed by foreign host.
: 
: kclient103% kftp opal0-gx.main.KRB.COM
: Connected to opal0-gx.main.KRB.COM.
: 220 opal0 FTP server (Version 5.60) ready.
: 334 Using authentication type GSSAPI; ADAT must follow
: GSSAPI accepted as authentication type
: GSSAPI error major: Incorrect channel bindings were supplied
: GSSAPI error minor: No error
: GSSAPI error: accepting context
: GSSAPI ADAT failed
: GSSAPI authentication failed
: Name (opal0.main.KRB.COM:user):
: 530 User user access denied: authentication required.
: Login failed.
: Remote system type is UNKNOWN.
: ftp> bye
: 221 Goodbye.
: 
: ------------------------------------------------------------------------------------------------------------------------------------------
: 
: ________________________________________________
: Kerberos mailing list           Kerberos at mit.edu
: http://mailman.mit.edu/mailman/listinfo/kerberos
: 


 Jeffrey Altman * Volunteer Developer      Kermit 95 2.1 GUI available now!!!
 The Kermit Project @ Columbia University  SSH, Secure Telnet, Secure FTP, HTTP
 http://www.kermit-project.org/            Secured with MIT Kerberos, SRP, and 
 kermit-support at columbia.edu               OpenSSL.
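
An added illustration, not part of the original thread or of C-Kermit: why address-based channel bindings produce "Incorrect channel bindings were supplied" across NAT. It assumes both ends bind to the control connection's IPv4 addresses (as RFC 2228 describes for GSSAPI FTP) and hashes them in the layout of RFC 4121 section 4.1.1.2; the addresses are constructed and the acceptor check is a simplified model.

```python
import hashlib
import hmac
import socket
import struct

GSS_C_AF_INET = 2  # IPv4 address type from the GSS-API C bindings (RFC 2744)


def _buf(data: bytes) -> bytes:
    """Length-prefixed buffer: 32-bit little-endian length, then the bytes."""
    return struct.pack("<I", len(data)) + data


def bindings_blob(initiator_ip: str, acceptor_ip: str, app_data: bytes = b"") -> bytes:
    """Serialise channel bindings in the field order of RFC 4121 section 4.1.1.2."""
    return (
        struct.pack("<I", GSS_C_AF_INET) + _buf(socket.inet_aton(initiator_ip))
        + struct.pack("<I", GSS_C_AF_INET) + _buf(socket.inet_aton(acceptor_ip))
        + _buf(app_data)
    )


def bindings_hash(initiator_ip: str, acceptor_ip: str, app_data: bytes = b"") -> bytes:
    """16-byte MD5 'Bnd' value the initiator places in the authenticator checksum."""
    return hashlib.md5(bindings_blob(initiator_ip, acceptor_ip, app_data)).digest()


def acceptor_accepts(received_bnd: bytes, peer_ip: str, local_ip: str) -> bool:
    """Simplified acceptor: recompute Bnd from the addresses seen on its socket."""
    return hmac.compare_digest(received_bnd, bindings_hash(peer_ip, local_ip))


# Constructed addresses (RFC 1918 / RFC 5737 ranges), not taken from the thread.
CLIENT_PRIVATE = "192.168.1.10"  # address the client behind NAT uses for itself
NAT_PUBLIC = "203.0.113.5"       # address the server sees as the connection peer
SERVER = "198.51.100.20"

if __name__ == "__main__":
    bnd = bindings_hash(CLIENT_PRIVATE, SERVER)
    print("client Bnd:       ", bnd.hex())
    print("server recomputes:", bindings_hash(NAT_PUBLIC, SERVER).hex())
    print("no NAT, accepted: ", acceptor_accepts(bnd, CLIENT_PRIVATE, SERVER))
    print("via NAT, accepted:", acceptor_accepts(bnd, NAT_PUBLIC, SERVER))
```

The two hashes differ only because the initiator address field differs, which is the field NAT rewrites on the wire but not inside the client's GSSAPI token.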


