Kerberos ftp questions

ryanc ryanc at cac.washington.edu
Tue Jan 7 19:07:19 EST 2003


James,

Hopefully the source I sent will help, but I thought I should reply to this
post to answer your specific questions and to announce the source to anyone
else interested.

In answer to your question about the credentials cache, the Kerberos proxy
calls krb5_cc_default_name() to find the default ticket cache.  In current
versions of MIT Kerberos for Windows, this will be an in-memory cache:
API:krb5cc

You can change this behavior in the source, or change the default location.
The default can be changed by setting the environment variable KRB5CCNAME or
in the registry at:

HKEY_CURRENT_USER\Software\MIT\Kerberos5
ccname = FILE:C:\example.ext

and/or

HKEY_LOCAL_MACHINE\Software\MIT\Kerberos5
ccname = FILE:C:\example.ext

Note, however, that file-based credentials caches are less secure than
in-memory.  It would be better if you could get your AFS app. to use the
in-memory cache.

I've just made the source code for the UW's kftpd proxy publicly available.
This has a fairly standard open source license.  You can read the license,
release notes, and pick up the source at:

http://www.washington.edu/computing/support/windows/sources/kftpd.html

Pre-compiled binaries are also included, but not Kerberos for Windows.
You'll need to get this separately.  If you have a working GSS-compatible
Kerberos v5 system already set up and your target kftpd servers are in your
client's default realm, you can probably just start the included daemon as
follows:

kftppd.exe 127.0.0.1 2021

And it should start taking ftp proxy requests on port 2021.

        Ryan Campbell
        Software Engineer/Consultant
        Computing & Communications
        ryanc at cac.washington.edu
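
Added example, not part of the original message or the kftpd source: a small Python check that reports where a cache name is configured (KRB5CCNAME and the two registry values named above) and whether it is file-based or in-memory. Treating API and MEMORY as the in-memory types and a bare or drive-letter path as FILE are assumptions, and the SAMPLE values are constructed.

```python
import os

IN_MEMORY = {"API", "MEMORY"}          # assumption: these types hold no ticket file
REG_PATH = r"Software\MIT\Kerberos5"   # key and value name as given in the post
REG_VALUE = "ccname"
# Constructed sample values, used when run off Windows.
SAMPLE = {"env:KRB5CCNAME": None, "HKCU": "API:krb5cc",
          "HKLM": r"FILE:C:\example.ext"}

def parse_ccname(name):
    """Split 'TYPE:residual' on the first colon only; a Windows residual has
    its own colon. No prefix, or a one-letter "prefix" (a drive letter), is
    treated as a plain FILE path (assumption about how bare paths resolve)."""
    prefix, sep, residual = name.partition(":")
    if not sep or (len(prefix) == 1 and prefix.isalpha()):
        return "FILE", name
    return prefix, residual

def audit(sources):
    """Map {location: ccname or None} to [(location, ccname, type, verdict)]."""
    findings = []
    for location, name in sources.items():
        if not name:
            continue                   # nothing configured at this location
        cctype, _ = parse_ccname(name)
        verdict = ("in-memory" if cctype in IN_MEMORY
                   else "file-based" if cctype == "FILE" else "review")
        findings.append((location, name, cctype, verdict))
    return findings

def collect():
    """Read the environment variable and, on Windows, both registry hives."""
    try:
        import winreg
    except ImportError:
        return dict(SAMPLE)
    sources = {"env:KRB5CCNAME": os.environ.get("KRB5CCNAME")}
    for label, hive in (("HKCU", winreg.HKEY_CURRENT_USER),
                        ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        try:
            with winreg.OpenKey(hive, REG_PATH) as key:
                sources[label] = winreg.QueryValueEx(key, REG_VALUE)[0]
        except OSError:
            sources[label] = None      # key or value absent
    return sources

if __name__ == "__main__":
    for row in audit(collect()):
        print("%-15s %-22s %-6s %s" % row)
```

A "file-based" verdict marks the configuration the message describes as less secure; "review" marks a cache type the check does not classify.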
