Kerberos ftp questions
ryanc
ryanc at cac.washington.edu
Tue Jan 7 19:07:19 EST 2003
James,
Hopefully the source I sent will help, but I thought I should reply to this
post to answer your specific questions and to announce the source to anyone
else interested.
In answer to your question about the credentials cache, the Kerberos proxy
calls krb5_cc_default_name() to find the default ticket cache. In current
versions of MIT Kerberos for Windows, this will be an in-memory cache:
API:krb5cc
You can change this behavior in the source, or change the default location.
The default can be changed by setting the environment variable KRB5CCNAME or
in the registry at:
HKEY_CURRENT_USER\Software\MIT\Kerberos5
ccname = FILE:C:\example.ext
and/or
HKEY_LOCAL_MACHINE\Software\MIT\Kerberos5
ccname = FILE:C:\example.ext
Note, however, that file-based credentials caches are less secure than
in-memory. It would be better if you could get your AFS app. to use the
in-memory cache.
I've just made the source code for the UW's kftpd proxy publicly available.
This has a fairly standard open source license. You can read the license,
release notes, and pick up the source at:
http://www.washington.edu/computing/support/windows/sources/kftpd.html
Pre-compiled binaries are also included, but not Kerberos for Windows.
You'll need to get this separately. If you have a working GSS compatible
Kerberos v5 system already set up and your target kftpd servers are in your
client's default realm, you can probably just start the included daemon as
follows:
kftppd.exe 127.0.0.1 2021
And it should start taking ftp proxy requests on port 2021.
Ryan Campbell
Software Engineer/Consultant
Computing & Communications
ryanc at cac.washington.edu
More information about the Kerberos
mailing list