GSSAPI security for connection encryption
Markus Moeller
huaraz at moeller.plus.com
Thu Aug 19 18:20:23 EDT 2004
The MIT ftp client uses only the REPLAY flag, which I think should be
changed to the SEQUENCE FLAG to provide the correct protection for the data
channel.
        gss_init_sec_context(&min_stat,
                             GSS_C_NO_CREDENTIAL,
                             &gcontext,
                             target_name,
                             (gss_OID_desc *)gss_trials[trial].mech_type,
                             GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG |
                             (forward ? GSS_C_DELEG_FLAG :
                              (unsigned) 0),
                             0,
                             &chan,     /* channel bindings */
                             token_ptr,
                             NULL,      /* ignore mech type */
                             &send_tok,
                             NULL,      /* ignore ret_flags */
                             NULL);     /* ignore time_rec */
Will I get problems with the SEQUENCE FLAG if I want to send a NOOP on the
command channel while a transfer is happening on the data channel (e.g. to keep
the command channel open through firewalls), as the client and server have to
process the data in sync, which is not necessarily the case?
Thanks
Markus
"Sam Hartman" <hartmans at MIT.EDU> wrote in message
news:tslzn4qssps.fsf at cz.mit.edu...
> >>>>> "Markus" == Markus Moeller <huaraz at moeller.plus.com> writes:
>
> Markus> will Sequence protection (GSS_C_SEQUENCE_FLAG) cover replay
> Markus> protection (GSS_C_REPLAY_FLAG) as well or are there cases
> Markus> where I need both ?
>
> I'd recommend using both, but I believe sequence is typically a
> superset.
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
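The following is an added illustration, not code from the MIT ftp client or from either poster. It models the receiver side of GSS-API per-message token checking as RFC 2743 (section 1.2.3) describes it: with GSS_C_REPLAY_FLAG the receiver reports duplicate and stale tokens, and with GSS_C_SEQUENCE_FLAG it additionally reports out-of-order and missing tokens. The status names are the RFC's supplementary-information values; the window size, the sequence numbers and the scenario of a control-channel NOOP wrapped with the same context as in-flight data-channel blocks (the situation the question above describes) are constructed for the example.

```python
"""Model of GSS-API per-message token order checking (RFC 2743, section 1.2.3).

Constructed illustration; not MIT krb5 or MIT ftp code. gss_unwrap()/gss_verify_mic()
return these values as supplementary status bits, so the application decides whether
an out-of-order token is an error.
"""

# Supplementary status names from RFC 2743 (string tags here, not the C bit values).
GSS_S_COMPLETE = "GSS_S_COMPLETE"
GSS_S_DUPLICATE_TOKEN = "GSS_S_DUPLICATE_TOKEN"  # same token processed before
GSS_S_OLD_TOKEN = "GSS_S_OLD_TOKEN"              # too old for replay checking
GSS_S_UNSEQ_TOKEN = "GSS_S_UNSEQ_TOKEN"          # a later token was already processed
GSS_S_GAP_TOKEN = "GSS_S_GAP_TOKEN"              # an expected earlier token is missing


class TokenOrderChecker:
    """Receiver-side ordering state for one security context.

    replay=True   models GSS_C_REPLAY_FLAG   (duplicates and stale tokens flagged)
    sequence=True models GSS_C_SEQUENCE_FLAG (late tokens and gaps flagged as well)
    window        number of recent sequence numbers remembered (assumed value)
    """

    def __init__(self, replay: bool, sequence: bool, window: int = 64):
        self.replay = replay
        self.sequence = sequence
        self.window = window
        self.highest = -1   # highest sequence number accepted so far
        self.seen = set()   # accepted sequence numbers still inside the window

    def check(self, seq: int) -> str:
        if not (self.replay or self.sequence):
            return GSS_S_COMPLETE  # no per-message ordering service requested

        if seq <= self.highest - self.window:
            return GSS_S_OLD_TOKEN  # outside the window: replay status unknown
        if seq in self.seen:
            return GSS_S_DUPLICATE_TOKEN  # caught by replay and by sequence detection

        self.seen.add(seq)
        if seq < self.highest:
            # Late arrival inside the window: only sequence detection objects.
            return GSS_S_UNSEQ_TOKEN if self.sequence else GSS_S_COMPLETE

        gap = seq > self.highest + 1
        self.highest = seq
        self.seen = {s for s in self.seen if s > self.highest - self.window}
        return GSS_S_GAP_TOKEN if (gap and self.sequence) else GSS_S_COMPLETE


def ftp_transfer(replay: bool, sequence: bool):
    """Sender wraps three data blocks and one control-channel NOOP with one
    context (sequence numbers 0..3); the NOOP (seq 2) reaches the receiver
    after data block seq 3. Returns (channel, seq, status) in arrival order."""
    sent = [("data", 0), ("data", 1), ("ctrl NOOP", 2), ("data", 3)]
    arrived = [sent[0], sent[1], sent[3], sent[2]]  # constructed reordering
    checker = TokenOrderChecker(replay, sequence)
    return [(chan, seq, checker.check(seq)) for chan, seq in arrived]


def replayed_token(replay: bool, sequence: bool) -> str:
    """Status of a token (seq 1) delivered a second time."""
    checker = TokenOrderChecker(replay, sequence)
    for seq in (0, 1):
        checker.check(seq)
    return checker.check(1)


if __name__ == "__main__":
    for flags in ((True, False), (False, True), (True, True)):
        print("replay=%s sequence=%s" % flags)
        for chan, seq, status in ftp_transfer(*flags):
            print("  %-9s seq=%d -> %s" % (chan, seq, status))
        print("  replayed token -> %s" % replayed_token(*flags))
```

With replay detection only, the reordered NOOP is accepted (GSS_S_COMPLETE) and only the replayed token is reported; with sequence detection, the receiver also sees GSS_S_GAP_TOKEN for data block 3 and GSS_S_UNSEQ_TOKEN for the late NOOP, which is exactly the interleaving the question is worried about. In this model sequence detection also catches the duplicate, matching the "sequence is typically a superset" remark, but the application still has to decide how to treat UNSEQ and GAP tokens, since they are supplementary status, not integrity failures.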