GSSAPI security for connection encryption

Jeffrey Altman jaltman2 at nyc.rr.com
Thu Aug 19 18:56:10 EDT 2004 

FTP AUTH GSS cannot be implemented with SEQUENCE protection if
the client plans on sending data on the command channel while
there is an active data channel using the GSS context.  This is
a serious problem for GUI FTP implementations which issue
STAT commands for status updates; or for other implementation
wishing to protect against NAT/firewall timeouts.

I have a proposal to fix this but the changes are incompatible
with the current implementation.  Hopefully I will find the
time to work on submitting it to the IETF.

Jeffrey Altman



Markus Moeller wrote:

> The MIT ftp client uses only the REPLAY flag, which I think should be
> changed to the SEQUENCE FLAG to provide the correct protection for the data
> channel.
> 
>   gss_init_sec_context(&min_stat,
>          GSS_C_NO_CREDENTIAL,
>          &gcontext,
>          target_name,
>          (gss_OID_desc *)gss_trials[trial].mech_type,
>          GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG |
>            (forward ? GSS_C_DELEG_FLAG :
>      (unsigned) 0),
>          0,
>          &chan, /* channel bindings */
>          token_ptr,
>          NULL, /* ignore mech type */
>          &send_tok,
>          NULL, /* ignore ret_flags */
>          NULL); /* ignore time_rec */
> 
> 
> Will I get problems with the SEQUENCE FLAG if  I want to send a NOOP on the
> command channel during a transfer happens on the data channel (.e.g. to keep
> to command channel open through firewalls ) as the client and server have to
> process the data in sync which is not necessarily given ?
> 
> Thanks
> Markus
> 
> "Sam Hartman" <hartmans at MIT.EDU> wrote in message
> news:tslzn4qssps.fsf at cz.mit.edu...
> 
>>>>>>>"Markus" == Markus Moeller <huaraz at moeller.plus.com> writes:
>>
>>    Markus> will Sequence protection (GSS_C_SEQUENCE_FLAG)cover replay
>>    Markus> protection (GSS_C_REPLAY_FLAG) as well or are there cases
>>    Markus> were I need both ?
>>
>>I'd recommend using both, but I believe sequence is typically a
>>superset.
>>
>>________________________________________________
>>Kerberos mailing list           Kerberos at mit.edu
>>https://mailman.mit.edu/mailman/listinfo/kerberos
>>
> 
> 
> 
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 

-- 
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu

More information about the Kerberos mailing list