gss_accept_sec_contextand channel binding in ftp

Markus Moeller huaraz at
Fri Jun 4 10:09:59 EDT 2004

I noticed that from MIT version 1.2.4 to 1.3.1 the gss_accept_sec_context call 
has changed in ftpd.c. It is now set to use always GSS_C_NO_CHANNEL_BINDINGS. 
I also noticed that changing the channel bindings in gss_init_sec_context on 
the client doesn't create an error I would expect. 

I also see a different behaviour in my proftpd mod_gss module. If the client 
uses gss_init_sec_context with GSS_C_NO_CHANNEL_BINDINGS, the channel bindings 
settings in gss_accept_sec_context on the server are ignored (e.g if the 
server uses channel bindings with application data set and the client used 
GSS_C_NO_CHANNEL_BINDINGS the client can login)

Is this intention ??


More information about the Kerberos mailing list