gss_accept_sec_contextand channel binding in ftp

Markus Moeller huaraz at
Fri Jun 4 19:19:11 EDT 2004

It is useful, but is it correct ? I could understand that if the server uses
GSS_C_NO_CHANNEL_BINDINGS in gss_accept_sec_context it accepts a context
with or without bindings, but if the server requires channel binding the
client shouldn't be able to switch it off by using


"Donn Cave" <donn at> wrote in message
news:donn-8ADAF4.15275204062004 at
> In article <loom.20040604T154031-39 at>,
>  huaraz at (Markus Moeller) wrote:
> > I noticed that from MIT version 1.2.4 to 1.3.1 the
> > call
> > has changed in ftpd.c. It is now set to use always
> > I also noticed that changing the channel bindings in
gss_init_sec_context on
> > the client doesn't create an error I would expect.
> >
> > I also see a different behaviour in my proftpd mod_gss module. If the
> > uses gss_init_sec_context with GSS_C_NO_CHANNEL_BINDINGS, the channel
> > bindings
> > settings in gss_accept_sec_context on the server are ignored (e.g if the
> > server uses channel bindings with application data set and the client
> > GSS_C_NO_CHANNEL_BINDINGS the client can login)
> >
> > Is this intention ??
> I can't speak for the MIT Kerberos developers, but I feel
> fairly confident that it was not an accident.  Moreover,
> it is quite useful for GSS Fetch users behind NATs, for
> example.
>    Donn Cave, donn at
> ________________________________________________
> Kerberos mailing list           Kerberos at

More information about the Kerberos mailing list