gss_accept_sec_context and channel binding in ftp

Sam Hartman hartmans at MIT.EDU
Mon Jun 7 17:32:44 EDT 2004

>>>>> "Markus" == Markus Moeller <huaraz at> writes:

    Markus> I noticed that from MIT version 1.2.4 to 1.3.1 the
    Markus> gss_accept_sec_context call has changed in ftpd.c. It is
    Markus> now set to use always GSS_C_NO_CHANNEL_BINDINGS.  I also
    Markus> noticed that changing the channel bindings in
    Markus> gss_init_sec_context on the client doesn't create an error
    Markus> I would expect.

MIT assumes that null channel bindings on the server means that any
channel bindings are acceptable to that server, including null.
draft-ietf-krb-wg-gssapi-cfx-xx.txt allows this and has been approved for publication by the IESG.

    Markus> I also see a different behaviour in my proftpd mod_gss
    Markus> module. If the client uses gss_init_sec_context with
    Markus> GSS_C_NO_CHANNEL_BINDINGS, the channel bindings settings
    Markus> in gss_accept_sec_context on the server are ignored (e.g
    Markus> if the server uses channel bindings with application data
    Markus> set and the client used GSS_C_NO_CHANNEL_BINDINGS the
    Markus> client can login)

It seems to be the way the code is written.  I'm not sure it is to
spec or a good idea.
