gss_accept_sec_contextand channel binding in ftp
Sam Hartman
hartmans at MIT.EDU
Mon Jun 7 17:32:44 EDT 2004
>>>>> "Markus" == Markus Moeller <huaraz at btinternet.com> writes:
Markus> I noticed that from MIT version 1.2.4 to 1.3.1 the
Markus> gss_accept_sec_context call has changed in ftpd.c. It is
Markus> now set to use always GSS_C_NO_CHANNEL_BINDINGS. I also
Markus> noticed that changing the channel bindings in
Markus> gss_init_sec_context on the client doesn't create an error
Markus> I would expect.
MIT assumes that null channel bindings on the server means that any
channel bindings are acceptable to that server, including null.
draft-ietf-krb-wg-gssapi-cfx-xx.txt allows this and has been approved for publication by the IESG.
Markus> I also see a different behaviour in my proftpd mod_gss
Markus> module. If the client uses gss_init_sec_context with
Markus> GSS_C_NO_CHANNEL_BINDINGS, the channel bindings settings
Markus> in gss_accept_sec_context on the server are ignored (e.g
Markus> if the server uses channel bindings with application data
Markus> set and the client used GSS_C_NO_CHANNEL_BINDINGS the
Markus> client can login)
It seems to be the way the code is written. I'm not sure it is to
spec or a good idea.
More information about the Kerberos
mailing list