gss_accept_sec_context and channel binding in ftp

Markus Moeller huaraz at
Mon Jun 7 19:33:48 EDT 2004

What is the value of channel bindings if either side (client and/or server)
can ignore it by setting it to GSS_C_NO_CHANNEL_BINDINGS?
It seems to me a useless functionality, or do you have an example where it
can be used?


"Sam Hartman" <hartmans at MIT.EDU> wrote in message
news:tslr7sroxz7.fsf at
> >>>>> "Markus" == Markus Moeller <huaraz at> writes:
>     Markus> I noticed that from MIT version 1.2.4 to 1.3.1 the
>     Markus> gss_accept_sec_context call has changed in ftpd.c. It is
>     Markus> now set to use always GSS_C_NO_CHANNEL_BINDINGS.  I also
>     Markus> noticed that changing the channel bindings in
>     Markus> gss_init_sec_context on the client doesn't create an error
>     Markus> I would expect.
> MIT assumes that null channel bindings on the server means that any
> channel bindings are acceptable to that server, including null.
> draft-ietf-krb-wg-gssapi-cfx-xx.txt allows this and has been approved for
> publication by the IESG.
>     Markus> I also see a different behaviour in my proftpd mod_gss
>     Markus> module. If the client uses gss_init_sec_context with
>     Markus> GSS_C_NO_CHANNEL_BINDINGS, the channel bindings settings
>     Markus> in gss_accept_sec_context on the server are ignored (e.g.
>     Markus> if the server uses channel bindings with application data
>     Markus> set and the client used GSS_C_NO_CHANNEL_BINDINGS the
>     Markus> client can login)
> It seems to be the way the code is written.  I'm not sure it is to
> spec or a good idea.
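A small model of the acceptor-side decision discussed in this thread, added here as an illustration; it is not MIT krb5 or mod_gss code. The policy names, the 16-byte binding field, the all-zero encoding of "no bindings" and the sample values are assumptions of the model.

```c
#include <stddef.h>
#include <string.h>

#define BND_LEN 16  /* size of the binding field in this model (assumption) */

/* Hypothetical policy names for the three behaviours raised in the thread. */
enum cb_policy {
    CB_ACCEPTOR_NULL_ANY,  /* server passing no bindings accepts any client bindings */
    CB_EITHER_NULL_ANY,    /* additionally, a client with no bindings is accepted */
    CB_STRICT              /* both sides must present identical bindings */
};

/* Model of GSS_C_NO_CHANNEL_BINDINGS: NULL or an all-zero field (assumption). */
static const unsigned char NO_BND[BND_LEN] = {0};

static int is_null(const unsigned char *bnd)
{
    return bnd == NULL || memcmp(bnd, NO_BND, BND_LEN) == 0;
}

/* Returns 1 if the context is accepted, 0 if rejected for a binding mismatch. */
int cb_accept(enum cb_policy p, const unsigned char *init_bnd,
              const unsigned char *acc_bnd)
{
    int init_null = is_null(init_bnd);
    int acc_null = is_null(acc_bnd);

    if (init_null && acc_null)
        return 1;                        /* nothing to compare on either side */
    if (acc_null)
        return p != CB_STRICT;           /* server opted out of the check */
    if (init_null)
        return p == CB_EITHER_NULL_ANY;  /* client opted out of the check */
    return memcmp(init_bnd, acc_bnd, BND_LEN) == 0;
}

/* Constructed sample values standing in for the bindings of two channels. */
const unsigned char BND_A[BND_LEN] = {0xA1, 0x01};
const unsigned char BND_B[BND_LEN] = {0xB2, 0x02};
```

Under `CB_EITHER_NULL_ANY`, the behaviour reported for the mod_gss case, a server that sets bindings gets no guarantee, because the client alone decides whether the comparison happens.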