gss_accept_sec_contextand channel binding in ftp
Markus Moeller
huaraz at btinternet.com
Mon Jun 7 19:33:48 EDT 2004
What is the value of channel bindings if either side(client and/or server)
can ignore it by setting it to GSS_C_NO_CHANNEL_BINDINGS ?
It seems to me a useless functionality or do you have an example where it
can be used ?
Thanks
Markus
"Sam Hartman" <hartmans at MIT.EDU> wrote in message
news:tslr7sroxz7.fsf at konishi-polis.mit.edu...
> >>>>> "Markus" == Markus Moeller <huaraz at btinternet.com> writes:
>
> Markus> I noticed that from MIT version 1.2.4 to 1.3.1 the
> Markus> gss_accept_sec_context call has changed in ftpd.c. It is
> Markus> now set to use always GSS_C_NO_CHANNEL_BINDINGS. I also
> Markus> noticed that changing the channel bindings in
> Markus> gss_init_sec_context on the client doesn't create an error
> Markus> I would expect.
>
> MIT assumes that null channel bindings on the server means that any
> channel bindings are acceptable to that server, including null.
> draft-ietf-krb-wg-gssapi-cfx-xx.txt allows this and has been approved for
publication by the IESG.
>
>
> Markus> I also see a different behaviour in my proftpd mod_gss
> Markus> module. If the client uses gss_init_sec_context with
> Markus> GSS_C_NO_CHANNEL_BINDINGS, the channel bindings settings
> Markus> in gss_accept_sec_context on the server are ignored (e.g
> Markus> if the server uses channel bindings with application data
> Markus> set and the client used GSS_C_NO_CHANNEL_BINDINGS the
> Markus> client can login)
>
>
> It seems to be the way the code is written. I'm not sure it is to
> spec or a good idea.
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
More information about the Kerberos
mailing list