gss_accept_sec_contextand channel binding in ftp
hartmans at MIT.EDU
Tue Jun 8 13:47:39 EDT 2004
>>>>> "Markus" == Markus Moeller <huaraz at btinternet.com> writes:
Markus> What is the value of channel bindings if either
Markus> side(client and/or server) can ignore it by setting it to
Markus> GSS_C_NO_CHANNEL_BINDINGS ? It seems to me a useless
Markus> functionality or do you have an example where it can be
Markus> used ?
Markus> Thanks Markus
Markus> "Sam Hartman" <hartmans at MIT.EDU> wrote in message
Markus> news:tslr7sroxz7.fsf at konishi-polis.mit.edu...
>> >>>>> "Markus" == Markus Moeller <huaraz at btinternet.com>
Markus> I noticed that from MIT version 1.2.4 to 1.3.1 the
Markus> gss_accept_sec_context call has changed in ftpd.c. It is
Markus> now set to use always GSS_C_NO_CHANNEL_BINDINGS. I also
Markus> noticed that changing the channel bindings in
Markus> gss_init_sec_context on the client doesn't create an error
Markus> I would expect.
>> MIT assumes that null channel bindings on the server means
>> that any channel bindings are acceptable to that server,
>> including null. draft-ietf-krb-wg-gssapi-cfx-xx.txt allows
>> this and has been approved for
Markus> publication by the IESG.
Markus> I also see a different behaviour in my proftpd mod_gss
Markus> module. If the client uses gss_init_sec_context with
Markus> GSS_C_NO_CHANNEL_BINDINGS, the channel bindings settings
Markus> in gss_accept_sec_context on the server are ignored (e.g
Markus> if the server uses channel bindings with application data
Markus> set and the client used GSS_C_NO_CHANNEL_BINDINGS the
Markus> client can login)
>> It seems to be the way the code is written. I'm not sure it is
>> to spec or a good idea.
>> ________________________________________________ Kerberos
>> mailing list Kerberos at mit.edu
Markus> ________________________________________________ Kerberos
Markus> mailing list Kerberos at mit.edu
P It's authenticated. So if both sides use it then it will be
verified and required to be correct.
As I consider the current behavior more I don't like the MIT server's
tendency to discard client channel bindings though. I believe a
server should be able to require channel bindings.
More information about the Kerberos