gss_accept_sec_contextand channel binding in ftp

Sam Hartman hartmans at MIT.EDU
Tue Jun 8 13:47:39 EDT 2004

>>>>> "Markus" == Markus Moeller <huaraz at> writes:

    Markus> What is the value of channel bindings if either
    Markus> side(client and/or server) can ignore it by setting it to
    Markus> GSS_C_NO_CHANNEL_BINDINGS ?  It seems to me a useless
    Markus> functionality or do you have an example where it can be
    Markus> used ?

    Markus> Thanks Markus

    Markus> "Sam Hartman" <hartmans at MIT.EDU> wrote in message
    Markus> news:tslr7sroxz7.fsf at
    >> >>>>> "Markus" == Markus Moeller <huaraz at>
    >> writes:
    Markus> I noticed that from MIT version 1.2.4 to 1.3.1 the
    Markus> gss_accept_sec_context call has changed in ftpd.c. It is
    Markus> now set to use always GSS_C_NO_CHANNEL_BINDINGS.  I also
    Markus> noticed that changing the channel bindings in
    Markus> gss_init_sec_context on the client doesn't create an error
    Markus> I would expect.
    >>  MIT assumes that null channel bindings on the server means
    >> that any channel bindings are acceptable to that server,
    >> including null.  draft-ietf-krb-wg-gssapi-cfx-xx.txt allows
    >> this and has been approved for
    Markus> publication by the IESG.
    Markus> I also see a different behaviour in my proftpd mod_gss
    Markus> module. If the client uses gss_init_sec_context with
    Markus> GSS_C_NO_CHANNEL_BINDINGS, the channel bindings settings
    Markus> in gss_accept_sec_context on the server are ignored (e.g
    Markus> if the server uses channel bindings with application data
    Markus> set and the client used GSS_C_NO_CHANNEL_BINDINGS the
    Markus> client can login)
    >> It seems to be the way the code is written.  I'm not sure it is
    >> to spec or a good idea.
    >> ________________________________________________ Kerberos
    >> mailing list Kerberos at

    Markus> ________________________________________________ Kerberos
    Markus> mailing list Kerberos at

P It's authenticated.  So if both sides use it then it will be
verified and required to be correct.

As I consider the current behavior more I don't like the MIT server's
tendency to discard client channel bindings though.  I believe a
server should be able to require channel bindings.

More information about the Kerberos mailing list