gss_accept_sec_context and channel binding in ftp

Markus Moeller huaraz at btinternet.com
Tue Jun 8 14:17:43 EDT 2004


Sam,

So should I raise it as a bug?

Thanks
Markus

"Sam Hartman" <hartmans at mit.edu> wrote in message
news:tsl7juindqc.fsf at konishi-polis.mit.edu...
> >>>>> "Markus" == Markus Moeller <huaraz at btinternet.com> writes:
>
>     Markus> What is the value of channel bindings if either
>     Markus> side(client and/or server) can ignore it by setting it to
>     Markus> GSS_C_NO_CHANNEL_BINDINGS ?  It seems to me a useless
>     Markus> functionality or do you have an example where it can be
>     Markus> used ?
>
>     Markus> Thanks Markus
>
>
>     Markus> "Sam Hartman" <hartmans at MIT.EDU> wrote in message
>     Markus> news:tslr7sroxz7.fsf at konishi-polis.mit.edu...
>     >> >>>>> "Markus" == Markus Moeller <huaraz at btinternet.com>
>     >> writes:
>     >>
>     Markus> I noticed that from MIT version 1.2.4 to 1.3.1 the
>     Markus> gss_accept_sec_context call has changed in ftpd.c. It is
>     Markus> now set to use always GSS_C_NO_CHANNEL_BINDINGS.  I also
>     Markus> noticed that changing the channel bindings in
>     Markus> gss_init_sec_context on the client doesn't create an error
>     Markus> I would expect.
>     >>  MIT assumes that null channel bindings on the server means
>     >> that any channel bindings are acceptable to that server,
>     >> including null.  draft-ietf-krb-wg-gssapi-cfx-xx.txt allows
>     >> this and has been approved for
>     Markus> publication by the IESG.
>     >>
>     Markus> I also see a different behaviour in my proftpd mod_gss
>     Markus> module. If the client uses gss_init_sec_context with
>     Markus> GSS_C_NO_CHANNEL_BINDINGS, the channel bindings settings
>     Markus> in gss_accept_sec_context on the server are ignored (e.g
>     Markus> if the server uses channel bindings with application data
>     Markus> set and the client used GSS_C_NO_CHANNEL_BINDINGS the
>     Markus> client can login)
>     >>
>     >>
>     >> It seems to be the way the code is written.  I'm not sure it is
>     >> to spec or a good idea.
>     >>
>     >> ________________________________________________ Kerberos
>     >> mailing list Kerberos at mit.edu
>     >> https://mailman.mit.edu/mailman/listinfo/kerberos
>     >>
>
>
>
>
> It's authenticated.  So if both sides use it then it will be
> verified and required to be correct.
>
> As I consider the current behavior more I don't like the MIT server's
> tendency to discard client channel bindings though.  I believe a
> server should be able to require channel bindings.
>
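To make the three acceptor behaviours discussed in this thread concrete, here is a small model of the channel-binding check, written for this archive page and not code from MIT Kerberos, ftpd.c or proftpd mod_gss. It serialises and hashes channel bindings into the 16-byte Bnd field of the Kerberos authenticator checksum the way I read RFC 4121 section 4.1.1.2 (that layout, with little-endian lengths and an all-zero Bnd for GSS_C_NO_CHANNEL_BINDINGS, is my assumption, as are the constant names and the `require_bindings` policy switch, which stands in for the "server should be able to require channel bindings" behaviour Sam asks for). The acceptor logic models: null bindings on the server accept anything; a client that sent no bindings is accepted under the lenient behaviour Markus observed unless the server requires bindings; and when both sides supplied bindings the hashes must match.

```python
"""Model of the GSS-API channel-binding check discussed in the thread.

Added example, not MIT Kerberos or ftpd code. The Bnd encoding follows my
reading of RFC 4121 section 4.1.1.2 (assumption); the policy switch
`require_bindings` is hypothetical and is not an MIT gss_accept_sec_context option.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

# GSS-API "no address" type and two of the standard RFC 2744 request flags that
# share the authenticator checksum with the Bnd field.
GSS_C_AF_NULLADDR = 0
GSS_C_MUTUAL_FLAG = 2
GSS_C_INTEG_FLAG = 32

# GSS_C_NO_CHANNEL_BINDINGS is represented as None in this model.
NO_BINDINGS = None


@dataclass
class ChannelBindings:
    """The five fields of a gss_channel_bindings_t."""
    initiator_addrtype: int = GSS_C_AF_NULLADDR
    initiator_address: bytes = b""
    acceptor_addrtype: int = GSS_C_AF_NULLADDR
    acceptor_address: bytes = b""
    application_data: bytes = b""


def encode_channel_bindings(cb: ChannelBindings) -> bytes:
    """Serialise bindings before hashing: each address type and each length is a
    4-byte little-endian integer, in the field order of the structure."""
    def lv(value: bytes) -> bytes:
        return struct.pack("<I", len(value)) + value
    return (struct.pack("<I", cb.initiator_addrtype) + lv(cb.initiator_address)
            + struct.pack("<I", cb.acceptor_addrtype) + lv(cb.acceptor_address)
            + lv(cb.application_data))


def bnd_field(cb: Optional[ChannelBindings]) -> bytes:
    """16-byte Bnd: MD5 of the encoding, or all zeros for GSS_C_NO_CHANNEL_BINDINGS."""
    if cb is NO_BINDINGS:
        return bytes(16)
    return hashlib.md5(encode_channel_bindings(cb)).digest()


def authenticator_checksum(cb: Optional[ChannelBindings], flags: int) -> bytes:
    """Lgth (always 16) || Bnd || Flags: the 24-byte checksum the initiator sends
    inside the AP-REQ authenticator when gss_init_sec_context runs."""
    return struct.pack("<I", 16) + bnd_field(cb) + struct.pack("<I", flags)


def parse_bnd(checksum: bytes) -> bytes:
    """Extract the Bnd field, rejecting a checksum whose Lgth is not 16."""
    (lgth,) = struct.unpack("<I", checksum[:4])
    if lgth != 16 or len(checksum) < 24:
        raise ValueError("malformed authenticator checksum")
    return checksum[4:20]


def acceptor_check(acceptor_cb: Optional[ChannelBindings], checksum: bytes,
                   require_bindings: bool = False) -> bool:
    """Decide whether the acceptor side should accept the initiator's bindings.

    - acceptor passed GSS_C_NO_CHANNEL_BINDINGS: any client bindings are
      acceptable (the MIT reading described in the thread).
    - client passed GSS_C_NO_CHANNEL_BINDINGS (Bnd all zero): accepted under the
      lenient behaviour Markus observed, rejected when the server requires bindings.
    - both sides supplied bindings: the hashes must be equal.
    """
    received = parse_bnd(checksum)
    if acceptor_cb is NO_BINDINGS:
        return True
    if received == bytes(16):
        return not require_bindings
    return hmac.compare_digest(received, bnd_field(acceptor_cb))


if __name__ == "__main__":
    # Constructed sample: the server binds the session to an application token.
    server_cb = ChannelBindings(application_data=b"ftp-session-token")
    flags = GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG
    for label, client_cb in (("matching", server_cb),
                             ("different", ChannelBindings(application_data=b"other")),
                             ("none", NO_BINDINGS)):
        cs = authenticator_checksum(client_cb, flags)
        print(f"client {label:9s} lenient={acceptor_check(server_cb, cs)} "
              f"strict={acceptor_check(server_cb, cs, require_bindings=True)}")
```

Run as a script it prints the decision matrix for a matching, a mismatching and an absent client binding under both policies; the only row that differs between the two policies is the client that sent GSS_C_NO_CHANNEL_BINDINGS, which is exactly the gap the thread is about.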