can we FTP upload behind firewall and NAT

Douglas E. Engert deengert at anl.gov
Mon May 9 10:08:52 EDT 2005



Shih-Chieh Hsu wrote:
> Hi! Douglas,
> 
> Yes. I've tried passive but still failed.
> Only USER anonymous succeeds in logging in. However, I can only download files.
>

Looking closer, there is a channel binding message. This is similar
to the addresses in tickets, but is done by the applications passing
the binding information (i.e. the endpoint addresses) to gss.

I think newer versions of the FTP and FTPD can work without the
channel bindings, but older versions of FTPD may not. It's really up to the
client and server to agree on the use of channel bindings, and they
pass these to GSS. We had a mod to init_sec_context.c for windows at
one time to try and use the NAT box address in the bindings
(I remember seeing something similar on the mailing list too,
and there was discussion about using something like 0.0.0.1 and 0.0.0.2
as the endpoints.)

init_sec_context.c:


      /* compute the hash of the channel bindings */

+#ifdef _WIN32
+   /*
+    * Many times we are behind a firewall which is doing NAT
+    * such as at home on a PC.
+    * If the KRB5NATADDR is set, and our initiator addr starts
+    * with 198, and the acceptor address does not, i.e. its
+    * outside the firewall, we will then replace the initator
+    * address with the KRB5NATADDR.
+    */
+   if (chan_bindings !=  GSS_C_NO_CHANNEL_BINDINGS
+       && chan_bindings->initiator_addrtype == GSS_C_AF_INET
+       && chan_bindings->acceptor_addrtype == GSS_C_AF_INET
+       && chan_bindings->initiator_address.length == 4
+       && chan_bindings->acceptor_address.length == 4
+       && *((unsigned char *)chan_bindings->initiator_address.value) == 192
+       && *(((unsigned char *)chan_bindings->initiator_address.value)+1) == 168
+       && *((unsigned char *)chan_bindings->acceptor_address.value) != 192
+       && *(((unsigned char *)chan_bindings->acceptor_address.value)+1) != 168) {
+       char * ncp;
+       int i,n;
+       if (ncp = getenv("KRB5NATADDR")) {
+           for (i=0; i<4; i++) {
+               n = 0;
+               while (*ncp >= '0' && *ncp <='9') {
+                   n = n*10 + *ncp -'0';
+                   ncp++;
+               }
+               if (*ncp) ncp++;
+               nataddr[i] = n;
+           }
+           saved_addr = chan_bindings->initiator_address.value;
+           chan_bindings->initiator_address.value = nataddr;
+       }
+   }
+#endif
+
      if ((code = kg_checksum_channel_bindings(context, chan_bindings, &md5, 0)))
          return(code);
+#ifdef _WIN32
+   if (saved_addr) {
+       chan_bindings->initiator_address.value = saved_addr;
+   }
+#endif

      krb5_auth_con_set_req_cksumtype(context, ctx->auth_context,
                     CKSUMTYPE_KG_CB);
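Review bot: the restore of `chan_bindings->initiator_address.value` is skipped on the error path: when `kg_checksum_channel_bindings` fails, `return(code)` runs before the second `#ifdef _WIN32` block, so the caller's channel-binding structure is left pointing at `nataddr`. Restore `saved_addr` unconditionally right after the call and only then test `code`. In the same hunk, the acceptor test `*(acceptor) != 192 && *(acceptor+1) != 168` does not express "acceptor is not 192.168.x.x"; that is `!(a == 192 && b == 168)`, i.e. `a != 192 || b != 168`, so as written a server at 192.5.x.x or 10.168.x.x never gets the substitution. The comment also says the initiator address must start with 198 while the code checks 192.168, `saved_addr` and `nataddr` are not declared in the hunk (`saved_addr` must be initialised to NULL for the later `if (saved_addr)` to be meaningful, and `nataddr` needs to be an `unsigned char[4]` that outlives the checksum call), the KRB5NATADDR parser silently truncates octets above 255 into `nataddr[i]`, and `if (ncp = getenv("KRB5NATADDR"))` should be written `if ((ncp = getenv("KRB5NATADDR")) != NULL)` to avoid the assignment-in-condition warning.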


> Shih-Chieh
> 
> Douglas E. Engert wrote:
> 
>> Have you tried "passive"?
>>
>> Shih-Chieh Hsu wrote:
>>
>>> Hi!
>>>
>>> Has anyone ever succeeded in uploading files to a kerberised server from
>>> a compute node behind a firewall and NAT?
>>>
>>> Here's the error message.
>>> 1.  I tried getting addressless credentials by doing 'kinit -n'.
>>> 2.  However, ftp gives me following error.
>>> GSSAPI accepted as authentication type
>>> GSSAPI error major: Incorrect channel bindings were supplied

Yes, this looks like the addresses are being added.

>>> GSSAPI error minor: No error
>>> GSSAPI error: accepting context
>>> GSSAPI ADAT failed
>>> GSSAPI authentication failed
>>> KERBEROS_V4 accepted as authentication type
>>> Kerberos V4 krb_mk_req failed: You have no tickets cached
>>> Name (fcdfdata114.fnal.gov:schsu): schsu
>>> Password:
>>> Login failed.
>>> Remote system type is UNIX.
>>> Using binary mode to transfer files.
>>>
>>>
>>> many thanks,
>>>
>>> Shih-Chieh
>>> PS: I've tried that; anonymous with passive mode allows me to download files.
>>>
>>> ________________________________________________
>>> Kerberos mailing list           Kerberos at mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444