gssftp channel binding with ipv6

Nico Williams nico at cryptonector.com
Mon Aug 27 13:16:32 EDT 2012


Using IP addresses as channel bindings:

 - doesn't work across NAT,
 - doesn't add security,
 - it's deprecated.

If at all possible just don't do it.  (I know, FTP w/ GSS wants this,
but the acceptor side of the Kerberos GSS mech ignores the initiator's
CB if the acceptor application (i.e., the FTP server daemon) does not
pass any CB as an argument to GSS_Accept_sec_context().  On the client
side we should really just have an option to not do this at all, or
maybe just not do it period.)

Nico
--
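The two points the message makes (IP-address channel bindings break across NAT, and the Kerberos acceptor skips the check when the server application passes no bindings) can be shown with the RFC 1964 "Bnd" computation itself. The following is an added example, not code from the post or from any Kerberos implementation: it encodes a channel-bindings structure the way RFC 1964 section 4.1.1.2 specifies (4-byte little-endian integers and lengths, MD5 over the result, sixteen zero bytes when no bindings are supplied) and models the acceptor behaviour the post describes. The addresses are constructed documentation-range values, and the numeric value of GSS_C_AF_INET6 is taken from the MIT/Heimdal headers as an assumption (RFC 2744 defines GSS_C_AF_INET but not the IPv6 family).

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Address-family values from the GSS-API C bindings (RFC 2744).
GSS_C_AF_INET = 2
GSS_C_AF_INET6 = 24       # value in the MIT/Heimdal headers; assumed, not defined by RFC 2744
GSS_C_AF_NULLADDR = 255


@dataclass
class ChannelBindings:
    """Mirror of gss_channel_bindings_struct (RFC 2744 section 3.11)."""
    initiator_addrtype: int = GSS_C_AF_NULLADDR
    initiator_address: bytes = b""
    acceptor_addrtype: int = GSS_C_AF_NULLADDR
    acceptor_address: bytes = b""
    application_data: bytes = b""


def _u32le(n: int) -> bytes:
    # RFC 1964: each integer field is formatted as four little-endian bytes.
    return n.to_bytes(4, "little")


def _buf(data: bytes) -> bytes:
    # Length fields are always hashed, even when zero; the value only when non-empty.
    return _u32le(len(data)) + data


def bnd_hash(cb: Optional[ChannelBindings]) -> bytes:
    """Compute the 16-byte Bnd field of the RFC 1964 authenticator checksum."""
    if cb is None:
        return bytes(16)  # rule (3): NULL bindings hash to sixteen zero bytes
    h = hashlib.md5()
    h.update(_u32le(cb.initiator_addrtype))
    h.update(_buf(cb.initiator_address))
    h.update(_u32le(cb.acceptor_addrtype))
    h.update(_buf(cb.acceptor_address))
    h.update(_buf(cb.application_data))
    return h.digest()


def ip_bindings(initiator: str, acceptor: str) -> ChannelBindings:
    """Build address-only bindings, as gssftp does, from textual IPv4/IPv6 addresses."""
    i, a = ipaddress.ip_address(initiator), ipaddress.ip_address(acceptor)
    family = {4: GSS_C_AF_INET, 6: GSS_C_AF_INET6}
    return ChannelBindings(family[i.version], i.packed, family[a.version], a.packed)


def acceptor_accepts(initiator_bnd: bytes, acceptor_cb: Optional[ChannelBindings]) -> bool:
    """Acceptor-side decision as the post describes it: no acceptor bindings, no check."""
    if acceptor_cb is None:
        return True
    return hmac.compare_digest(initiator_bnd, bnd_hash(acceptor_cb))


def nat_demo() -> dict:
    """Constructed scenario: a client behind NAT sees itself as 192.0.2.10, the server sees 203.0.113.7."""
    client_view = ip_bindings("192.0.2.10", "198.51.100.20")
    server_view = ip_bindings("203.0.113.7", "198.51.100.20")
    token_bnd = bnd_hash(client_view)          # what the initiator puts in its AP-REQ checksum
    return {
        "strict_acceptor": acceptor_accepts(token_bnd, server_view),   # False: NAT rewrote the source
        "lenient_acceptor": acceptor_accepts(token_bnd, None),         # True: server passed no CB
        "no_nat": acceptor_accepts(token_bnd, client_view),            # True: both sides agree
    }


if __name__ == "__main__":
    for name, ok in nat_demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The `strict_acceptor` result is the NAT failure from the first bullet; the `lenient_acceptor` result is why the binding adds no security in practice, since a server that never passes bindings cannot tell a correct value from a wrong one.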

