[krbdev.mit.edu #2723] krb4 ftp fails in passive mode

Miro Jurišić via RT rt-comment at krbdev.mit.edu
Thu Sep 23 16:51:12 EDT 2004


FTP with krb4 fails in passive mode. (See transcript below.) The error 
is that the server's encrypted data sent on passive data connections 
has the IP address 0.0.0.0 instead of the actual IP address of the 
server; as a result, when the client tries to decrypt the data using 
krb_rd_priv, the IP check fails (because the check is being done against 
the correct server IP address provided by the client), and krb_rd_priv 
returns AP_MODIFIED.

hth

meeroh

meeroh at all-night-tool:~% kdestroy
meeroh at all-night-tool:~% kinit -4
meeroh at all-night-tool:~% ftp ftp.dialup.mit.edu
Connected to mass-toolpike.mit.edu.
220 mass-toolpike.mit.edu FTP server (Version 5.60) ready.
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI error major: Miscellaneous failure
GSSAPI error minor: No credentials cache found
GSSAPI error: initializing context
GSSAPI authentication failed
334 Using authentication type KERBEROS_V4; ADAT must follow
KERBEROS_V4 accepted as authentication type
Kerberos V4 authentication succeeded
200 Data channel protection level set to private.
Name (ftp.dialup.mit.edu:meeroh):
331 Kerberos user meeroh at ATHENA.MIT.EDU is authorized as meeroh; 
Password required.
Password:
230 User meeroh logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode on.
ftp> ls
227 Entering Passive Mode (18,7,16,71,162,15)
150 Opening ASCII mode data connection for /bin/ls.
krb_rd_priv failed for KERBEROS_V4 (Message integrity error 
(krb_rd_req))
226 Transfer complete.
ftp> quit

--

<http://web.meeroh.org/> | KB1FMP

"And when I have understanding of computers, I shall be
         the supreme being!" -- Evil, "Time Bandits"
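
The failure described in the report, as an added example that is not code from MIT Kerberos or from the original message: a simplified model of a private message that carries the sender's IPv4 address, checked by the receiver against the address it expects. Assumptions: HMAC-SHA256 stands in for the krb4 encryption, the message layout is simplified, and the names parse_pasv, seal and unseal, the key and the payload are hypothetical or constructed.

```python
import hashlib
import hmac
import re
import socket
import struct

AP_MODIFIED = "AP_MODIFIED"  # error name as given in the report


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply such as the one in the transcript."""
    nums = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply).groups()
    h1, h2, h3, h4, p1, p2 = map(int, nums)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def seal(key, payload, sender_ip):
    """Sender side: bind the sender's IPv4 address into the protected body."""
    body = struct.pack("!I", len(payload)) + payload + socket.inet_aton(sender_ip)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def unseal(key, blob, expected_sender_ip):
    """Receiver side: check integrity first, then the embedded sender address."""
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None, AP_MODIFIED  # message really was altered in transit
    (n,) = struct.unpack("!I", body[:4])
    payload, addr = body[4:4 + n], body[4 + n:4 + n + 4]
    if addr != socket.inet_aton(expected_sender_ip):
        return None, AP_MODIFIED  # message intact, but sender address mismatches
    return payload, None


KEY = b"constructed-session-key"  # constructed sample value
LISTING = b"constructed directory listing\r\n"  # constructed sample payload
# Address the client connects to, taken from the 227 line in the transcript.
SERVER_IP, DATA_PORT = parse_pasv("227 Entering Passive Mode (18,7,16,71,162,15)")

# Server stamps 0.0.0.0; client checks against the address it connected to.
BROKEN = unseal(KEY, seal(KEY, LISTING, "0.0.0.0"), SERVER_IP)
# Server stamps its actual address; the same check passes.
FIXED = unseal(KEY, seal(KEY, LISTING, SERVER_IP), SERVER_IP)

if __name__ == "__main__":
    print(SERVER_IP, DATA_PORT, BROKEN, FIXED)
```

In this model the 0.0.0.0 case is rejected with the same error as a tampered message even though the integrity tag verifies, which is why the client-side error text alone does not distinguish the two.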


