krb5-appl/1087: ftp clients can't connect to ftpd over a NAT

[Steven Michaud]

It'd be _very_ nice if this change could get into release 1.2.5.  It
would remove the last major barrier to use of MIT Kerberos (or at
least of the services distributed with it (telnetd and ftpd)) from
clients connected to the Internet over a NAT.  A quick glance at your
own bugs list shows that NATs are getting more important.  Many people
would be grateful.  Judgeing from the recent discussion (or lack
thereof) on krbdev of my suggested fixes for telnetd and ftpd, there
won't be any objections.

Maybe you've decided to reserve it for 1.3 because you think it's a
new "feature".  But as I argued in the message accompanying my last
set of NAT patches, it's really a bug fix.  The NAT-friendly behavior
that ftpd will have after your patch is applied (and that telnetd now
has thanks to your rd_cred patch) is really implicit in the support
for addressless tickets which (I think) has been in Kerberos V5 since
the beginning (it's already present in RFC 1510).

I agree that mk_safe/rd_safe and mk_priv/rd_priv can't be changed so
easily -- if only because RFC 1510 requires that these use address
checking.  But these functions are hardly used at all in the MIT
distribution -- as best I can tell, they're only used to change
passwords (I don't count their use in the sample programs).  I wonder
how many other programs use them?

And yes, it's important to be able to change your password.  But at
least you have the option of telling NAT users to telnet in over an
encrypted connection and use kpasswd (or of writing a web page that
will let them change their Kerberos password over an SSL connection).

On Thu, 11 Apr 2002, Sam Hartman wrote:

> 
> 	`Sam Hartman' changed the state to `closed'.
> 
> 
> State-Changed-From-To: open-closed
> State-Changed-By: hartmans
> State-Changed-When: Thu Apr 11 16:41:02 2002
> State-Changed-Why:
> I've removed the channel bindings from  the ftpd accept_sec_context call on the mainline branche.
> 
> 
>