Can't use NAT
donn at u.washington.edu
Fri Sep 27 17:37:01 EDT 2002
Quoth "Douglas E. Engert" <deengert at anl.gov>:
| Donn Cave wrote:
|> At present (in 1.2.6), a site that wants to support NAT to GSS ftp
|> on UNIX only needs to replace the channel binding parameter to
|> gss_accept_security_context() with GSS_C_NO_CHANNEL_BINDINGS, right?
| I think it's more than that; the client and server check each other.
| So both would have to turn off channel bindings. There was some talk about
| They don't actually send the IP addresses, but rather a checksum
| of the addresses.
It used to be that way. I don't know exactly when this change got
out of the dev branch, but in 1.2.6 - look at
lib/gssapi/krb5/accept_sec_context.c line 450, 2nd occurrence of
"GSS_C_NO_CHANNEL_BINDINGS". We use a slightly different version
of this code from an earlier krb5-current, and together with that
modification to ftpd.c, we can support unmodified "Fetch" from
behind NATs with noaddresses = true.
Donn Cave, donn at u.washington.edu
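
Added example, not part of the original message and not MIT krb5 code: a simplified Python model of the channel-binding hash discussed above (MD5 over the address fields, per RFC 1964 section 1.1.1), showing why a NAT-rewritten source address fails the acceptor's comparison and why the context proceeds once the acceptor supplies no bindings. The function names and IP addresses are constructed for illustration, and the acceptor logic is an assumption modelled on the behaviour the message describes.

```python
import hashlib
import socket
import struct

GSS_C_AF_INET = 2           # address-type constant from gssapi.h
NO_CHANNEL_BINDINGS = None  # stands in for GSS_C_NO_CHANNEL_BINDINGS


def bindings_hash(initiator_ip, acceptor_ip, app_data=b""):
    """MD5 over the channel-bindings fields in declaration order, with
    integer fields as 4-byte little-endian values (RFC 1964, 1.1.1)."""
    buf = b""
    for ip in (initiator_ip, acceptor_ip):
        addr = socket.inet_aton(ip)
        buf += struct.pack("<II", GSS_C_AF_INET, len(addr)) + addr
    buf += struct.pack("<I", len(app_data)) + app_data
    return hashlib.md5(buf).digest()


def acceptor_check(token_bnd, acceptor_bindings):
    """Return True if the modelled acceptor lets the context proceed."""
    if acceptor_bindings is NO_CHANNEL_BINDINGS:
        return True  # acceptor opted out: the hash in the token is not compared
    return token_bnd == bindings_hash(*acceptor_bindings)


# Constructed addresses: client behind NAT, NAT's public side, ftp server.
CLIENT_PRIVATE = "192.168.1.20"
NAT_PUBLIC = "198.51.100.7"
SERVER = "203.0.113.10"

# The client hashes the addresses of its own socket ...
client_bnd = bindings_hash(CLIENT_PRIVATE, SERVER)
# ... while the server's socket shows the NAT address as the peer.
server_view = (NAT_PUBLIC, SERVER)

if __name__ == "__main__":
    print("no NAT, bindings checked:",
          acceptor_check(bindings_hash(NAT_PUBLIC, SERVER), server_view))
    print("NAT, bindings checked:   ", acceptor_check(client_bnd, server_view))
    print("NAT, acceptor opted out: ",
          acceptor_check(client_bnd, NO_CHANNEL_BINDINGS))
```

With the comparison skipped, the established context is no longer tied to the endpoint addresses.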