Can't use NAT

Donn Cave donn at
Fri Sep 27 17:37:01 EDT 2002

Quoth "Douglas E. Engert" <deengert at>:
| Donn Cave wrote:
|> At present (in 1.2.6), a site that wants to support NAT to GSS ftp
|> on UNIX only needs to replace the channel binding parameter to
|> gss_accept_security_context() with GSS_C_NO_CHANNEL_BINDINGS, right?
| I think its more then that the client and server check each other.
| So both would have to turn off channel bindings. There was some talk about 
| They don't actually send the IP addresses, but rather a checksum
| of the addresses. 

It used to be that way.  I don't know exactly when this change got
out of the dev branch, but in 1.2.6 - look at
lib/gssapi/krb5/accept_sec_context.c line 450, 2nd occurrence of
"GSS_C_NO_CHANNEL_BINDINGS".  We use a slightly different version
of this code from an earlier krb5-current, and together with that
modification to ftpd.c, we can support unmodified "Fetch" from
behind NATs with noaddresses = true.

	Donn Cave, donn at

More information about the krbdev mailing list