Can't use NAT
smichaud at pobox.com
Fri Sep 27 18:50:01 EDT 2002
As of 1.2.5 and 1.2.6, the only remaining client-side NAT problem (as
far as I know) is with ftpd. I submitted a patch to krbdev on May 1,
2002 that fixes it. The patch works against both 1.2.5 and 1.2.6.
This patch is much simpler than the ones I submitted in August 2001
(and on April 10 2002) -- partly because telnetd and
gss_accept_sec_context now work fine, and partly because my latest
patch simply stops ftpd from ever using channel bindings. (My earlier
patches used either command line options or an extension to the
GSSAPI to determine whether or not ftpd should use channel bindings.)
My May 1st patch backports changes Sam Hartman has committed to
krb5-current (i.e. to release 1.3).
Of course the client still needs to use addressless tickets.
On Fri, 27 Sep 2002, Donn Cave wrote:
> Quoth "Douglas E. Engert" <deengert at anl.gov>:
> | Donn Cave wrote:
> |> At present (in 1.2.6), a site that wants to support NAT to GSS ftp
> |> on UNIX only needs to replace the channel binding parameter to
> |> gss_accept_security_context() with GSS_C_NO_CHANNEL_BINDINGS, right?
> | I think it's more than that: the client and server check each other.
> | So both would have to turn off channel bindings. There was some talk about
> | They don't actually send the IP addresses, but rather a checksum
> | of the addresses.
> It used to be that way. I don't know exactly when this change got
> out of the dev branch, but in 1.2.6 - look at
> lib/gssapi/krb5/accept_sec_context.c line 450, 2nd occurrence of
> "GSS_C_NO_CHANNEL_BINDINGS". We use a slightly different version
> of this code from an earlier krb5-current, and together with that
> modification to ftpd.c, we can support unmodified "Fetch" from
> behind NATs with noaddresses = true.
> Donn Cave, donn at u.washington.edu
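The point made above, that the channel bindings carry a checksum of the addresses rather than the addresses themselves, and that NAT therefore breaks the acceptor's comparison unless ftpd passes GSS_C_NO_CHANNEL_BINDINGS, as an added Python model (not code from MIT krb5, ftpd, or anyone in this thread). It follows the Bnd field encoding of RFC 4121 section 4.1.1.2; the address values and the acceptor policy function are constructed for illustration.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional

GSS_C_AF_INET = 2  # address-family code for IPv4 in RFC 2744 channel bindings


@dataclass
class ChannelBindings:
    # Model of gss_channel_bindings_struct; None stands for GSS_C_NO_CHANNEL_BINDINGS.
    initiator_addrtype: int
    initiator_address: bytes
    acceptor_addrtype: int
    acceptor_address: bytes
    application_data: bytes = b""


def bnd_field(cb: Optional[ChannelBindings]) -> bytes:
    """16-octet Bnd field (RFC 4121 s4.1.1.2): 16 zero octets for no bindings,
    else MD5 over each component in order, integers and buffer lengths as
    4-octet little-endian values, buffer data only when its length is non-zero."""
    if cb is None:
        return bytes(16)
    h = hashlib.md5()
    for item in (cb.initiator_addrtype, cb.initiator_address,
                 cb.acceptor_addrtype, cb.acceptor_address, cb.application_data):
        if isinstance(item, int):
            h.update(struct.pack("<I", item))
        else:
            h.update(struct.pack("<I", len(item)) + item)
    return h.digest()


def acceptor_accepts(received_bnd: bytes, acceptor_cb: Optional[ChannelBindings]) -> bool:
    """Acceptor side: with GSS_C_NO_CHANNEL_BINDINGS the peer's Bnd is never
    compared; otherwise it must equal the hash of the acceptor's own view."""
    if acceptor_cb is None:
        return True
    return received_bnd == bnd_field(acceptor_cb)


def ftp_client_behind_nat(acceptor_uses_bindings: bool) -> bool:
    """Constructed scenario: client 10.0.0.5 leaves the NAT as 203.0.113.7 and
    reaches ftpd at 198.51.100.21 (RFC 1918 / RFC 5737 addresses, not real hosts)."""
    ftpd = bytes([198, 51, 100, 21])
    client_cb = ChannelBindings(GSS_C_AF_INET, bytes([10, 0, 0, 5]), GSS_C_AF_INET, ftpd)
    bnd_on_wire = bnd_field(client_cb)  # only the hash travels, never the addresses
    acceptor_cb = None
    if acceptor_uses_bindings:  # ftpd binds to the source address it actually sees
        acceptor_cb = ChannelBindings(GSS_C_AF_INET, bytes([203, 0, 113, 7]), GSS_C_AF_INET, ftpd)
    return acceptor_accepts(bnd_on_wire, acceptor_cb)
```

With bindings on both sides the NAT-rewritten source address makes the two hashes differ and the context is rejected; an ftpd that passes GSS_C_NO_CHANNEL_BINDINGS skips the comparison, which is exactly the change the ftpd.c patches in this thread make (the client's ticket must still be addressless for the KDC side).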