Combination of FTP, Kerberos 5, GSSAPI and NAT
Sigh.
I am working with KTelnet and trying to get FTP to work with GSSAPI
authentication. Everything works fine as long as I don't have NAT
involved. When NAT is involved the FTPD (Heimdal 0.4d for example)
responds with '535 foo?' to an ADAT. I have tracked it down to the
addresses my client supplies to GSSAPI for the authentication. I supply
the client's local IP-address, not the address the FTPD sees the client
as (remember NAT is involved), and this causes the server to bail out.
BTW: Why such an informative message.... :-(
This is the same problem I solved (with some help) for Kerberos 4:
During NAT the client must figure out the IP-address it is seen as by
the server. That was solved under Kerberos 4 by getting the user ticket and
decrypting it. With Kerberos 4 the KDC put the IP-address in the ticket,
but this is not the situation for Kerberos 5.
My questions are:
1. Does anyone have any idea how to automatically figure out the
IP-address the local NAT machine has against the world?
2. Is there any way to get GSSAPI to ignore the addresses during the
validation process?
/thn
--
---------------------------------------------------------------
Svensk Aktuell Elektronik AB Thomas Nyström
Box 10 Phone: +46 8 35 92 85
S-191 21 Sollentuna Fax: +46 8 59 47 45 36
Sweden Email: thn@saeab.se
---------------------------------------------------------------
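
Added example, not part of the original message and not code from Heimdal or KTelnet: a Python model of the channel-binding hash that a Kerberos 5 GSSAPI initiator places in its authenticator (layout per RFC 4121 section 4.1.1.2), showing why the acceptor's comparison fails once NAT rewrites the client address. The addresses and function names are constructed, and it assumes both sides bind the IPv4 addresses of the FTP control connection with no application data.

```python
import hashlib
import socket
import struct

GSS_C_AF_INET = 2  # address-type constant from the GSS-API C bindings (RFC 2744)


def bnd_field(initiator_ip, acceptor_ip, app_data=b""):
    """MD5 over the channel-bindings structure; integers are little-endian."""
    buf = b""
    for ip in (initiator_ip, acceptor_ip):
        addr = socket.inet_aton(ip)
        # addrtype (4 bytes), address length (4 bytes), then the address itself
        buf += struct.pack("<II", GSS_C_AF_INET, len(addr)) + addr
    buf += struct.pack("<I", len(app_data)) + app_data
    return hashlib.md5(buf).digest()


def acceptor_accepts(client_bnd, peer_ip_seen, own_ip):
    """Assumed acceptor behaviour: recompute the hash from the addresses
    visible on the server's end of the connection and compare."""
    return client_bnd == bnd_field(peer_ip_seen, own_ip)


# Constructed sample addresses (private and documentation ranges).
CLIENT_LOCAL = "192.168.1.20"   # what the client's own socket reports
NAT_PUBLIC = "203.0.113.7"      # what the FTPD sees as the peer address
SERVER = "198.51.100.10"


def demo():
    """Return (result without NAT, result with NAT) for the same client hash."""
    client_bnd = bnd_field(CLIENT_LOCAL, SERVER)
    direct = acceptor_accepts(client_bnd, CLIENT_LOCAL, SERVER)
    natted = acceptor_accepts(client_bnd, NAT_PUBLIC, SERVER)
    return direct, natted


if __name__ == "__main__":
    direct, natted = demo()
    print("no NAT, bindings match:", direct)
    print("behind NAT, bindings match:", natted)
```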