
Re: Combination of FTP, Kerberos 5, GSSAPI and NAT



Brian May wrote:
> 
> On Thu, Dec 27, 2001 at 07:49:50PM +0100, Thomas Nystrom wrote:
> > My questions are:
> >
> > 1.  Does anyone have any idea how to automatically figure out the
> > IP-address the local NAT machine has against the world.
> 
> I don't think this can be done automatically. The problem is that the
> client never sees its external IP address.
> 
> My personal preference would be to allow manually specifying a list of
> IP addresses to put in the ticket in /etc/krb5.conf on the client.
> 
> This would fix some problems but not all, for instance, it would be OK
> if the outside IP address is constant.
> 

Not completely right... This will solve the problem with the IP-address
inside the ticket itself. But for GSSAPI you should have exactly one
address specified and that MUST be the address the FTP server sees you
as. I am thinking about adding a special parameter to be used for GSSAPI,
and it will make it work if the public IP-address of the NAT-GW is
constant.

> > 2.  Is there any way to get GSSAPI to ignore the addresses during the
> > validation process?
> 
> The kinit --no-addresses option is meant to request a ticket without
> any IP addresses, but its use (or so I have heard) is not recommended
> because of the decreased security(????) it provides.

Yes, that's right. I have had to use that option to get a telnet session
to work. But GSSAPI does its own magic....

/thn

--
---------------------------------------------------------------
Svensk Aktuell Elektronik AB                     Thomas Nyström
Box 10                                    Phone: +46 8 35 92 85
S-191 21  Sollentuna                     Fax: +46 8 59 47 45 36
Sweden                                      Email: thn@saeab.se
---------------------------------------------------------------
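For readers following the two options discussed in the thread (listing the NAT gateway's public address in the ticket, versus requesting address-less tickets), here is an added krb5.conf fragment that is not from the thread or from either poster. It uses the `[libdefaults]` option names `extra_addresses` and `noaddresses` as documented for krb5.conf(5) (Heimdal spells the latter `no-addresses`); the address `203.0.113.10` is a documentation-range placeholder standing in for the NAT gateway's real public address, which you would have to know in advance, as the thread notes.

```ini
[libdefaults]
    default_realm = EXAMPLE.ORG

    # Option 1: put the NAT gateway's public address into the ticket's
    # address list as well as the client's private address. The server
    # accepts the ticket when the source address it sees is in this list.
    # 203.0.113.10 is a placeholder; only works while the public address
    # of the NAT gateway stays constant.
    extra_addresses = 203.0.113.10

    # Option 2 (the kinit --no-addresses equivalent): request tickets with
    # no address list at all. A stolen ticket can then be replayed from any
    # address, which is the decreased security the thread refers to, so
    # prefer Option 1 where the public address is known and stable.
    # noaddresses = true

[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
        admin_server = kdc.example.org
    }
```

The two settings are mutually exclusive in effect: when `noaddresses` is true the `extra_addresses` list is ignored. Neither addresses the GSSAPI-level check raised above, where the peer compares a single channel address against the source it observes; that comparison is independent of the ticket's address list.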