
Combination of FTP, Kerberos 5, GSSAPI and NAT


I am working with KTelnet and trying to get FTP to work with GSSAPI
authentication. Everything works fine as long as I don't have NAT
involved. When NAT is involved the FTPD (Heimdal 0.4d for example)
responds with '535 foo?' to an ADAT. I have tracked it down to the
addresses my client supplies to GSSAPI for the authentication. I supply
the client's local IP address, not the address the FTPD sees the client
as (remember, NAT is involved), and this causes the server to bail out.
BTW: Why such an informative message.... :-(

This is the same problem I solved (with some help) for Kerberos 4:
During NAT the client must figure out the IP address it is seen as by
the server. That was solved under Kerberos 4 by getting the user ticket
and decrypting it. With Kerberos 4 the KDC put the IP address in the
ticket, but this is not the situation for Kerberos 5.

My questions are:

1.  Does anyone have any idea how to automatically figure out the
IP address the local NAT machine has toward the world?

2.  Is there any way to get GSSAPI to ignore the addresses during the
validation process?

Svensk Aktuell Elektronik AB                     Thomas Nyström
Box 10                                    Phone: +46 8 35 92 85
S-191 21  Sollentuna                     Fax: +46 8 59 47 45 36
Sweden                                      Email: thn@saeab.se
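
Added example (not part of the original message, and not KTelnet or Heimdal code): a sketch of why the address mismatch described above makes the acceptor reject the context. It assumes the addresses are passed as GSS-API channel bindings and that the Kerberos 5 mechanism hashes them with MD5 as laid out in RFC 1964 section 1.1.1; all IP addresses are constructed sample values.

```python
import hashlib
import socket
import struct

GSS_C_AF_INET = 2          # address-type constants from RFC 2744
GSS_C_AF_NULLADDR = 255

def _buf(data: bytes) -> bytes:
    """Encode a buffer as a 4-byte little-endian length followed by the bytes."""
    return struct.pack("<I", len(data)) + data

def binding_hash(initiator_ip, acceptor_ip, app_data=b""):
    """MD5 over the channel-binding fields in RFC 1964 order.

    Passing None for an address encodes GSS_C_AF_NULLADDR with an empty value.
    """
    out = b""
    for ip in (initiator_ip, acceptor_ip):
        if ip is None:
            out += struct.pack("<I", GSS_C_AF_NULLADDR) + _buf(b"")
        else:
            out += struct.pack("<I", GSS_C_AF_INET) + _buf(socket.inet_aton(ip))
    out += _buf(app_data)
    return hashlib.md5(out).hexdigest()

def acceptor_accepts(client_view, server_view):
    """The acceptor recomputes the hash from its own view and compares."""
    return binding_hash(*client_view) == binding_hash(*server_view)

# Constructed sample addresses (assumptions, not from the message).
CLIENT_PRIVATE = "192.168.1.10"   # what the client sees locally
NAT_PUBLIC = "203.0.113.7"        # what the FTPD sees as the peer
SERVER = "198.51.100.20"

def scenarios():
    """Return whether the two ends agree in each situation."""
    return {
        "no_nat": acceptor_accepts((CLIENT_PRIVATE, SERVER), (CLIENT_PRIVATE, SERVER)),
        # Client binds its local address; server binds the NAT address.
        "nat_local_addr": acceptor_accepts((CLIENT_PRIVATE, SERVER), (NAT_PUBLIC, SERVER)),
        # Client has learned its external address (question 1).
        "nat_external_addr": acceptor_accepts((NAT_PUBLIC, SERVER), (NAT_PUBLIC, SERVER)),
        # Both ends leave addresses out; needs cooperation from both peers.
        "both_nulladdr": acceptor_accepts((None, None), (None, None)),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:18s} {'match' if ok else 'MISMATCH'}")
```

The hash only agrees when both ends feed in the same address fields, so the client cannot drop or change the addresses unilaterally.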