Re: Combination of FTP, Kerberos 5, GSSAPI and NAT

On Thu, Dec 27, 2001 at 07:49:50PM +0100, Thomas Nystrom wrote:
> My questions are:
> 1.  Does anyone have any idea how to automatically figure out the
> IP-address the local NAT machine has against the world?

I don't think this can be done automatically. The problem is that the
client never sees its external IP address.

My personal preference would be to allow manually specifying a list of
IP addresses to put in the ticket in /etc/krb5.conf on the client.

This would fix some problems but not all; for instance, it would be OK
if the outside IP address is constant.

> 2.  Is there any way to get GSSAPI to ignore the addresses during the
> validation process?

The kinit --no-addresses option is meant to request a ticket without
any IP addresses, but its use (or so I have heard) is not recommended
because of the decreased security(????) it provides.

Brian May <bam@snoopy.apana.org.au>

