Re: Combination of FTP, Kerberos 5, GSSAPI and NAT
On Thu, Dec 27, 2001 at 07:49:50PM +0100, Thomas Nystrom wrote:
> My questions are:
>
> 1. Does anyone have any idea how to automatically figure out the
> IP-address the local NAT machine has against the world.
I don't think this can be done automatically. The problem is that the
client never sees its external IP address.
My personal preference would be to allow manually specifying a list of
IP addresses to put in the ticket in /etc/krb5.conf on the client.
This would fix some problems but not all; for instance, it would be OK
if the outside IP address is constant.
> 2. Is there any way to get GSSAPI to ignore the addresses during the
> validation process?
The kinit --no-addresses option is meant to request a ticket without
any IP addresses, but its use (or so I have heard) is not recommended
because of the decreased security(????) it provides.
--
Brian May <bam@snoopy.apana.org.au>