[EMAIL PROTECTED] (Jeffrey Altman) writes:
> than adding addresses into the ticket from the client side.
No, but the problem here is that you quite often can't know what
addresses to add. Something living on the outside of the NAT can.
/Johan
In article <[EMAIL PROTECTED]>,
Johan Danielsson <[EMAIL PROTECTED]> wrote:
: Jeffrey Altman <[EMAIL PROTECTED]> writes:
:
: It will work just as well if the kdc and the service are on different
: sides of the nat, that is not at all.
:
: In the other configurations it works much better.
:
: > S
Jeffrey Altman <[EMAIL PROTECTED]> writes:
It will work just as well if the kdc and the service are on different
sides of the nat, that is not at all.
In the other configurations it works much better.
> So the often time suggested KDC solution is no better.
Than what?
/Johan
In article <9inr86$pe2$[EMAIL PROTECTED]>,
Donn Cave <[EMAIL PROTECTED]> wrote:
: The MIT 1.2.2 ftpd does require channel bindings. I tried it with
: the MIT client, and no channel bindings = bad channel bindings.
:
That is a shame. A patch for this was submitted to krb5-current.
Obviously, it
Quoth [EMAIL PROTECTED] (Jeffrey Altman):
| In article <9ini6j$h1k$[EMAIL PROTECTED]>,
| Donn Cave <[EMAIL PROTECTED]> wrote:
(quoting jaltman)
|: | FTP GSSAPI-KRB5 does not require Channel Bindings. Any server
|: | that requires Channel Bindings is out of spec. Versions of MIT
|: | Kerberos FT
In article <9ini6j$h1k$[EMAIL PROTECTED]>,
Donn Cave <[EMAIL PROTECTED]> wrote:
: | FTP GSSAPI-KRB5 does not require Channel Bindings. Any server
: | that requires Channel Bindings is out of spec. Versions of MIT
: | Kerberos FTPd had this bug. The current release does not.
:
: Thanks, I che
Quoth [EMAIL PROTECTED] (Jeffrey Altman):
| In article <9ikkkt$qce$[EMAIL PROTECTED]>,
| Donn Cave <[EMAIL PROTECTED]> wrote:
|: I understand that has been working for most applications. The only
|: problem seems to be ftp (Fetch), where GSS channel bindings bring
|: the local address back
> [EMAIL PROTECTED] (Jeffrey Altman) writes:
>
> > If you can describe a good way to write the rule that says, replace
> > address FOO with address NAT we can certainly make the change in the code.
> > The problem in most cases is that there is no good way to know what
> > the NAT address is in
[EMAIL PROTECTED] (Jeffrey Altman) writes:
> If you can describe a good way to write the rule that says, replace
> address FOO with address NAT we can certainly make the change in the code.
> The problem in most cases is that there is no good way to know what
> the NAT address is in the first p
In article <[EMAIL PROTECTED]>,
Michael Thomas <[EMAIL PROTECTED]> wrote:
: [EMAIL PROTECTED] (Jeffrey Altman) writes:
: > Now this wraps the forwarded credentials in an auth context which
: > is bound to the local address/port and remote address/port. There is
: > no method that allows you to p
In article <9ikkkt$qce$[EMAIL PROTECTED]>,
Donn Cave <[EMAIL PROTECTED]> wrote:
: If you're going to configure Kerberos for several thousand people
: whose ISPs are pushing NATs, and who have only a glimmer of a notion
: what that means and will be using a variety of implementations, and
: whos
Quoth Russ Allbery <[EMAIL PROTECTED]>:
| Jeffrey Altman <[EMAIL PROTECTED]> writes:
|
| > If you can describe a good way to write the rule that says, replace
| > address FOO with address NAT we can certainly make the change in the
| > code. The problem in most cases is that there is no good way
In article <[EMAIL PROTECTED]>,
Russ Allbery <[EMAIL PROTECTED]> wrote:
: Jeffrey Altman <[EMAIL PROTECTED]> writes:
:
: > If you can describe a good way to write the rule that says, replace
: > address FOO with address NAT we can certainly make the change in the
: > code. The problem in most c
[EMAIL PROTECTED] (Jeffrey Altman) writes:
> Now this wraps the forwarded credentials in an auth context which
> is bound to the local address/port and remote address/port. There is
> no method that allows you to perform this binding and say
>
> hey wait a minute, whenever you see the local ad
Jeffrey Altman <[EMAIL PROTECTED]> writes:
> If you can describe a good way to write the rule that says, replace
> address FOO with address NAT we can certainly make the change in the
> code. The problem in most cases is that there is no good way to know
> what the NAT address is in the first pl
In article <[EMAIL PROTECTED]>,
Jianlin Chang <[EMAIL PROTECTED]> wrote:
: Searching through the Kerberos mailing list archive, especially the thread
: on subject 'Patch for making Kerberos work through Firewalls and NATs', it
: seems to indicate that there are still a number of problems, e.g., tic
t seem to see a
solution from those emails. Thanks.
>-Original Message-
>From: Turbo Fredriksson [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, June 20, 2001 12:55 PM
>To: Jianlin Chang
>Cc: [EMAIL PROTECTED]
>Subject: Re: using Kerberos V5 with netw
17 matches