[3337] in Kerberos-V5-bugs


krb5-appl/1087: ftp clients can't connect to ftpd over a NAT

daemon@ATHENA.MIT.EDU (smch@midway.uchicago.edu)
Thu Apr 11 11:57:10 2002

Resent-From: gnats@rt-11.mit.edu (GNATS Management)
Resent-To: krb5-unassigned@rt-11.mit.edu
Resent-Reply-To: krb5-bugs@mit.edu, smch@midway.uchicago.edu
Message-Id: <200204111554.g3BFs4P03836@kilroy.uchicago.edu>
From: smch@midway.uchicago.edu
Reply-To: smch@midway.uchicago.edu
To: krb5-bugs@mit.edu
Errors-To: krb5-bugs-admin@mit.edu
Date: Thu, 11 Apr 2002 10:54:04 -0500 (CDT)


>Number:         1087
>Category:       krb5-appl
>Synopsis:       ftp clients can't connect to ftpd over a NAT
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    krb5-unassigned
>State:          open
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Thu Apr 11 11:55:00 EDT 2002
>Last-Modified:
>Originator:     Steven Michaud
>Organization:
University of Chicago
Networking Services and Information Technologies
>Release:        krb5-1.2.4
>Environment:
	
System: SunOS kilroy.uchicago.edu 5.8 Generic_108529-13 i86pc i386 i86pc
Architecture: i86pc

>Description:
If you try to connect to the MIT ftpd from a client that's connected
over a NAT server, the connection always fails.  This is true even if
you're using addressless tickets.  The message "failed accepting
context" appears in the system log of the server.
>How-To-Repeat:
See "Description"
>Fix:
Either of the two fixes contained in my message of 4-10-2002 to the
krbdev list (number 7042) would work.  So would Sam Hartman's
suggestion (4-11, number 7046) to simply turn off all address checking
in ftpd (presumably by having it always specify
GSS_C_NO_CHANNEL_BINDINGS to gss_accept_context()).  Sam Hartman's
suggestion is much simpler, and I actually now prefer it to either of
my own.

>Audit-Trail:
>Unformatted:
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
http://mailman.mit.edu/mailman/listinfo/krb5-bugs
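
The failure described in the report, as an added example that is not part of the original message and not MIT krb5 code: a simplified C model of the address comparison an acceptor performs when channel bindings carry network addresses. It assumes the client binds its own socket address and the server binds the peer address it observes; the struct, function names and addresses are constructed for illustration, and NO_BINDINGS stands in for GSS_C_NO_CHANNEL_BINDINGS. In RFC 1964 the initiator's bindings travel as an MD5 hash inside the authenticator checksum; the model compares the raw fields instead.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified, IPv4-only model of the address fields of channel bindings. */
struct bindings {
    uint8_t initiator_addr[4];   /* client address as seen by whoever built it */
    uint8_t acceptor_addr[4];    /* server address */
};
/* Hypothetical stand-in for GSS_C_NO_CHANNEL_BINDINGS. */
#define NO_BINDINGS ((const struct bindings *)0)

/* Constructed sample addresses (private, NAT public, server). */
static const uint8_t CLIENT_PRIVATE[4] = {10, 0, 0, 5};
static const uint8_t NAT_PUBLIC[4]     = {203, 0, 113, 7};
static const uint8_t SERVER[4]         = {192, 0, 2, 10};

static struct bindings make_bindings(const uint8_t *ini, const uint8_t *acc)
{
    struct bindings b;
    memcpy(b.initiator_addr, ini, 4);
    memcpy(b.acceptor_addr, acc, 4);
    return b;
}

/* Acceptor-side check: 1 = context accepted, 0 = rejected. */
static int accept_context(const struct bindings *from_client,
                          const struct bindings *server_view)
{
    if (server_view == NO_BINDINGS)
        return 1;                /* acceptor opted out of binding checks */
    return memcmp(from_client, server_view, sizeof *from_client) == 0;
}

/* One connection attempt; the NAT rewrites only what the server observes. */
int try_connect(int behind_nat, int server_checks_addresses)
{
    struct bindings client = make_bindings(CLIENT_PRIVATE, SERVER);
    struct bindings server =
        make_bindings(behind_nat ? NAT_PUBLIC : CLIENT_PRIVATE, SERVER);
    return accept_context(&client,
                          server_checks_addresses ? &server : NO_BINDINGS);
}

int main(void)
{
    printf("direct, checked:   %d\n", try_connect(0, 1));
    printf("NAT, checked:      %d\n", try_connect(1, 1));
    printf("NAT, no bindings:  %d\n", try_connect(1, 0));
    return 0;
}
```

The comparison is made on the channel bindings, not on any address list in the ticket, so in this model the NAT case fails whatever the ticket contains.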
