can we FTP upload behind firewall and NAT - Kerberos


Thread: can we FTP upload behind firewall and NAT

  1. can we FTP upload behind firewall and NAT

    Hi!

    Has anyone ever succeeded in uploading files to a kerberised server from
    a compute node behind a firewall and NAT?

    Here's the error message.
    1. I tried getting addressless credentials by doing 'kinit -n'.
    2. However, ftp gives me the following error.
    GSSAPI accepted as authentication type
    GSSAPI error major: Incorrect channel bindings were supplied
    GSSAPI error minor: No error
    GSSAPI error: accepting context
    GSSAPI ADAT failed
    GSSAPI authentication failed
    KERBEROS_V4 accepted as authentication type
    Kerberos V4 krb_mk_req failed: You have no tickets cached
    Name (fcdfdata114.fnal.gov:schsu): schsu
    Password:
    Login failed.
    Remote system type is UNIX.
    Using binary mode to transfer files.


    many thanks,

    Shih-Chieh
    PS: I've tried anonymous with passive mode, which allows me to download files.

    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: can we FTP upload behind firewall and NAT

    Hi! Douglas,

    Yes. I've tried passive but it still failed.
    Only USER anonymous succeeds in logging in. However, I can only download files.

    Shih-Chieh

    Douglas E. Engert wrote:

    > Have you tried "passive"?
    >




  3. Re: can we FTP upload behind firewall and NAT



    Shih-Chieh Hsu wrote:
    > Hi! Douglas,
    >
    > Yes. I've tried passive but it still failed.
    > Only USER anonymous succeeds in logging in. However, I can only download files.
    >


    Looking closer, there is a channel binding message. This is similar
    to the addresses in tickets, but is done by the applications passing
    the binding information (i.e. the endpoint addresses) to gss.

    I think newer versions of the FTP and FTPD can work without the
    channel bindings, but older versions of FTPD may not. It's really up to the
    client and server to agree on the use of channel bindings, and they
    pass these to GSS. We had a mod to init_sec_context.c for windows at
    one time to try and use the NAT box address in the bindings
    (I remember seeing something similar on the mailing list too,
    and there was discussion about using something like 0.0.0.1 and 0.0.0.2
    as the endpoints.)

    init_sec_context.c:


    /* compute the hash of the channel bindings */

    +#ifdef _WIN32
    + /*
    + * Many times we are behind a firewall which is doing NAT
    + * such as at home on a PC.
    + * If the KRB5NATADDR is set, and our initiator addr starts
    + * with 198, and the acceptor address does not, i.e. its
    + * outside the firewall, we will then replace the initator
    + * address with the KRB5NATADDR.
    + */
    + if (chan_bindings != GSS_C_NO_CHANNEL_BINDINGS
    + && chan_bindings->initiator_addrtype == GSS_C_AF_INET
    + && chan_bindings->acceptor_addrtype == GSS_C_AF_INET
    + && chan_bindings->initiator_address.length == 4
    + && chan_bindings->acceptor_address.length == 4
    + && *((unsigned char *)chan_bindings->initiator_address.value) == 192
    + && *(((unsigned char *)chan_bindings->initiator_address.value)+1) == 168
    + && *((unsigned char *)chan_bindings->acceptor_address.value) != 192
    + && *(((unsigned char *)chan_bindings->acceptor_address.value)+1) != 168) {
    + char * ncp;
    + int i,n;
    + if (ncp = getenv("KRB5NATADDR")) {
    + for (i=0; i<4; i++) {
    + n = 0;
    + while (*ncp >= '0' && *ncp <='9') {
    + n = n*10 + *ncp -'0';
    + ncp++;
    + }
    + if (*ncp) ncp++;
    + nataddr[i] = n;
    + }
    + saved_addr = chan_bindings->initiator_address.value;
    + chan_bindings->initiator_address.value = nataddr;
    + }
    + }
    +#endif
    +
    if ((code = kg_checksum_channel_bindings(context, chan_bindings, &md5, 0)))
    return(code);
    +#ifdef _WIN32
    + if (saved_addr) {
    + chan_bindings->initiator_address.value = saved_addr;
    + }
    +#endif

    krb5_auth_con_set_req_cksumtype(context, ctx->auth_context,
    CKSUMTYPE_KG_CB);
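    Review bot: the guard at the top of the first added block does not match its comment and mis-tests the acceptor address. The comment says the initiator address must "start with 198", while the code tests for 192.168; one of the two is wrong. More importantly, the acceptor test `acceptor[0] != 192 && acceptor[1] != 168` is meant to say "acceptor is outside 192.168/16", but with `&&` an acceptor such as 192.0.2.x or 10.168.x.x makes one comparison false and the rewrite is silently skipped; the intended test is `!(a[0] == 192 && a[1] == 168)`, i.e. `a[0] != 192 || a[1] != 168`. In the second added block, `saved_addr` is tested with `if (saved_addr)` but the hunk shows no declaration or NULL initialisation of either `saved_addr` or `nataddr`, so the restore after kg_checksum_channel_bindings() only works if `saved_addr` starts out NULL on every path, including the non-NAT one. The KRB5NATADDR parser also accepts octets above 255 (truncated on store if `nataddr` is an unsigned char array, as the 4-byte address length implies) and never checks that four dotted octets were actually present, so a mistyped variable hashes a wrong address instead of failing; and `if (ncp = getenv("KRB5NATADDR"))` wants an extra pair of parentheses to make the assignment-in-condition explicit.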


    >>> GSSAPI accepted as authentication type
    >>> GSSAPI error major: Incorrect channel bindings were supplied

    Yes, this looks like the addresses are being added.


    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444
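
The thread turns on one detail: the "Incorrect channel bindings were supplied" message is GSS_S_BAD_BINDINGS, raised because the krb5 GSS mechanism puts an MD5 hash of the channel bindings (RFC 1964 section 1.1.1.1, carried over into RFC 4121) into the AP-REQ checksum, and the FTP client and server each compute that hash from the endpoint IP addresses as they see them. Behind NAT the client hashes its private address while the server hashes the NAT's public address, so the hashes differ no matter what `kinit -n` did to the ticket; addressless tickets only remove addresses from the ticket, not from the application-supplied bindings. The Python below is an added example, not code from the thread or from MIT Kerberos: it reproduces the hash layout kg_checksum_channel_bindings() uses (little-endian 4-byte integers, length-prefixed buffers, 16 zero bytes for GSS_C_NO_CHANNEL_BINDINGS), runs the acceptor-side comparison, and renders Douglas's KRB5NATADDR idea as `nat_rewrite()`. The IP addresses are constructed from private and documentation ranges, and `ignore_null_initiator` is a switch modelling the "newer versions can work without channel bindings" behaviour he mentions, not a statement about any specific release.

```python
"""RFC 1964 / RFC 4121 channel-binding checksum as MIT krb5's
kg_checksum_channel_bindings() lays it out, with an acceptor-side
comparison and a NAT-address rewrite.  Added example; not code from
the thread or from MIT Kerberos.  All addresses are constructed."""
import hashlib
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

GSS_C_AF_INET = 2                 # addrtype value for IPv4 (RFC 2744)
GSS_C_NO_CHANNEL_BINDINGS = None  # modelled as None


@dataclass(frozen=True)
class ChannelBindings:
    initiator_addrtype: int
    initiator_address: bytes
    acceptor_addrtype: int
    acceptor_address: bytes
    application_data: bytes = b""


def inet_bindings(initiator_ip: str, acceptor_ip: str,
                  app_data: bytes = b"") -> ChannelBindings:
    """Bindings the way a TCP client or server fills them in: both endpoints
    as packed 4-byte IPv4 addresses, normally with empty application data."""
    return ChannelBindings(GSS_C_AF_INET, ipaddress.IPv4Address(initiator_ip).packed,
                           GSS_C_AF_INET, ipaddress.IPv4Address(acceptor_ip).packed,
                           app_data)


def _le32(n: int) -> bytes:
    return struct.pack("<I", n)


def _buf(b: bytes) -> bytes:
    # 4-byte little-endian length followed by the bytes themselves
    return _le32(len(b)) + b


def checksum_channel_bindings(cb: Optional[ChannelBindings]) -> bytes:
    """MD5 over LE32(init_addrtype) || buf(init_addr) || LE32(acc_addrtype)
    || buf(acc_addr) || buf(app_data).  No bindings at all gives 16 zero
    bytes, which is what MIT emits for GSS_C_NO_CHANNEL_BINDINGS."""
    if cb is GSS_C_NO_CHANNEL_BINDINGS:
        return bytes(16)
    data = (_le32(cb.initiator_addrtype) + _buf(cb.initiator_address)
            + _le32(cb.acceptor_addrtype) + _buf(cb.acceptor_address)
            + _buf(cb.application_data))
    return hashlib.md5(data).digest()


def accept_bindings(token_cksum: bytes, acceptor_cb: Optional[ChannelBindings],
                    ignore_null_initiator: bool = False) -> str:
    """Acceptor-side decision: compare the 16-byte hash carried in the
    initiator's token against the hash of the acceptor's own view."""
    if acceptor_cb is GSS_C_NO_CHANNEL_BINDINGS:
        return "GSS_S_COMPLETE"          # acceptor did not ask for a check
    if ignore_null_initiator and token_cksum == bytes(16):
        return "GSS_S_COMPLETE"          # assumed "newer version" leniency
    expected = checksum_channel_bindings(acceptor_cb)
    return "GSS_S_COMPLETE" if token_cksum == expected else "GSS_S_BAD_BINDINGS"


def nat_rewrite(cb: ChannelBindings, nat_addr: str,
                private_net: str = "192.168.0.0/16") -> ChannelBindings:
    """The KRB5NATADDR idea from the thread, done with a proper subnet test:
    if the initiator is inside the private net and the acceptor is not,
    hash the NAT's public address as the initiator instead."""
    init = ipaddress.IPv4Address(cb.initiator_address)
    acc = ipaddress.IPv4Address(cb.acceptor_address)
    net = ipaddress.IPv4Network(private_net)
    if init in net and acc not in net:
        return ChannelBindings(cb.initiator_addrtype,
                               ipaddress.IPv4Address(nat_addr).packed,
                               cb.acceptor_addrtype, cb.acceptor_address,
                               cb.application_data)
    return cb


def demo() -> Tuple[str, str, str]:
    """Constructed scenario: client on 192.168.1.10 behind a NAT whose public
    address is 198.51.100.7, talking to a server at 203.0.113.5."""
    client_view = inet_bindings("192.168.1.10", "203.0.113.5")
    server_view = inet_bindings("198.51.100.7", "203.0.113.5")
    naive = accept_bindings(checksum_channel_bindings(client_view), server_view)
    rewritten = accept_bindings(
        checksum_channel_bindings(nat_rewrite(client_view, "198.51.100.7")),
        server_view)
    no_cb = accept_bindings(checksum_channel_bindings(GSS_C_NO_CHANNEL_BINDINGS),
                            server_view, ignore_null_initiator=True)
    return naive, rewritten, no_cb


if __name__ == "__main__":
    for label, result in zip(("as seen by ftp", "with NAT rewrite", "no bindings"), demo()):
        print(f"{label:18s} {result}")
```

The first result is the thread's failure; the second shows why the KRB5NATADDR hack works only when the substituted address is exactly the source address the server observes; the third is what "work without the channel bindings" amounts to on the acceptor side, and it also illustrates the trade-off: once the acceptor ignores a zero hash, the bindings no longer tie the AP-REQ to a particular TCP endpoint pair, which is the whole point of supplying them.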

