 Computing

These patches are most likely quite outdated now.
 NAT with kth-krb4 1.2.2 and AFS

Some patches that make ftp in the kth-krb4 1.2.2 distribution work through NAT when you are using the AFS (or OpenAFS) kaserver. Apply the patches with:
patch -p0 < krb4-1.2.2_epsv.patch
patch -p0 < krb4-1.2.2_afsnat.patch
Ah, yes, and in case you wonder: the official kth-krb4 page is here.
- krb4-1.2.2_epsv.patch. Patches the EPSV bug in appl/ftp/ftp/ftp.c
The PASV directive in an ftp session gives a reply of the form:
227 Entering Passive Mode (193,166,3,2,209,152)
This gives an explicit IP address, which is not optimal in cases
where NAT is involved. This is why EPSV was invented, which instead
just returns a port:
229 Entering Extended Passive Mode (|||32784|)

In appl/ftp/ftp.c line 392, a common path of execution is
taken upon a 227 or 229 reply, copying whatever follows the '('
into the variable 'pasv'. When parsing this variable in
'parse_pasv' (ftp.c line 1177), the ')' following the comma-separated
list of values is correctly ignored.

However, when instead parsing an EPSV reply in 'parse_epsv' in
ftp.c on line 1160, the code explicitly (and surprisingly) refuses
to parse a 'pasv' variable that does not terminate directly after
the last separator (i.e., it doesn't like the ')' character that
is found at the end). The following patch simply removes this
check, which seems unnecessary and inconsistent with how
'parse_pasv' works (which must be older).
- krb4-1.2.2_afsnat.patch. Patches the kerberos library to store NAT information when
authenticating to the OpenAFS kaserver and 'nat_in_use' is set.
It seems to me that at some point the kth-krb4 was extended to
handle generic password->key-functions; probably to make it
compatible with the AFS kaserver as well as MIT-krb4 servers.
This is seen in the lib/krb/get_in_tkt.c as the
'krb_get_pw_in_tkt' has been extended into a 'krb_get_pw_in_tkt2'
which I believe was put there to make it possible to write code
that can re-use the key obtained from the (right) password->key
algorithm, and thus write code using this key, hence being
compatible with both the original krb4-server and other
password->key algorithms (e.g., the AFS kaserver).

However, the NAT-handling code in lib/krb/krb_ip_realm.c called
from line 169 in get_in_tkt.c is not written to make use of this
functionality. My patch below extends the
'krb_add_our_ip_for_realm' function into a
'krb_add_our_ip_for_realm2' in a similar way as was done for
the 'krb_get_pw_in_tkt', to add this functionality, and
changes 'krb_get_pw_in_tkt2' to call the new version of
this function.
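
For the EPSV item above, an added example (not code from kth-krb4 or from the patch) of a parser for the text that follows '(' in a 229 reply, which accepts the closing ')' the way 'parse_pasv' is described as doing. The name 'epsv_port' is hypothetical, and rejecting any other trailing byte is this example's own choice; the patch itself simply removes the check.

```c
#include <stdio.h>
#include <stdlib.h>

/* Illustrative parser, not the kth-krb4 parse_epsv. `pasv` is the text that
 * follows '(' in a 229 reply, e.g. "|||32784|)". RFC 2428 gives the form
 * <d><d><d><tcp-port><d>, where <d> is one repeated delimiter character.
 * Returns the port (1..65535), or -1 if the reply is malformed. */
int epsv_port(const char *pasv)
{
    const char *p;
    char *end;
    unsigned long port;
    char d;

    if (pasv == NULL || pasv[0] == '\0')
        return -1;
    d = pasv[0];
    /* Delimiter: printable, not a digit, so a 227 address list is rejected. */
    if (d < 33 || d > 126 || (d >= '0' && d <= '9'))
        return -1;
    if (pasv[1] != d || pasv[2] != d)   /* the two leading fields are empty */
        return -1;
    p = pasv + 3;
    if (*p < '0' || *p > '9')           /* strtoul alone would accept "-1" */
        return -1;
    port = strtoul(p, &end, 10);
    if (end - p > 5 || port == 0 || port > 65535)
        return -1;
    if (*end != d)                      /* closing delimiter is mandatory */
        return -1;
    end++;
    /* Tolerate the ')' that closes the reply; reject any other trailing byte. */
    if (*end != '\0' && *end != ')')
        return -1;
    return (int)port;
}

int main(void)
{
    /* Constructed inputs; the first is the reply text quoted on this page. */
    const char *samples[] = { "|||32784|)", "|||32784|", "|||32784", "|||65536|)" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> %d\n", samples[i], epsv_port(samples[i]));
    return 0;
}
```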
