Using IP addresses as channel bindings:

 - doesn't work across NAT,
 - doesn't add security,
 - it's deprecated.

If at all possible just don't do it. (I know, FTP w/ GSS wants this, but the acceptor side of the Kerberos GSS mech ignores the initiator's CB if the acceptor application (i.e., the FTP server daemon) does not pass any CB as an argument to GSS_Accept_sec_context().) On the client side we should really just have an option to not do this at all, or maybe just not do it period.

Nico
--
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
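
Added example, not part of the original message: a Python sketch of why an address-based binding breaks across NAT and why it is skipped when the acceptor passes no bindings. It hashes the RFC 2744 channel-bindings fields with MD5 as RFC 1964 describes for the Kerberos mechanism's Bnd field; the addresses, the function names and the length-prefixed field encoding are assumptions of this sketch.

```python
import hashlib
import socket
import struct

GSS_C_AF_INET = 2  # address type constant from RFC 2744


def bnd_hash(initiator_ip, acceptor_ip, app_data=b""):
    """MD5 over the channel-bindings fields (RFC 1964 section 1.1.1).

    Integer fields (address types and lengths) are 4-byte little-endian.
    The length-prefixed layout is an assumption of this sketch.
    """
    buf = b""
    for ip in (initiator_ip, acceptor_ip):
        addr = socket.inet_aton(ip)
        buf += struct.pack("<II", GSS_C_AF_INET, len(addr)) + addr
    buf += struct.pack("<I", len(app_data)) + app_data
    return hashlib.md5(buf).digest()


def acceptor_check(received_bnd, acceptor_bindings):
    """Model of the acceptor behaviour described in the message above.

    acceptor_bindings is None when the application passes no channel
    bindings to GSS_Accept_sec_context(); the initiator's value is then
    ignored. Otherwise it is an (initiator_ip, acceptor_ip) tuple built
    from the addresses the acceptor sees on its socket.
    """
    if acceptor_bindings is None:
        return "accepted (initiator bindings ignored)"
    if received_bnd == bnd_hash(*acceptor_bindings):
        return "accepted (bindings match)"
    return "GSS_S_BAD_BINDINGS"


# Constructed addresses (private and documentation ranges).
CLIENT_PRIVATE = "192.168.1.10"  # address the client sees on its own socket
CLIENT_PUBLIC = "203.0.113.7"    # address the server sees after NAT
SERVER = "198.51.100.20"

# Value the initiator computes from its local view of the connection.
sent = bnd_hash(CLIENT_PRIVATE, SERVER)

if __name__ == "__main__":
    print("no NAT:", acceptor_check(sent, (CLIENT_PRIVATE, SERVER)))
    print("NAT   :", acceptor_check(sent, (CLIENT_PUBLIC, SERVER)))
    print("no CB :", acceptor_check(sent, None))
```

The NAT case fails for a legitimate client, and the no-CB case accepts regardless of what the initiator sent.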
