- proftpd since version 1.3.6 no longer declares

[Sashan]

IPv6 support as 'USE_IPV6'. gssmod should use PR_USE_IPV6 instead

[Sashan]

I also have a question on channel bindings. I'd like to know how is it supposed to work. Let me share the story I can see first.

Prior bug got fixed I could see error message as follows in debug logs:

GSSAPI Unknown local address family

This way I've quickly discovered modgss does not pick IPv6 support correctly. However things don't work even if I apply the patch from this pull request. I still need to adjust proftpd.conf. I either have to disable IPv6 UseIPv6 off, or I have to disable channel bindings (by either setting GSSOptions AllowFWNAT or using GSSOptions NoChannelBinding).

This is what I get on client side:

Connected to foo.vm-sashan.cz.oracle.com.
220 ProFTPD Server (foo) [::ffff:192.168.1.65]
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
421 Service not available, remote server has closed connection

This is what I get in debug log in server:

dispatching CMD command 'ADAT (hidden)' to mod_gss
GSSAPI Channel Binding: remote IPv4 family
GSSAPI Channel Binding: local IPv4 mapped in IPv6 family

I have no clue where else I should poke to obtain more hints.

[huaraz]

Hi Sashan, I haven’done any development work it for some time. I need to setup a IPV6 server and do some tests. It will take a bit before I can respond with details. Kind Regards Markus From: Sashan Sent: Monday, October 7, 2019 10:16 PM To: huaraz/gssmod Cc: Subscribed Subject: Re: [huaraz/gssmod] - proftpd since version 1.3.6 no longer declares (#3) I also have a question on channel bindings. I'd like to know how is it supposed to work. Let me share the story I can see first. Prior bug got fixed I could see error message as follows in debug logs: GSSAPI Unknown local address family This way I've quickly discovered modgss does not pick IPv6 support correctly. However things don't work even if I apply the patch from this pull request. I still need to adjust proftpd.conf. I either have to disable IPv6 UseIPv6 off, or I have to disable channel bindings (by either setting GSSOptions AllowFWNAT or using GSSOptions NoChannelBinding). This is what I get on client side: Connected to foo.vm-sashan.cz.oracle.com. 220 ProFTPD Server (foo) [::ffff:192.168.1.65] 334 Using authentication type GSSAPI; ADAT must follow GSSAPI accepted as authentication type 421 Service not available, remote server has closed connection This is what I get in debug log in server: dispatching CMD command 'ADAT (hidden)' to mod_gss GSSAPI Channel Binding: remote IPv4 family GSSAPI Channel Binding: local IPv4 mapped in IPv6 family I have no clue where else I should poke to obtain more hints. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or mute the thread.

[huaraz]

Which ftp client do you use ?

Channel binding is defines as:

The chan_bindings input to GSS_Init_Sec_Context and
GSS_Accept_Sec_Context should use the client internet address and
server internet address as the initiator and acceptor addresses,
respectively. The address type for both should be GSS_C_AF_INET. No
application data should be specified.

So if there is NAT the client/server does not see the others real IP to put it into the binding data.

It also says it should be GSS_C_AF_INET but in V6 it is GSS_C_AF_INET6

Markus

[Sashan]

sorry I was not specific enough in my earlier comment.

Which ftp client do you use ?

I'm using the one, which is bundled with Solaris. The same can be found in illumos

respectively. The address type for both should be GSS_C_AF_INET. No
application data should be specified.

So if there is NAT the client/server does not see the others real IP to put it into the binding data.

It also says it should be GSS_C_AF_INET but in V6 it is GSS_C_AF_INET6

I have not tried that with IPv6 yet. I'm dealing with case, where proftpd server is listening on all IP addresses (IPv6 and IPv4). The client connects from IPv4 address. There is no NAT involved. The proftpd server sees both addresses as IPv4 address mapped to IPv6 address (e.g. 192.168.1.50 -> ::ffff:192.168.1.65).

The client and server are both using MIT kerberos (1.16.1).

Thank you for your clarification on channel binding. So it looks like the server/client fail to establish channel binding, when they deal with IPv4 mapped to IPv6. I'll keep poking and will let you know once I'll find something.

[huaraz]

Looking at the client source at https://github.com/illumos/illumos-gate/blob/master/usr/src/cmd/cmd-inet/usr.bin/ftp/auth.c I see the channel binding is only for ipv4 i.e. I don't see anything for IPV6. My code tries to detect ipv4 in ipv6 to set the right channel bindings.

        case AF_INET6:
            pr_log_debug(DEBUG9, "GSSAPI Channel Binding: remote %sIPv6 family",pr_netaddr_is_v4mappedv6(session.c->remote_addr)?"IPv4 mapped in ":"");
            if (pr_netaddr_is_v4mappedv6(session.c->remote_addr)) {
                chan->initiator_addrtype = GSS_C_AF_INET;
                chan->initiator_address.length = pr_netaddr_get_inaddr_len(session.c->remote_addr)-12;
                chan->initiator_address.value = get_v4inaddr(session.c->remote_addr);
             } else {
                chan->initiator_addrtype = af_inet6;
                chan->initiator_address.length = pr_netaddr_get_inaddr_len(session.c->remote_addr);
                chan->initiator_address.value = pr_netaddr_get_inaddr(session.c->remote_addr);
            }
            break;

if this does not work you may have to disable IPV6 in proftpd.

Markus

[Sashan]

I think I've root casued the issue, see details in #4