[NTLUG:Discuss] firewall and ftp problem
Chris Cox
cjcox at acm.org
Fri Jan 25 10:03:46 CST 2002
m m wrote:
> What does this mean, and why?
> on Linux box
> KERBEROS_V4 rejected as an authentication type
> but ftp works
> and
> on windoz box
> 500 'AUTH GSSAPI': command not understood
> 500 'AUTH KERBEROS_V4': command not understood
> ftp did not work
M$ exploits an RFC for something called the GSSAPI that allows them
to develop a proprietary security policy under the guise of a public
RFC. M$ uses GSSAPI (with their implementation underneath) as their
way of doing something similar to the automatic key generation needed
to do automated secure operations on a network.
So.. my guess here is that M$ tries to use the high security authentication
first.. it fails (since you're not using M$) and then it falls back to Kerberos
(again the M$ version of Kerberos probably), then finally falls back to the
virtually security-less normal ftp protocol.
I've never stumbled across this with ftp... but I have had my dealings
with M$ DNS, which also uses their GSSAPI for zone transfers... something
that BIND does not support... the TSIG (md5 key) method in BIND
isn't supported by M$... (md5 keys are well documented... the implementation
of GSSAPI is under the typical M$ shroud). I know for a fact that
the BIND team has requested the information from M$ on their
GSS underpinnings... and M$ has even replied that they are willing to
help...
but they NEVER followed through (it's pretty low on M$'s priority list
to help another OS out).
>
> My box is RH 6.2 with 2.4.14 kernel.
> I use iptables to filter ftp to the Linux box and the Windoz box,
> set regular port # (21) for Linux box and port 8021 for Windoz box.
> see below part of the firewall rules:
>
> -------------------------------------------------
> #!/bin/sh
> # Insert the required kernel modules: NAT, connection tracking, and the
> # FTP helpers that follow PORT/PASV on the control channel so the data
> # connections can be tracked and NATed along with it.
> modprobe iptable_nat
> modprobe ip_conntrack
> modprobe ip_conntrack_ftp
> modprobe ip_nat_ftp
>
> # Masquerade outbound traffic from the private LAN behind the public address.
> iptables -v -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
> iptables -v -t nat -A POSTROUTING -d 12.237.96.67 -j MASQUERADE
>
> # Note: There are more "reserved" networks, but these are the classical
> # ones.
>
> # Port-forward inbound FTP control connections: port 21 to the Linux box,
> # port 8021 to the Windoz box.
> iptables -A PREROUTING -t nat -p tcp -d 12.23.196.167 \
>   --dport 21 -j DNAT --to 192.168.1.3:21
> iptables -A PREROUTING -t nat -p tcp -d 12.23.196.167 \
>   --dport 8021 -j DNAT --to 192.168.1.2:8021
>
> echo "firewall done."
> --------------------------------------------------------
>
> when I ftp using the regular port, I get
>
> KERBEROS_V4 rejected as an authentication type
>
> but everything else works. I can transfer files.
> Does this KERBEROS_V4 rejected... matter? from any view point.
> below is the session of this ftp login:
>
> -----------------------------------------------
> [user at foobar user]$ ftp 12.23.196.167
> Connected to 12.23.196.167.
> 220 ftp.hsugroup.com FTP server (Version wu-2.6.0(1) Mon Feb 28 10:30:36 EST 2000) ready.
> 530 Please login with USER and PASS.
> 530 Please login with USER and PASS.
> KERBEROS_V4 rejected as an authentication type
> Name (12.23.196.167:jc):
> -------------------------------------------------
>
> when I ftp using port 8021 (set in the firewall rule and on the windoz box), I get
>
> 500 'AUTH GSSAPI': command not understood
> 500 'AUTH KERBEROS_V4': command not understood
> KERBEROS_V4 rejected as an authentication type
> I can log on to it but it doesn't work. I can not do anything.
> below is the session of this ftp login:
>
> -------------------------------------------
> [jc at foobar jc]$ ftp 12.23.196.167 8021
> Connected to 12.23.196.167.
> 220 alph Microsoft FTP Service (Version 4.0).
> 500 'AUTH GSSAPI': command not understood
> 500 'AUTH KERBEROS_V4': command not understood
> KERBEROS_V4 rejected as an authentication type
> Name (12.23.196.167:user): uzd
> 331 Password required for uzd.
> Password:
> 230 User uzd logged in.
> Remote system type is Windows_NT.
> ftp> put zzz
> local: zzz remote: zzz
> 500 Invalid PORT Command.
> ftp: bind: Address already in use
> ftp> ls
> 500 Invalid PORT Command.
> ftp> dir
> 500 Invalid PORT Command.
> ftp>
> -----------------------------------------
>
> Can anyone help?
>
> sorry for the long description. I hope this makes people see the
> insight of my problem.
>
> TIA.
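The firewall script quoted above loads ip_conntrack_ftp and ip_nat_ftp, and the session on port 8021 ends in "500 Invalid PORT Command". As an added illustration (not code from either message in this thread, and not a diagnosis of that particular setup), the Python below models what the FTP NAT helper does to a PORT command on the control channel. It assumes what the stock helper does: only the control ports it was told about are inspected (port 21 unless the module is loaded with a ports= list, e.g. `modprobe ip_conntrack_ftp ports=21,8021`), so on an untracked port the private address inside PORT crosses the NAT box unchanged, and a server that applies the usual bounce-attack guard (the PORT address must equal the control-connection peer) rejects it. The client, public and data-port values are constructed sample values, and the model covers the masquerade direction (inside client, outside server) because that is the simplest place to see the rewrite.

```python
"""Model of the FTP connection-tracking/NAT helper's handling of PORT.

Added example, not code from the original thread.  It models the masquerade
direction (inside client -> outside server) to show why an untracked control
port leaves a private address inside the PORT command.
"""
import re

# Control ports the helper watches.  Assumption stated in the lead-in: the
# stock module tracks only 21 unless loaded with a ports= list (ports=21,8021).
DEFAULT_TRACKED_PORTS = frozenset({21})

_PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")


def parse_port(cmd):
    """Parse 'PORT h1,h2,h3,h4,p1,p2' into (ip, port).

    Raises ValueError on anything that is not a well-formed PORT command
    (wrong field count, octet > 255, port 0): a helper that rewrites packet
    payloads must refuse to guess."""
    m = _PORT_RE.match(cmd)
    if not m:
        raise ValueError("malformed PORT command: %r" % cmd)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in PORT command: %r" % cmd)
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("PORT command with port 0: %r" % cmd)
    return ip, port


def build_port(ip, port):
    """Inverse of parse_port: encode ip/port as 'PORT h1,h2,h3,h4,p1,p2'."""
    octets = ip.split(".")
    if len(octets) != 4 or not 0 < port < 65536:
        raise ValueError("cannot encode %s:%s" % (ip, port))
    return "PORT " + ",".join(octets + [str(port // 256), str(port % 256)])


def masquerade_port(cmd, ctrl_dport, client_ip, public_ip,
                    tracked_ports=DEFAULT_TRACKED_PORTS):
    """Return the PORT line the server sees after the control connection is
    masqueraded.  Only control connections to a tracked port are inspected;
    on any other port the payload crosses the NAT box untouched."""
    if ctrl_dport not in tracked_ports:
        return cmd
    ip, port = parse_port(cmd)
    if ip != client_ip:
        # Not the client's own address: leave it alone rather than rewrite an
        # arbitrary (possibly bounce-attack) target on the client's behalf.
        return cmd
    return build_port(public_ip, port)


def server_accepts_port(cmd, ctrl_peer_ip):
    """Bounce-attack guard as many servers implement it: the address in PORT
    must equal the peer of the control connection, else 500 Invalid PORT."""
    try:
        ip, _ = parse_port(cmd)
    except ValueError:
        return False
    return ip == ctrl_peer_ip


def walk_scenarios(client_ip="192.168.1.5", public_ip="12.23.196.167",
                   data_port=1025):
    """Run the PORT exchange under three control-port/helper configurations
    and return (label, line_seen_by_server, accepted) for each.  The
    addresses are constructed sample values, not taken from the thread."""
    sent = build_port(client_ip, data_port)
    cases = [
        ("port 21, default helper", 21, DEFAULT_TRACKED_PORTS),
        ("port 8021, default helper", 8021, DEFAULT_TRACKED_PORTS),
        ("port 8021, helper loaded with ports=21,8021", 8021,
         frozenset({21, 8021})),
    ]
    results = []
    for label, ctrl_dport, tracked in cases:
        seen = masquerade_port(sent, ctrl_dport, client_ip, public_ip, tracked)
        # After masquerading, the server's control-connection peer is public_ip.
        results.append((label, seen, server_accepts_port(seen, public_ip)))
    return results


if __name__ == "__main__":
    for label, seen, ok in walk_scenarios():
        print("%-45s %-26s %s" % (
            label, seen, "200 PORT ok" if ok else "500 Invalid PORT Command"))
```

Running the file prints the three exchanges side by side: the tracked port 21 case and the ports=21,8021 case reach the server with the public address and pass the guard, while the untracked 8021 case delivers the client's 192.168.1.x address and is refused. Whether the real helper is rewriting a session can be checked on the firewall with a packet capture of the control channel on each side of the box, comparing the PORT lines.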