Kerberos use with a transparent security device
Richard E. Silverman
res at qoxp.net
Fri May 19 21:43:52 EDT 2006
>>>>> "IP" == "Ian Puleston" <ian at underpressuredivers.com> writes:
IP> Hi, I have a question as to whether Kerberos can be used to
IP> authenticate to a transparent network device such as a security
IP> appliance or firewall. Say you want the device to authenticate
IP> traffic as originating from a signed-on user before letting it
IP> pass, but the presence of the device is transparent to the users.
IP> My understanding, from reading the Kerberos standards, is that the
IP> Client/Server authentication exchange begins with a KRB_AP_REQ
IP> from the client, which means that the client must know of the
IP> presence of the server. Indeed there must be some mechanism
IP> whereby the client knows to initiate the exchange and send the
IP> KRB_AP_REQ. But in the scenario that I have described above, where
IP> the "server" is a transparent device on the network, that would
IP> not be the case.
IP> So, is there any way that Kerberos can be used to authenticate a
IP> client to such a transparent device?
This is a generic problem, not specific to Kerberos. One way to do it is
to have the firewall, in the unauthenticated state, usurp a particular
commonly used protocol that supports authentication. For example, the
firewall may intercept any use of HTTP and demand authentication by the
usual HTTP mechanisms. You could do the same here, if the firewall and
the browsers support SPNEGO/Kerberos authentication over HTTP.
--
Richard Silverman
res at qoxp.net
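The interception scheme described in the reply, written out as an added example (not code from the original post): a transparent gateway usurps an unauthenticated client's HTTP request, answers with a 401 carrying `WWW-Authenticate: Negotiate` (the RFC 4559 SPNEGO-over-HTTP challenge), and passes the source through only once a Kerberos token has been accepted. `Gateway`, `build_request`, `demo_acceptor` and the sample request are constructed for this illustration; the real GSSAPI acceptor is assumed to be injected as `accept_token`.

```python
import base64
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Constructed model of the interception logic a transparent firewall could run
# when it hijacks HTTP and demands SPNEGO/Kerberos (the RFC 4559 "Negotiate"
# scheme).  `accept_token` stands for the GSSAPI acceptor (in production,
# gss_accept_sec_context with the gateway's HTTP/<fqdn> key); demo_acceptor
# below is a stand-in so the exchange can be exercised offline.

CHALLENGE = (b"HTTP/1.1 401 Unauthorized\r\n"
             b"WWW-Authenticate: Negotiate\r\n"
             b"Content-Length: 0\r\n\r\n")

def build_request(token: Optional[bytes] = None) -> bytes:
    """Constructed client request, optionally carrying a Negotiate token."""
    hdrs = b"GET / HTTP/1.1\r\nHost: intranet.example.com\r\n"
    if token is not None:
        hdrs += b"Authorization: Negotiate " + base64.b64encode(token) + b"\r\n"
    return hdrs + b"\r\n"

def parse_headers(request: bytes) -> Dict[str, str]:
    """Lower-cased header map of an HTTP request (body ignored)."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")[1:]
    return {k.strip().lower(): v.strip()
            for k, v in (ln.split(":", 1) for ln in head if ":" in ln)}

@dataclass
class Gateway:
    accept_token: Callable[[bytes], Tuple[bool, str]]   # GSSAPI acceptor
    authenticated: Dict[str, str] = field(default_factory=dict)  # src IP -> principal

    def handle(self, client_ip: str, request: bytes):
        """('pass', principal) to forward the flow, ('reply', bytes) to answer it."""
        if client_ip in self.authenticated:          # already signed on: pass
            return "pass", self.authenticated[client_ip]
        scheme, _, token = parse_headers(request).get("authorization", "").partition(" ")
        if scheme.lower() != "negotiate" or not token:
            return "reply", CHALLENGE                 # usurp the request: demand auth
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:
            return "reply", CHALLENGE
        ok, principal = self.accept_token(raw)        # verify the Kerberos AP-REQ
        if not ok:
            return "reply", CHALLENGE
        self.authenticated[client_ip] = principal     # sign the source on
        return "pass", principal

def demo_acceptor(raw: bytes) -> Tuple[bool, str]:
    """Constructed stand-in for the GSSAPI acceptor; does no real ticket check."""
    return (True, "alice@EXAMPLE.COM") if raw == b"VALID-AP-REQ" else (False, "")
```

Once signed on, identity is bound to the source address, so the `authenticated` entries need an expiry and the scheme is only as strong as the network's protection against address spoofing.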