A generic kerberizing project

Sam Hartman hartmans at MIT.EDU
Fri May 11 10:58:41 EDT 2007


Hi.  This is definitely a misuse of the krbdev at mit.edu list; your
question probably should have gone to kerberos at mit.edu.  I'll direct
replies there.  However I want to point out a couple of things.

If you are just using Kerberos to secure network traffic without
modifying existing applications take a look at RFC 4430.  That's
basically the protocol you are looking for between your two boxes.

However, the solution you propose has some significant security
problems.  In brief, the problem is that you are having authentication
going on at multiple levels: the Kerberos level with your box and the
level presumably using weaker authentication in the application
itself.
There are a lot of tricky issues to consider when doing this.
Take a look at http://tools.ietf.org/internet-drafts/draft-williams-on-channel-binding and http://tools.ietf.org/internet-drafts/draft-ietf-btns-prob-and-applic for descriptions of some of the issues.