Kerberos outside the firewall

Nordgren, Bryce L -FS bnordgren at fs.fed.us
Mon Dec 1 22:25:36 EST 2014


> But desktop/workstation logins and fileservers are generally *also* not
> allowed outside of a VPN, so I don't understand what you're gaining.

There simply is no one VPN to cover all the actors.

I am not speaking hypothetically or "generally". The meat and potatoes of this research organization is to collaborate with external users who  cannot access our VPN. To share Terabytes of data. And process it. With something that's not a website. The absolute number one obstacle to getting work done is exactly the sentiment you just expressed. I would also be willing to bet that the lack of Kerberos IDs outside the firewall is due to this sentiment running rampant. If there's nothing to be gained by exposing the KDC, why do it? It's not necessarily a lack of education, it could merely be due to the belief that the primary consumers of Kerberos IDs are things which are not allowed outside of their VPN. That is a self-fulfilling prophecy which affords no opportunity for correction.

Hence, issuing a TGT to an ID which _is_ exposed.

Bryce




This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately.



More information about the Kerberos mailing list