Kerberos outside the firewall

Russ Allbery eagle at
Mon Dec 1 23:13:46 EST 2014

"Nordgren, Bryce L -FS" <bnordgren at> writes:

> I am not speaking hypothetically or "generally". The meat and potatoes
> of this research organization is to collaborate with external users who
> cannot access our VPN. To share Terabytes of data. And process it. With
> something that's not a website. The absolute number one obstacle to
> getting work done is exactly the sentiment you just expressed.

Yeah, you're definitely looking for AFS.

No idea if you can politically deploy it, but this is *exactly* the use
case that AFS was designed to solve, and what it's used for extensively in
the high energy physics community.

But yeah, you're going to need cross-realm Kerberos in order to be able to
do it.

> I would also be willing to bet that the lack of Kerberos IDs outside the
> firewall is due to this sentiment running rampant.  If there's nothing
> to be gained by exposing the KDC, why do it?  It's not necessarily a
> lack of education, it could merely be due to the belief that the primary
> consumers of Kerberos IDs are things which are not allowed outside of
> their VPN.  That is a self-fulfilling prophecy which affords no
> opportunity for correction.

My point is that the file service is much harder to secure than Kerberos.
I get that you have management who apparently have no idea what they're
talking about but are still making security decisions, and that's, alas,
really common in this space.  That's partly Ken's point as well, and there
are some really unfortunate misconceptions created by the way that Active
Directory tends to mix all this together alongside things that are more
vulnerable to attack.  But if one understands the protocols involved, one
gets very dubious about the idea that exposing the file servers is safe
and exposing Kerberos is not.

Yeah, I know you can make lots of arguments about how Kerberos can be used
to access other things, and is the keys to the kingdom, and the file
servers are more limited, and so forth, but none of them really hold water
for me at least.  There are other ways to work around those problems, and
Kerberos is really pretty easy to secure; the protocol surface is not
large, and you can still rely on network proximity and multifactor for the
VPN to protect other critical things.  I don't think it's the likely
attack vector.  We always exposed Kerberos directly to the Internet at

Russ Allbery (eagle at
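As an added illustration of the cross-realm Kerberos setup Russ says is needed (this is not configuration from the post, the list, or any site mentioned in it), here is a krb5.conf for a client in the local realm that trusts a collaborating realm directly; the realm names LAB.EXAMPLE.ORG and PARTNER.EXAMPLE.EDU and all host names are placeholders.

```ini
# Added example, not from the original post. Realm and host names are
# placeholders; substitute your own.
[libdefaults]
    default_realm = LAB.EXAMPLE.ORG
    dns_lookup_kdc = false      # pin KDCs explicitly instead of trusting DNS
    forwardable = true          # AFS tokens are derived from the user's TGT

[realms]
    LAB.EXAMPLE.ORG = {
        kdc = kdc1.lab.example.org    # only port 88 (tcp/udp) must be reachable
        kdc = kdc2.lab.example.org    # from outside; kadmin (749) stays inside
        admin_server = kadmin.lab.example.org
    }
    PARTNER.EXAMPLE.EDU = {
        kdc = kdc.partner.example.edu
    }

[domain_realm]
    .lab.example.org = LAB.EXAMPLE.ORG
    .partner.example.edu = PARTNER.EXAMPLE.EDU

# Direct trust in both directions. Each KDC must hold the pair of principals
#   krbtgt/LAB.EXAMPLE.ORG@PARTNER.EXAMPLE.EDU
#   krbtgt/PARTNER.EXAMPLE.EDU@LAB.EXAMPLE.ORG
# created with identical keys (kadmin: addprinc, same password, on both sides).
# "." means no intermediate realm sits on the path.
[capaths]
    PARTNER.EXAMPLE.EDU = {
        LAB.EXAMPLE.ORG = .
    }
    LAB.EXAMPLE.ORG = {
        PARTNER.EXAMPLE.EDU = .
    }
```

On the AFS side the foreign realm's users still need PTS entries (OpenAFS names them user@partner.example.edu and requires a system:authuser@partner.example.edu group), which is where access to the shared volumes is actually granted.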
