PPTP / L2TP with Kerberos -- what specs does it follow?

Benjamin Kaduk kaduk at MIT.EDU
Sat Nov 29 15:48:43 EST 2014


Sorry to focus in on just a single offhand remark, but ...

On Fri, 28 Nov 2014, Frank Cusack wrote:

> implemented/supported/documented.  It would require the KDC to be out in
> the open (to get the ticket used for the VPN auth) and most folks aren't
> going to do that.

... can you say more about *why* most folks aren't going to do that?

We have our KDC open to the public here at MIT, and the Kerberos protocol
is explicitly designed to be usable over public (untrusted) networks.

Now, if users are using weak passwords, this can cause problems, but there
are technologies to work around those as well, such as FAST tunnels or an
https proxy, or even passwordless authentication such as via PKINIT.

We would really like to understand better (and hopefully counter) this
idea that KDCs should not be exposed to the public internet.

Thanks,

Ben


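As an added illustration (not part of Ben's message or of MIT's configuration) of the three mitigations he names for a publicly reachable KDC, here is a client-side krb5.conf fragment. Everything in it is assumed: the realm EXAMPLE.COM, the hostnames kerberos.example.com and kdcproxy.example.com, the HTTPS path /KdcProxy (the MS-KKDCP endpoint MIT krb5 1.13+ accepts as a `kdc =` value), and the PKINIT file paths. The first realm block is the ordinary password-only setup that leaves exposure to offline guessing against weak passwords; the second shows the tunnelled and passwordless variants.

```ini
# Added example, not from the original post. All names and paths are assumed.
[libdefaults]
    default_realm = EXAMPLE.COM
    # Do not let DNS SRV records steer clients to an unexpected KDC.
    dns_lookup_kdc = false
    # Force TCP; also a prerequisite for the HTTPS (KKDCP) transport below.
    udp_preference_limit = 1

[realms]
    # Baseline: KDC reachable directly on port 88. This is what the Kerberos
    # protocol is designed for, but the pre-authentication timestamp is
    # encrypted under a key derived from the user's password, so a captured
    # AS exchange can be guessed offline if the password is weak.
    EXAMPLE.COM = {
        kdc = kerberos.example.com
        admin_server = kerberos.example.com
    }

    # Hardened alternative for the same realm, shown under an assumed second
    # name so both variants fit in one file:
    #   - kdc = https://...  wraps the exchange in TLS via a KKDCP proxy
    #     (assumed host and path), so the AS exchange is not visible on the wire.
    #   - pkinit_*           authenticates with a client certificate instead of
    #     a password, so there is no password-derived key to guess at all.
    # FAST armor is not a krb5.conf setting: obtain an armor ticket first, e.g.
    #   kinit -k -t /etc/krb5.keytab -c /tmp/armor_cc host/client.example.com
    #   kinit -T /tmp/armor_cc user
    # (hostnames and ccache path assumed).
    HARDENED.EXAMPLE.COM = {
        kdc = https://kdcproxy.example.com/KdcProxy
        pkinit_anchors = FILE:/etc/krb5/pkinit-ca.pem
        pkinit_identities = PKCS12:/etc/krb5/user.p12
    }
```

The point of the contrast is that none of these settings require hiding the KDC behind a firewall: the KKDCP proxy and PKINIT options change what an observer of the AS exchange can learn, and FAST armor (a kinit option, not a config key) wraps password pre-authentication inside a tunnel keyed by an existing ticket.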