What is the interaction for Kerberos in a proxy environment?

chen dong chendong.jy at gmail.com
Tue Mar 21 18:23:47 EDT 2017


I am not sure that my statement is right here. If I am wrong, please
correct me.

The Kerberos protocol works atop the TCP protocol. The Kerberos protocol has
its own different implementations, such as MIT Kerberos. And on top of Kerberos,
there is a virtual layer, SASL - simple authentication and security layer;
this SASL layer can use different mechanisms, including Kerberos. There is an
upper-layer implementation called GSSAPI - generic security system API. It
also holds different mechanisms underneath, including Kerberos. Not sure about
the relationship between SASL and GSSAPI.

Per my understanding of the Kerberos implementation, it is all inside
TCP. I haven't checked the implementation, but I guess that the Kerberos TGT is
sent by the client to the kerberized service over TCP. My question is: how
does this happen in a Proxy-in-the-middle environment? How does the
kerberized service know that the Proxy-in-the-middle is trusted, and which
client the request is from? On the client side, how can the client know
where the kerberized service is and where the Proxy-in-the-middle is?


Regards,

Dong

