heimdal http proxy

Ken Hornstein kenh at cmf.nrl.navy.mil
Sun Sep 12 11:11:18 EDT 2021


>The hope is that the proxy will read requests and validate them. Thus
>passing through the proxy would be less dangerous than exposing port 88
>directly.  If that’s not true, we should consider the risks of making
>port 88 available, or give up.

I'm curious as to exactly what validation for requests you think the
HTTP proxy is doing that the KDC is not.  The only meaningful validation
I can think of would require the proxy to handle all of the functions
of the KDC itself (and honestly, I suspect the only validation that the
proxy is doing is, "Looks like a valid HTTP request that doesn't have
any of the common SQL injection attacks in the URL").  I mean, I've
certainly been in the situation where we are required to do something
dumb to satisfy an overly-broad security requirement, but I always try
to acknowledge the dumbness.

--Ken

