heimdal http proxy

Ken Hornstein kenh at cmf.nrl.navy.mil
Tue Sep 28 21:58:22 EDT 2021


>If all the proxy is doing is forwarding content, it might work. But in
>that case it’s not obvious how much security we’re gaining by the
>proxy. It may be that just enabling access directly to port 88 would be
>as good. (I control the network, mostly.) Any sense how risky it is to
>expose port 88 to the internet?

For what it's worth, we do.  Protocol-wise, Kerberos is literally designed
to operate over untrusted networks, so I'm fine with the protocol being
accessible from the Internet.

Implementation-wise, the people I personally know who do that are running
one of the open-source Kerberos implementations.  It is my understanding
that Microsoft does NOT recommend opening the Kerberos port on your
domain controller to the Internet, but if you are making it available via
a web proxy I'm not sure how that doesn't qualify.  I'm not sure why
that is Microsoft's guidance (note that I have only heard that second
hand and I have not verified it).

--Ken
