heimdal http proxy

Simo Sorce simo at redhat.com
Wed Sep 29 16:12:26 EDT 2021


On Wed, 2021-09-29 at 13:41 -0600, Grant Taylor wrote:
> On 9/28/21 2:31 PM, Charles Hedrick wrote:
> > If all the proxy is doing is forwarding content, it might work. But 
> > in that case it’s not obvious how much security we’re gaining 
> > by the proxy. It may be that just enabling access directly to port 
> > 88 would be as good. (I control the network, mostly.) Any sense how 
> > risky it is to expose port 88 to the internet?
> 
> I was assuming that the proxy would have its own authentication 
> requirements.  Thus the proxy would act somewhat like a bouncer in front 
> of the KDC.
> 
> Somewhat like putting the KDC behind a VPN or SPI w/ port knocking.  -- 
> Allow people that have some modicum of knowledge access to the KDC while 
> preventing any Joe Random on the Internet from accessing the KDC.

In truth, most of the value for the proxy (MS-KKDCP style) is that it
uses a standard port open in most places, and wraps everything in TLS
so that most inspection from broken HTTP middleboxes is prevented.

There is the added TLS channel encryption that can prevent a lot of
MITM as well, given that the client SHOULD validate the certificate of
the proxy.

HTH,
Simo.

-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
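To make concrete what an MS-KKDCP proxy actually receives inside the TLS-wrapped HTTP POST, here is an added example (not code from this thread, nor from Heimdal or MIT krb5) of a minimal encoder and a strict decoder for the KDC-PROXY-MESSAGE envelope; the Kerberos message bytes used with it are constructed placeholders, not a real AS-REQ.

```python
def der_len(n):
    # DER length octets: short form below 128, else 0x80|count then big-endian length bytes
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content
def encode_kkdcp(krb_msg, target_domain=None):
    # KDC-PROXY-MESSAGE ::= SEQUENCE { kerb-message [0] OCTET STRING, target-domain [1]
    #   KerberosString OPTIONAL, dclocator-hint [2] INTEGER OPTIONAL }   (EXPLICIT tags)
    # kerb-message carries the 4-byte big-endian length prefix used by Kerberos over TCP.
    fields = der_tlv(0xA0, der_tlv(0x04, len(krb_msg).to_bytes(4, "big") + krb_msg))
    if target_domain is not None:  # KerberosString is a GeneralString (universal tag 0x1B)
        fields += der_tlv(0xA1, der_tlv(0x1B, target_domain.encode("ascii")))
    return der_tlv(0x30, fields)
def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:
        n = length & 0x7F
        if n == 0 or n > 4:  # indefinite form or oversized length fields are not DER
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length
def decode_kkdcp(data):
    # Reject trailing bytes and a length prefix that disagrees with the body: a proxy frames
    # what it forwards to the KDC over TCP from that prefix, so the two must agree.
    tag, seq, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("expected exactly one KDC-PROXY-MESSAGE")
    out, pos = {}, 0
    while pos < len(seq):
        ctag, inner, pos = _read_tlv(seq, pos)
        itag, value, iend = _read_tlv(inner, 0)
        if iend != len(inner):
            raise ValueError("garbage inside explicit tag")
        if ctag == 0xA0 and itag == 0x04:
            if len(value) < 4 or int.from_bytes(value[:4], "big") != len(value) - 4:
                raise ValueError("kerb-message length prefix does not match body")
            out["kerb_message"] = value[4:]
        elif ctag == 0xA1 and itag == 0x1B:
            out["target_domain"] = value.decode("ascii")
        elif ctag == 0xA2 and itag == 0x02:
            out["dclocator_hint"] = int.from_bytes(value, "big", signed=True)
        else:
            raise ValueError("unexpected field tag %#x" % ctag)
    if "kerb_message" not in out:
        raise ValueError("kerb-message is mandatory")
    return out
```

The client POSTs the encoded bytes with Content-Type application/kerberos to the proxy's HTTPS endpoint, and the proxy returns the KDC's reply in the same envelope.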
