Looking for a "Kerberos Router"?

Simo Sorce simo at redhat.com
Wed Mar 13 16:47:51 EDT 2024


This is well tested:
https://github.com/latchset/kdcproxy


On Wed, 2024-03-13 at 17:32 +0100, Yoann Gini wrote:
> 
> > On 13 March 2024 at 17:21, Ken Hornstein <kenh at cmf.nrl.navy.mil> wrote:
> > 
> > It does occur to me that maybe if you have different KDC hostnames but
> > the same IP address you could use TLS SNI or hostname routing which
> > you indicated you already use and maybe that would be simpler?  That
> > presumes the client implementations set the SNI field (I see that it
> > does send a "Host" header, and it looks like MIT Kerberos does set the
> > SNI hostname).
> 
> This is what I have in mind looking at the documentation of kkdcp (reading as exchanging here). Using SNI to select the KDC.
> 
> I will give it a try, it looks like the option I need here.
> 
> And yes, all of those complexities would have been avoided by network teams just supporting IPv6 and not blocking random ports for no reason…


-- 
Simo Sorce
Distinguished Engineer
RHEL Crypto Team
Red Hat, Inc










