Looking for a "Kerberos Router"?
Simo Sorce
simo at redhat.com
Wed Mar 13 16:47:51 EDT 2024
This is well tested:
https://github.com/latchset/kdcproxy
On Wed, 2024-03-13 at 17:32 +0100, Yoann Gini wrote:
>
> > Le 13 mars 2024 à 17:21, Ken Hornstein <kenh at cmf.nrl.navy.mil> a écrit :
> >
> > It does occur to me that maybe if you have different KDC hostnames but
> > the same IP address you could use TLS SNI or hostname routing which
> > you indicated you already use and maybe that would be simpler? That
> > presumes the client implementations set the SNI field (I see that it
> > does send a "Host" header, and it looks like MIT Kerberos does set the
> > SNI hostname).
>
> This is what I have in mind looking at the documentation of kkdcp (reading as exchanging here). Using SNI to select the KDC.
>
> I will give it a try, it looks like the option I need here.
>
> And yes, all of those complexities would have been avoided by network teams just supporting IPv6 and not blocking random ports for no reasons…
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
Simo Sorce
Distinguished Engineer
RHEL Crypto Team
Red Hat, Inc
More information about the Kerberos
mailing list