Looking for a "Kerberos Router"?

Brent Kimberley Brent.Kimberley at Durham.ca
Wed Mar 13 17:41:58 EDT 2024


To the best of my knowledge, all IPv6 ports should be closed by design and only opened if/when approved.

-----Original Message-----
From: Kerberos <kerberos-bounces at mit.edu> On Behalf Of Simo Sorce
Sent: Wednesday, March 13, 2024 4:48 PM
To: Yoann Gini <yoann.gini at gmail.com>; Ken Hornstein <kenh at cmf.nrl.navy.mil>
Cc: kerberos at mit.edu
Subject: Re: Looking for a "Kerberos Router"?

This is well tested:
https://github.com/latchset/kdcproxy


On Wed, 2024-03-13 at 17:32 +0100, Yoann Gini wrote:
>
> > On 13 March 2024 at 17:21, Ken Hornstein <kenh at cmf.nrl.navy.mil> wrote:
> >
> > It does occur to me that maybe if you have different KDC hostnames
> > but the same IP address you could use TLS SNI or hostname routing
> > which you indicated you already use and maybe that would be simpler?
> > That presumes the client implementations set the SNI field (I see
> > that it does send a "Host" header, and it looks like MIT Kerberos
> > does set the SNI hostname).
>
> This is what I have in mind looking at the documentation of kkdcp (reading as exchanging here). Using SNI to select the KDC.
>
> I will give it a try, it looks like the option I need here.
>
> And yes, all of those complexities would have been avoided by network
> teams just supporting IPv6 and not blocking random ports for no reason...


--
Simo Sorce
Distinguished Engineer
RHEL Crypto Team
Red Hat, Inc









________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos