Looking for a "Kerberos Router"?
Jonas
jonas.repo at protonmail.com
Wed Mar 20 09:13:27 EDT 2024
Thank you, I will put this on test.
This is well tested:
https://github.com/latchset/kdcproxy
On Wed, 2024-03-13 at 17:32 +0100, Yoann Gini wrote:
> On 13 Mar 2024 at 17:21, Ken Hornstein wrote:
>
>> It does occur to me that maybe if you have different KDC hostnames but
>> the same IP address you could use TLS SNI or hostname routing which
>> you indicated you already use and maybe that would be simpler? That
>> presumes the client implementations set the SNI field (I see that it
>> does send a "Host" header, and it looks like MIT Kerberos does set the
>> SNI hostname).
>
> This is what I have in mind looking at the documentation of kkdcp (reading as exchanging here). Using SNI to select the KDC.
>
> I will give it a try, it looks like the option I need here.
>
> And yes, all of those complexities would have been avoided by network teams just supporting IPv6 and not blocking random ports for no reason…
>
>>>> One thing that leaps out at me is that by default a lot of Kerberos
>>>> messages default to UDP transport so that might be a bit trickier to
>>>> proxy them (but not impossible).
>>> Yes, that's another aspect of the issue, our expectations so far are on
>>> support for TCP-only clients. Since it's for mobile users that we are
>>> looking to have this support, it shouldn't be an issue.
>>
>> I would caution you that I think that is something you're going to have
>> to grapple with much sooner than you think.
>>
>> A long time ago we had developed a small Kerberos proxy that forwarded
>> on Kerberos messages by prepending the source IP address/port to the
>> UDP message (our KDC at the time was modified to recognize this
>> and sent the prepended bytes back to the proxy so it could send it to
>> the correct originator).
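The two transport points quoted above (UDP clients losing their return path once a proxy forwards the datagram, and the length-prefixed framing Kerberos uses over TCP) can be made concrete with a small illustration. The Python below is an added example written for this archive page; it is not Ken Hornstein's proxy, not kdcproxy, and not MIT Kerberos code. The tag layout (one family byte, a 16-byte address, a 2-byte port) is a constructed format chosen for the example, and the request/reply bytes are placeholders, not real Kerberos messages; the 4-byte big-endian length prefix with its reserved high bit is the TCP framing defined in RFC 4120 section 7.2.2.

```python
"""Added illustration of two Kerberos transport issues raised in the thread.

1. A UDP datagram forwarded by a proxy carries no record of the original
   client, so the proxy tags it with the source address/port and a
   cooperating KDC echoes that tag ahead of its reply; the proxy then knows
   which client the reply belongs to.
2. Kerberos over TCP prefixes every message with a 4-byte big-endian length
   (RFC 4120 section 7.2.2), so a UDP payload must be reframed to cross a
   TCP-only path.

The tag header used here is a constructed example format, not the format
of any real proxy.
"""
import ipaddress
import struct

# Constructed tag header: 1-byte address family, 16-byte address (IPv4 is
# left-padded with zeros), 2-byte port, all big-endian.
_TAG = struct.Struct("!B16sH")
_AF_INET, _AF_INET6 = 4, 6


def tag_datagram(src_ip: str, src_port: int, payload: bytes) -> bytes:
    """Prepend the originating client's address/port to a UDP payload."""
    addr = ipaddress.ip_address(src_ip)
    family = _AF_INET if addr.version == 4 else _AF_INET6
    packed = addr.packed.rjust(16, b"\x00")
    return _TAG.pack(family, packed, src_port) + payload


def untag_datagram(data: bytes) -> tuple[str, int, bytes]:
    """Split a tagged datagram back into (src_ip, src_port, payload)."""
    if len(data) < _TAG.size:
        raise ValueError("datagram shorter than tag header")
    family, packed, port = _TAG.unpack_from(data)
    if family == _AF_INET:
        ip = str(ipaddress.IPv4Address(packed[-4:]))
    elif family == _AF_INET6:
        ip = str(ipaddress.IPv6Address(packed))
    else:
        raise ValueError(f"unknown address family {family}")
    return ip, port, data[_TAG.size:]


def frame_tcp(msg: bytes) -> bytes:
    """Add the RFC 4120 4-byte length prefix used for Kerberos over TCP."""
    if len(msg) >= 1 << 31:
        raise ValueError("message too long; high bit of the length is reserved")
    return struct.pack("!I", len(msg)) + msg


def unframe_tcp(stream: bytes) -> tuple[bytes, bytes]:
    """Pop one length-prefixed message off a TCP byte stream.

    Returns (message, remaining_bytes); raises if the stream is incomplete
    or the reserved high bit of the length is set.
    """
    if len(stream) < 4:
        raise ValueError("need 4 length bytes")
    (length,) = struct.unpack("!I", stream[:4])
    if length & 0x80000000:
        raise ValueError("reserved high bit set in TCP length prefix")
    if len(stream) < 4 + length:
        raise ValueError("incomplete message")
    return stream[4:4 + length], stream[4 + length:]


def simulate_roundtrip(client_ip: str, client_port: int, request: bytes,
                       kdc_reply: bytes) -> tuple[str, int, bytes]:
    """Walk one request/reply through the proxy and a tag-aware KDC.

    The proxy tags the client's UDP datagram with its source address, the
    KDC echoes the tag ahead of its reply, and the proxy uses the echoed tag
    to pick the client that receives the reply.
    """
    # proxy -> KDC: tag the UDP payload so the KDC can echo the source back
    to_kdc = tag_datagram(client_ip, client_port, request)
    # KDC side: keep the tag, replace the request with the reply
    src_ip, src_port, _request = untag_datagram(to_kdc)
    from_kdc = tag_datagram(src_ip, src_port, kdc_reply)
    # proxy side: strip the tag and route the reply to the original client
    return untag_datagram(from_kdc)


if __name__ == "__main__":
    # Constructed placeholder bytes standing in for a KDC request and reply.
    req, rep = b"AS-REQ-bytes", b"AS-REP-bytes"
    print(simulate_roundtrip("2001:db8::10", 40001, req, rep))
    framed = frame_tcp(req) + frame_tcp(rep)
    first, rest = unframe_tcp(framed)
    print(first, unframe_tcp(rest)[0])
```

The tag is only meaningful between the proxy and a KDC that understands it, which is exactly the coupling the quoted message describes; a stock KDC would treat the prepended bytes as a malformed request, so a proxy in front of an unmodified KDC has to keep its own per-client state instead (what kdcproxy does by carrying each exchange over its own HTTPS request).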