Proxy for Kerberos?
Henry B. Hotz
hotz at jpl.nasa.gov
Tue Jul 25 11:30:21 EDT 2006
On Jul 25, 2006, at 4:05 AM, krbdev-request at mit.edu wrote:
> Date: Mon, 24 Jul 2006 15:11:38 -0400
> From: Jiva DeVoe <jiva at devoesquared.com>
> Subject: Proxy for Kerberos?
> To: krbdev at mit.edu
> Message-ID: <01863C0C-FF9E-41FF-82B7-002F310308CC at devoesquared.com>
> Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
>
> Tell me if this is inherently wrong-thinking...
>
> I want to access a Kerberos server that is behind a firewall without
> exposing the Kerberos port to the internet. So I want to proxy it
> through a tunnel. I am guessing that Kerberos may have some sort of
> built-in preventative measures within itself to prevent spoofing or
> something like that which would cause this not to work. Is this
> true? If not, is there any reason this wouldn't work?
I think you're asking for trouble trying to do this.
An argument I've made many times is that it's better to expose
Kerberos itself than the service for a proprietary (unreviewed)
VPN/tunneling product. The Kerberos protocol has gotten lots of review
over the years.
The only way a tunnel might be better is if it uses e.g. a smart card
instead of a password to authenticate users.
----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
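The question above asks whether anything in Kerberos itself stops the KDC from being relayed through a tunnel. As an added example (not code from this thread, from MIT Kerberos, or from any tunneling product), the relay below shows the one protocol detail such a forwarder has to respect when it carries the TCP transport: RFC 4120 section 7.2.2 prefixes every KDC message with a 4-octet network-order length whose high bit is reserved. The stand-in KDC, its request/reply byte strings and the loopback ports are constructed for the demo; a real deployment would point the relay's upstream at the firewalled KDC and, in the clients' krb5.conf, set `kdc = <relay-host>:88` in the realm stanza and `udp_preference_limit = 1` under `[libdefaults]` so the library tries TCP first.

```python
"""Minimal relay for Kerberos over TCP (RFC 4120 section 7.2.2 framing).

Added example; not code from the krbdev thread or from MIT Kerberos.
Hostnames and ports are assumptions; the stand-in KDC is constructed.
"""
import socket
import struct
import threading

# Over TCP every KDC message is preceded by a 4-octet network-order length.
# The high bit is reserved and must be zero; a relay should refuse it rather
# than try to read a 2 GiB "message".
MAX_LEN = 0x7FFFFFFF


def frame(msg: bytes) -> bytes:
    """Prefix a KRB-KDC-REQ / KRB-KDC-REP with its 4-byte length."""
    if len(msg) > MAX_LEN:
        raise ValueError("message too long for Kerberos TCP framing")
    return struct.pack("!I", len(msg)) + msg


def read_exact(sock: socket.socket, n: int):
    """Read exactly n bytes, or return None if the peer closes first."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return bytes(buf)


def read_frame(sock: socket.socket):
    """Read one length-prefixed KDC message; None on a clean EOF."""
    hdr = read_exact(sock, 4)
    if hdr is None:
        return None
    (length,) = struct.unpack("!I", hdr)
    if length & 0x80000000:
        raise ValueError("reserved high bit set in KDC length prefix")
    return read_exact(sock, length)


def relay_connection(client: socket.socket, kdc_addr):
    """Forward one request to the KDC and hand its reply back to the client.

    MIT clients open a fresh TCP connection per KDC exchange, so handling
    one request/reply per accepted connection is sufficient for this relay."""
    with client:
        req = read_frame(client)
        if req is None:
            return
        with socket.create_connection(kdc_addr, timeout=10) as kdc:
            kdc.sendall(frame(req))
            rep = read_frame(kdc)
        if rep is not None:
            client.sendall(frame(rep))


def start_listener(handler, host="127.0.0.1", port=0):
    """Accept on host:port in a daemon thread; return the port actually bound."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)

    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def start_relay(kdc_addr, host="127.0.0.1", port=0):
    """Listen on host:port (port 88 in practice) and relay to kdc_addr."""
    return start_listener(lambda c: relay_connection(c, kdc_addr), host, port)


# --- Constructed stand-in for the firewalled KDC, used only by the demo ---
FAKE_REQ = b"\x6a\x03constructed AS-REQ"  # marker bytes, not real ASN.1
FAKE_REP = b"\x6b\x03constructed AS-REP"


def fake_kdc(conn):
    with conn:
        if read_frame(conn) == FAKE_REQ:
            conn.sendall(frame(FAKE_REP))


def demo():
    """Run client -> relay -> stand-in KDC over loopback; return the reply."""
    kdc_port = start_listener(fake_kdc)
    relay_port = start_relay(("127.0.0.1", kdc_port))
    with socket.create_connection(("127.0.0.1", relay_port), timeout=10) as c:
        c.sendall(frame(FAKE_REQ))
        return read_frame(c)


if __name__ == "__main__":
    print(demo())
```

The relay is transparent to the protocol: it adds no authentication of its own and leaves the KDC exchange's cryptography untouched, so whether it crosses this forwarder, an SSH tunnel or the open Internet is a question about the transport code in front of port 88, not about Kerberos.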