Proxy for Kerberos?

Henry B. Hotz hotz at
Tue Jul 25 11:30:21 EDT 2006

On Jul 25, 2006, at 4:05 AM, krbdev-request at wrote:

> Date: Mon, 24 Jul 2006 15:11:38 -0400
> From: Jiva DeVoe <jiva at>
> Subject: Proxy for Kerberos?
> To: krbdev at
> Message-ID: <01863C0C-FF9E-41FF-82B7-002F310308CC at>
> Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
>
> Tell me if this is inherently wrong-thinking...
> I want to access a kerberos server that is behind a firewall without
> exposing the kerberos port to the internet.  So I want to proxy it
> through a tunnel.  I am guessing that Kerberos may have some sort of
> built-in preventative measures within itself to prevent spoofing or
> something like that which would cause this not to work.  Is this
> true?   If not, is there any reason this wouldn't work?

I think you're asking for trouble trying to do this.

An argument I've made many times is that it's better to expose
Kerberos itself than the service for a proprietary (unreviewed)
VPN/tunneling product.  The Kerberos protocol has gotten lots of review
over the years.

The only way a tunnel might be better is if it uses e.g. a smart card
instead of a password to authenticate users.

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at
