Proxy for Kerberos?

Cesar Garcia Cesar.Garcia at
Fri Jul 28 21:18:45 EDT 2006

>>>>> "Derek Atkins" == Derek Atkins <warlord at MIT.EDU> writes:
> Quoting Jiva DeVoe <jiva at>:
> > Tell me if this is inherently wrong-thinking...
> >
> > I want to access a kerberos server that is behind a firewall without
> > exposing the kerberos port to the internet.  So I want to proxy it
> > through a tunnel.  I am guessing that Kerberos may have some sort of
> > built-in preventative measures within itself to prevent spoofing or
> > something like that which would cause this not to work.  Is this
> > true?   If not, is there any reason this wouldn't work?
> Why don't you want to expose the kerberos port to the internet at large?
> Kerberos is a security service.  It's MEANT to be on the internet at
> large!

I personally would not recommend exposing a KDC to the internet if:

* it and/or the applications it protects is of sufficiently high value

* your KDC is willing to vend krb4 tickets or your KDC does not
  require pre-authentication

* you have allowed users to choose weak passwords

* you don't trust or understand the KDC code you are running

The other obvious one would be:

* there simply is no need

Some KDCs are configured to enforce account lockouts on successive
AS_REQ failures. Exposing your KDC to the internet means you are
willing to let your users get DOSed via this mechanism by yet another
community of users (or bots, if there are any out there).

At the end of the day, it's a risk decision. And unless you have been
empowered to make such risk decisions (since it is not IT function per
se), you probably want to consult someone with the authority to make
such risk decisions.

More information about the krbdev mailing list