Proxy for Kerberos?

Derek Atkins warlord at MIT.EDU
Sun Jul 30 20:18:43 EDT 2006


Cesar Garcia <Cesar.Garcia at morganstanley.com> writes:

> At the end of the day, it's a risk decision. And unless you have been
> empowered to make such risk decisions (since it is not an IT function per
> se), you probably want to consult someone with the authority to make
> such risk decisions.

And hopefully the person you ask actually has the background
to make an informed decision as opposed to a fearful, automatic
response of "no".  You are absolutely correct that it does depend
on what you're protecting.  But then again unless you're using
Kerberos to protect million-dollar transactions (and I wouldn't
recommend that, either, regardless of how you protect Kerberos)
there are very few use-scenarios where hiding Kerberos behind a
firewall does anything but reduce functionality for your users.

Since the original question was about "proxying" Kerberos, that would
imply that Jiva is interested in providing Kerberos Authentication to
users outside the firewall (which IMHO is a GOOD THING).  Based on
that desire, there's very little reason not to allow port-88 to the
outside world.

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord at MIT.EDU                        PGP key available


