A generic kerberizing project

Pete Martin krbdev at pnmartin.fsnet.co.uk
Fri May 11 06:46:53 EDT 2007


Hi all,

I'm currently developing a Kerberos-centric project which may be of
interest to members of this list.

The aim is to provide an easy-to-use mechanism for kerberizing
client/server connections for network services which would otherwise not
support Kerberos.

The reason for this post: I am interested in gauging interest (and in
any feedback at all). If you have a spare moment and wouldn't mind
answering a very brief list of questions (anonymously), I would be
extremely grateful! Apologies if this is a misuse of the list.

The questionnaire is here: http://petemart.in/krb-q/

There are only ten questions and any responses would be hugely
appreciated. Since others may be interested in the results, I will
happily provide them on request. Further details of the project are
below.

Many thanks,

Pete Martin

--
The final product will likely consist of a small, low-cost hardware box,
running embedded Linux and incorporating an Ethernet switch. It will run
a web server to allow configuration.

The box will wrap outgoing client connections or incoming server
connections to allow access to services to be based on Kerberos
authentication. Additionally, it will provide a secure tunnel for
network traffic. While Kerberised clients and servers exist for many
popular services (e.g. the Debian package krb5-clients), many services
do not have kerberized versions. The hope is that a product such as this
will allow a more unified approach to authentication.

A further feature the box will provide is authentication over closed
ports. To an attacker using port-scanning software such as nmap
(http://insecure.org/nmap), a server behind this box will not appear to
be offering any network services. An encrypted, replay-resistant signal
(sent via a sequence of connections to a range of closed ports) is
required at the server end before a connection from an authenticating
user is allowed (on a one-time basis).
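An added example, not code from the project described in this post: one way a server could validate such a replay-resistant knock, assuming a shared key and a monotonic counter so that each knock is a keyed MAC over a never-repeating value (the port range, window size and addresses are constructed for the illustration).

```python
import hashlib
import hmac
import struct

# Constructed parameters for this illustration; a deployment would choose its own.
KNOCK_BASE = 40000   # first port of the closed range used for knocking
KNOCK_SPAN = 2000    # size of that range (ports 40000..41999)
KNOCK_LEN = 4        # number of connection attempts that make up one knock
WINDOW = 8           # how many counter values ahead of the last one the server accepts

def knock_sequence(key, counter):
    """Derive the port sequence for one knock from a shared key and a counter.
    The counter never repeats, so a captured knock is useless once it has been used."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest()
    return [KNOCK_BASE + int.from_bytes(mac[2 * i:2 * i + 2], "big") % KNOCK_SPAN
            for i in range(KNOCK_LEN)]

class KnockValidator:
    """Server side: watches connection attempts to closed ports and grants one-time access."""

    def __init__(self, key, last_counter=0):
        self.key = key
        self.last_counter = last_counter   # highest counter accepted so far (persist this)
        self.recent = {}                   # source address -> last KNOCK_LEN ports seen

    def observe(self, src, port):
        """Record one attempt from src to a closed port. Returns True exactly when the
        most recent KNOCK_LEN attempts form a valid, not-yet-used knock; the caller may
        then admit a single connection from src. Replays and stale counters return False.
        Simplification: the knock ports must arrive in order without interleaved noise."""
        ports = self.recent.setdefault(src, [])
        ports.append(port)
        del ports[:-KNOCK_LEN]             # keep only the most recent KNOCK_LEN attempts
        if len(ports) < KNOCK_LEN:
            return False
        # Try each counter in the acceptance window. Any counter at or below the last
        # accepted value is never tried, which is what defeats replay of an old knock.
        for candidate in range(self.last_counter + 1, self.last_counter + WINDOW + 1):
            if ports == knock_sequence(self.key, candidate):
                self.last_counter = candidate
                self.recent.pop(src, None)  # a knock is single-use
                return True
        return False
```

The client side simply connects (or sends SYNs) to `knock_sequence(key, counter)` in order and increments its counter; the server never needs the counter on the wire.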

While a hardware solution is preferable for platform independence, I
will also be producing Linux-based software packages performing the same
functions. If you have any questions (or criticism) regarding the above,
please feel free to email! Many thanks.