A generic kerberizing project
krbdev at pnmartin.fsnet.co.uk
Fri May 11 06:46:53 EDT 2007
I'm currently developing a Kerberos-centric project which may be of
interest to members of this list.

The aim is to provide an easy to use mechanism for kerberizing
client/server connections for network services which would otherwise not

The reason for this post: I am interested in gauging interest (and in
any feedback at all). If you have a spare moment and wouldn't mind
answering a very brief list of questions (anonymously), I would be
extremely grateful! Apologies if this is a misuse of the list.

The questionnaire is here: http://petemart.in/krb-q/

There are only ten questions and any responses would be hugely
appreciated. Since others may be interested in the results, I will
happily provide them on request. Further details of the project are

The final product will likely consist of a small, low-cost hardware box,
running embedded Linux and incorporating an ethernet switch. It will run
a webserver to allow configuration.

The box will wrap outgoing client connections or incoming server
connections to allow access to services to be based on Kerberos
authentication. Additionally, it will provide a secure tunnel for
network traffic. While Kerberised clients and servers exist for many
popular services (e.g. the Debian package krb5-clients), many services
do not have kerberized versions. The hope is that a product such as this
will allow a more unified approach to authentication.

A further feature the box will provide is authentication over closed
ports. To an attacker using port-scanning software such as nmap
(http://insecure.org/nmap), a server behind this box will not appear to
be offering any network services. An encrypted, replay-resistant signal
(sent via a sequence of connections to a range of closed ports) is
required at the server end before a connection from an authenticating
user is allowed (on a one-time basis).

While a hardware solution is preferable for platform independence, I
will also be producing Linux-based software packages performing the same
functions. If you have any questions (or criticism) regarding the above,
please feel free to email! Many thanks.
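
Added example, not part of the original post and not the project's code: a server-side sketch of the closed-port signal described above, showing how a knock sequence can be made replay-resistant and the resulting grant one-time. The post does not give its scheme, so this assumes a pre-shared key, a per-user counter and an HMAC-derived port sequence in place of the encrypted signal; the port range, names and look-ahead window are hypothetical.

```python
import hashlib
import hmac
import struct

BASE_PORT, PORT_SPAN, KNOCKS = 40000, 1024, 4  # assumed closed-port range and length

def knock_sequence(key: bytes, user: str, counter: int) -> list:
    """Ports for one signal: HMAC over user and counter, 2 digest bytes per knock."""
    digest = hmac.new(key, user.encode() + struct.pack(">Q", counter),
                      hashlib.sha256).digest()
    return [BASE_PORT + int.from_bytes(digest[2 * i:2 * i + 2], "big") % PORT_SPAN
            for i in range(KNOCKS)]

class KnockVerifier:
    """Server side: watches hits on closed ports, grants one connection per signal."""

    def __init__(self, key: bytes, user: str, window: int = 3):
        self.key, self.user, self.window = key, user, window
        self.next_counter = 0   # counters below this are spent (replay protection)
        self.progress = {}      # source IP -> most recent ports it knocked on
        self.grants = set()     # source IPs allowed exactly one connection

    def on_closed_port_hit(self, src_ip: str, port: int) -> bool:
        seen = self.progress.setdefault(src_ip, [])
        seen.append(port)
        del seen[:-KNOCKS]      # sliding window of the last KNOCKS ports
        if len(seen) < KNOCKS:
            return False
        # Accept a small look-ahead so a lost signal does not desynchronise the client.
        for counter in range(self.next_counter, self.next_counter + self.window):
            if seen == knock_sequence(self.key, self.user, counter):
                self.next_counter = counter + 1   # this and older counters are dead
                self.grants.add(src_ip)
                del self.progress[src_ip]
                return True
        return False

    def consume_grant(self, src_ip: str) -> bool:
        """Called when a real connection arrives; the grant is used up on first use."""
        if src_ip in self.grants:
            self.grants.remove(src_ip)
            return True
        return False
```

A sequence captured off the wire is useless once accepted, because the verifier has already advanced past its counter, and the grant itself disappears on the first connection.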