shuque at isc.upenn.edu
Sun Nov 22 21:38:04 EST 2009
On Thu, Nov 19, 2009 at 05:15:45PM -0800, Henry B. Hotz wrote:
> On Nov 18, 2009, at 9:03 AM, krbdev-request at mit.edu wrote:
> > I'm pleased to announce an IAKERB implementation for MIT Kerberos:
> > http://k5wiki.kerberos.org/wiki/Projects/IAKERB
> > IAKERB allows clients that cannot reach a KDC to proxy credentials
> > acquisition via a GSS exchange with a service. This should reduce the
> > dependence on protocols such as NTLM and Digest outside the firewall.
> I applaud the availability of a solution. I bemoan the widespread,
> naive use of firewalls that creates the problem in the first place.
It's not just firewalls. Another interesting use case for this
is network access authentication, e.g. 802.1x/EAP, where clients
have to complete a link layer authentication (e.g. via a wireless
access point and a RADIUS server) before they even have an IP
address. In such cases the RADIUS server would likely act as the
Of course this requires the IETF to finish developing a GSSAPI
method for EAP ...