Shumon Huque shuque at isc.upenn.edu
Sun Nov 22 21:38:04 EST 2009

On Thu, Nov 19, 2009 at 05:15:45PM -0800, Henry B. Hotz wrote:
> On Nov 18, 2009, at 9:03 AM, krbdev-request at mit.edu wrote:
> > I'm pleased to announce an IAKERB implementation for MIT Kerberos:
> > 
> > 	http://k5wiki.kerberos.org/wiki/Projects/IAKERB
> > 
> > IAKERB allows clients that cannot reach a KDC to proxy credentials  
> > acquisition via a GSS exchange with a service. This should reduce the  
> > dependence on protocols such as NTLM and Digest outside the firewall.

> I applaud the availability of a solution.  I bemoan the widespread,
> naive use of firewalls that creates the problem in the first place.
> *sigh*

It's not just firewalls. Another interesting use case for this
is network access authentication, eg. 802.1x/EAP, where clients
have to complete a link layer authentication (eg. via a wireless
access point and a RADIUS server) before they even have an IP
address. In such cases the RADIUS server would likely act as the 
IAKERB proxy.

Of course this requires the IETF to finish developing a GSSAPI
method for EAP ...


More information about the krbdev mailing list