[24123] in Kerberos


Re: Offline password attacks on AS-REQ

daemon@ATHENA.MIT.EDU (davido@optimation.com.au)
Tue Jun 21 15:22:35 2005

Message-Id: <9740942.1119347136448.JavaMail.root@optim1>
From: davido@optimation.com.au
Date: Tue, 21 Jun 2005 19:45:29 +1000
To: brian.joh@comcast.net
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii
MIME-Version: 1.0
cc: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu


Brian, the earlier suggestion to use IPsec to your servers sounds
like an elegant approach, but it sounds like you may have rather
too many client machines to make this practical.

As a much simpler alternative, and one that is SSL based (and hence
X.509 cert public key encryption based for easy deployment), you
could use OpenVPN.  OpenVPN works well, and easily, on Windows and
lots of Unixes.

You wouldn't need to make any code changes - just some network config.
Our experiences with OpenVPN are very positive.

I guess we Kerberos fans would prefer to see an integrated Kerberos
solution (SSL sessions, without client authentication, for otherwise
normal Kerberos transactions perhaps? We use that approach in a custom
banking application, but the code isn't general I'm afraid). But as
you said you can't change your KDC servers.



________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
