[36622] in Kerberos


Re: PPTP / L2TP with Kerberos -- what specs does it follow?

daemon@ATHENA.MIT.EDU (Rick van Rein)
Fri Nov 28 03:54:52 2014

Mime-Version: 1.0 (Mac OS X Mail 8.1 (1993))
From: Rick van Rein <rick@openfortress.nl>
In-Reply-To: <CAAyYNQjfsKNxCDp-TFdHAwJsL4MKKE5YUR_C8N0z_w386tofjA@mail.gmail.com>
Date: Fri, 28 Nov 2014 09:54:41 +0100
Message-Id: <5F9F8803-B571-4A86-8DF2-FF9854C75F84@openfortress.nl>
To: Frank Cusack <frank@linetwo.net>
Cc: Hugh Cole-Baker <sigmaris@gmail.com>,
        "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Hi Frank,

> I didn't read the document, but from the name of it the EAP-GSS method I noted earlier would be a true Kerberos authentication -- the client has to pass on a kerberos token, not a password.  It sounded like that's what you were going after.

Yes, it is, ideally.

> I wouldn't be surprised if this isn't well implemented/supported/documented.  It would require the KDC to be out in the open (to get the ticket used for the VPN auth) and most folks aren't going to do that.

Interesting observation.  When we go cross-realm, we’ll have to open our KDCs to the public… at least the TGS part, but that’s indistinguishable from the AS part (same SRV record)…

-Rick
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
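The point in the reply above is that the AS exchange and the TGS exchange are served by the same KDC endpoint (one _kerberos SRV record, one port 88 listener), so DNS or a port filter cannot expose only the TGS side. They can be told apart one layer up: per RFC 4120 section 5.4.1, KRB_AS_REQ is [APPLICATION 10] and KRB_TGS_REQ is [APPLICATION 12], so the first DER tag byte of a request already says which exchange it is. The script below is an added example written for this page, not code from the thread or from MIT krb5; the function names (classify_kdc_message, build_kdc_req, tcp_frame) and the two sample requests it constructs are mine, the tag values are from RFC 4120.

```python
"""Classify Kerberos KDC messages by their outer ASN.1 APPLICATION tag.

Added example (not from the mailing-list thread). Assumes the message
tags of RFC 4120 section 5.4.1; sample requests are constructed inline.
"""
import struct

# Outer tags: APPLICATION class (0x40) | constructed (0x20) | tag number.
APP_TAGS = {
    0x6A: "AS-REQ",     # [APPLICATION 10]
    0x6B: "AS-REP",     # [APPLICATION 11]
    0x6C: "TGS-REQ",    # [APPLICATION 12]
    0x6D: "TGS-REP",    # [APPLICATION 13]
    0x7E: "KRB-ERROR",  # [APPLICATION 30]
}

def der_len(n: int) -> bytes:
    """DER length encoding, short form below 128 bytes, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def classify_kdc_message(msg: bytes, over_tcp: bool = False) -> str:
    """Name the message from its outer tag; for requests, cross-check msg-type.

    Over TCP a 4-byte big-endian length precedes the DER (RFC 4120 7.2.2);
    over UDP the datagram starts with the tag byte itself.
    """
    if over_tcp:
        (length,) = struct.unpack("!I", msg[:4])
        if length & 0x80000000:
            raise ValueError("high bit set in TCP length: reserved")
        msg = msg[4:4 + length]
    tag, body, _ = read_tlv(msg)
    name = APP_TAGS.get(tag)
    if name is None:
        raise ValueError(f"unknown outer tag 0x{tag:02x}")
    if name in ("AS-REQ", "TGS-REQ"):
        # KDC-REQ ::= SEQUENCE { pvno [1] INTEGER, msg-type [2] INTEGER, ... }
        seq_tag, seq, _ = read_tlv(body)
        if seq_tag != 0x30:
            raise ValueError("KDC-REQ body is not a SEQUENCE")
        msg_type, pos = None, 0
        while pos < len(seq):
            ctag, cval, pos = read_tlv(seq, pos)
            if ctag == 0xA2:  # [2] msg-type
                _, ival, _ = read_tlv(cval)
                msg_type = int.from_bytes(ival, "big")
        expected = 10 if name == "AS-REQ" else 12
        if msg_type != expected:
            raise ValueError(f"outer tag says {name} but msg-type is {msg_type}")
    return name

def build_kdc_req(msg_type: int) -> bytes:
    """Constructed sample KDC-REQ carrying only pvno and msg-type.

    A real request also has [3] padata and [4] req-body; they are left out
    because the classifier only needs the outer tag and msg-type.
    """
    pvno = der_tlv(0xA1, der_tlv(0x02, b"\x05"))
    mtype = der_tlv(0xA2, der_tlv(0x02, bytes([msg_type])))
    outer_tag = 0x6A if msg_type == 10 else 0x6C
    return der_tlv(outer_tag, der_tlv(0x30, pvno + mtype))

def tcp_frame(msg: bytes) -> bytes:
    """Prefix a message with the 4-byte length used on TCP port 88."""
    return struct.pack("!I", len(msg)) + msg

if __name__ == "__main__":
    for mt in (10, 12):
        raw = build_kdc_req(mt)
        print(classify_kdc_message(raw),
              classify_kdc_message(tcp_frame(raw), over_tcp=True))
```

A proxy in front of a KDC that only wants to admit the TGS exchange from the Internet would apply exactly this check and drop anything whose outer tag is 0x6A. The KDC itself does not make that distinction on its listening socket, which is why the SRV record alone cannot express "TGS only".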

