[36627] in Kerberos
Re: PPTP / L2TP with Kerberos -- what specs does it follow?
daemon@ATHENA.MIT.EDU (Frank Cusack)
Fri Nov 28 18:00:26 2014
MIME-Version: 1.0
In-Reply-To: <4559C81B-27E5-4B0B-825E-5460ADE98B86@openfortress.nl>
Date: Fri, 28 Nov 2014 01:42:15 -0800
Message-ID: <CAAyYNQjpOn5hwPp-UO-d0V++vG1C+ehcKk=q56VrJFBOsCy2pA@mail.gmail.com>
From: Frank Cusack <frank@linetwo.net>
To: Rick van Rein <rick@openfortress.nl>
Cc: Hugh Cole-Baker <sigmaris@gmail.com>,
"kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
On Fri, Nov 28, 2014 at 1:15 AM, Rick van Rein <rick@openfortress.nl> wrote:
> Hey,
>
> > There were numerous advantages to this approach for our environment,
> however we never deployed it. I should have written a brief paper at the
> time.
>
> You still may ;-)
>
> It would require a new SRV record, and it would confuse Kerberos clients,
> I suspect. But it’s an interesting angle.
>
IIRC, we were going to remove the traditional AS altogether. So a standard
client would need a TGT to start with (retrieved from the TGS, I don't
recall if this was a special case or just treated as an ordinary ticket)
and would only have to or be able to interact with the TGS.
Now I remember the primary advantage -- more extensibility and choices
(even dynamic) of initial authentication methods. But this also led to
follow-on advantages.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
