
Re: PPTP / L2TP with Kerberos -- what specs does it follow?

daemon@ATHENA.MIT.EDU (Benjamin Kaduk)
Sat Nov 29 15:48:52 2014

Date: Sat, 29 Nov 2014 15:48:43 -0500 (EST)
From: Benjamin Kaduk <kaduk@mit.edu>
To: Frank Cusack <frank@linetwo.net>
In-Reply-To: <CAAyYNQjfsKNxCDp-TFdHAwJsL4MKKE5YUR_C8N0z_w386tofjA@mail.gmail.com>
Message-ID: <alpine.GSO.1.10.1411291546030.23489@multics.mit.edu>
MIME-Version: 1.0
Cc: Hugh Cole-Baker <sigmaris@gmail.com>,
        "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Sorry to focus in on just a single offhand remark, but ...

On Fri, 28 Nov 2014, Frank Cusack wrote:

> implemented/supported/documented.  It would require the KDC to be out in
> the open (to get the ticket used for the VPN auth) and most folks aren't
> going to do that.

... can you say more about *why* most folks aren't going to do that?

We have our KDC open to the public here at MIT, and the Kerberos protocol
is explicitly designed to be usable over public (untrusted) networks.

Now, if users are using weak passwords, this can cause problems, but there
are technologies to work around those as well, such as FAST tunnels or an
https proxy, or even passwordless authentication such as via PKINIT.

We would really like to understand better (and hopefully counter) this
idea that KDCs should not be exposed to the public internet.

Thanks,

Ben
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
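The mitigations Ben lists (an HTTPS proxy in front of the KDC, PKINIT, and pre-authentication so weak passwords are not exposed to offline guessing) can all be expressed in MIT krb5 configuration. The fragment below is an added illustration, not configuration from MIT or from anyone on the thread; the realm EXAMPLE.COM, the host names and the file paths are constructed placeholders.

```ini
# ---- krb5.conf (client side) ----
# Clients never speak raw KRB-KDC-REQ to the internet: all traffic is
# wrapped in the MS-KKDCP HTTPS proxy protocol (supported since krb5 1.13).
[libdefaults]
    default_realm = EXAMPLE.COM
    # Reject weak enctypes so a captured exchange is not cheap to attack offline.
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
    EXAMPLE.COM = {
        # An https:// KDC URL selects the KKDCP transport.
        kdc = https://kdcproxy.example.com/KdcProxy
        admin_server = https://kdcproxy.example.com/KdcProxy
        # Pin the proxy's CA rather than trusting the system store.
        http_anchors = FILE:/etc/krb5/kdcproxy-ca.pem
        # Trust anchor for the KDC's PKINIT certificate (passwordless login).
        pkinit_anchors = FILE:/etc/krb5/kdc-ca.pem
    }

# ---- kdc.conf (KDC side) ----
# New principals get +preauth by default, so the KDC will not hand out a
# password-encrypted AS-REP to an unauthenticated requester; combined with
# PKINIT (or FAST armor from a host key) the password never protects traffic
# that an eavesdropper on the public network could see.
[realms]
    EXAMPLE.COM = {
        default_principal_flags = +preauth
        pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.pem,/var/kerberos/krb5kdc/kdc.key
        pkinit_anchors = FILE:/etc/krb5/kdc-ca.pem
        supported_enctypes = aes256-cts:normal aes128-cts:normal
    }
```

With this layout only the HTTPS proxy needs a public listener, and existing principals created before the change should have `+requires_preauth` set with kadmin's `modprinc`.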
