[39369] in Kerberos


Re: Looking for a "Kerberos Router"?

daemon@ATHENA.MIT.EDU (Ken Hornstein via Kerberos)
Wed Mar 13 10:16:42 2024

Message-Id: <202403131416.42DEGRub016309@hedwig.cmf.nrl.navy.mil>
To: Yoann Gini <yoann.gini@gmail.com>
cc: kerberos@mit.edu
In-Reply-To: <CD4C5157-C1DF-4AAB-9DA1-F54FEF928266@gmail.com>
MIME-Version: 1.0
Date: Wed, 13 Mar 2024 10:16:27 -0400
From: Ken Hornstein via Kerberos <kerberos@mit.edu>
Reply-To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

>Here with Kerberos, I'm wondering how we can achieve something
>equivalent, using a shared IP for multiple Kerberos realms and having
>the incoming requests routed to the appropriate backend by some kind of
>inspection.

I think that is certainly _possible_, but I don't believe there is
anything that does that today.  You'd have to parse the Kerberos message
(which is ASN.1 and there are plenty of things that can handle that)
and extract out the realm of the server principal and route the message
appropriately.  One thing that leaps out at me is that by default a lot
of Kerberos messages default to UDP transport so that might be a bit
trickier to proxy them (but not impossible).

--Ken
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
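
The parsing step described in the message above, as an added example that is not code from the poster or from any Kerberos project: it reads the `realm` field of the `req-body` in an AS-REQ or TGS-REQ (the server's realm per RFC 4120) and looks it up in a routing table. The backend addresses, realm names, function names and the sample request bytes are constructed for illustration.

```python
BACKENDS = {"EXAMPLE.COM": ("10.0.0.10", 88), "CORP.EXAMPLE": ("10.0.0.20", 88)}  # constructed
SAMPLE_AS_REQ = (  # constructed 76-byte AS-REQ as it would appear in a UDP payload
    b"\x6a\x4a\x30\x48\xa1\x03\x02\x01\x05\xa2\x03\x02\x01\x0a\xa4\x3c\x30\x3a"
    b"\xa0\x07\x03\x05\x00\x40\x00\x00\x00\xa2\x0d\x1b\x0b" b"EXAMPLE.COM"
    b"\xa5\x11\x18\x0f" b"19700101000000Z" b"\xa7\x06\x02\x04\x12\x34\x56\x78"
    b"\xa8\x05\x30\x03\x02\x01\x12")

def read_tlv(buf, pos, end):
    """Return (tag, value_start, value_end) of the DER element at pos, bounded by end."""
    if pos + 2 > end or buf[pos] & 0x1F == 0x1F:
        raise ValueError("truncated header or unsupported multi-byte tag")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > end:
            raise ValueError("bad length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > end:
        raise ValueError("element overruns its container")
    return tag, pos, pos + length

def find(buf, start, end, want):
    """Return the value span of the first element tagged `want` inside buf[start:end]."""
    while start < end:
        tag, vs, ve = read_tlv(buf, start, end)
        if tag == want:
            return vs, ve
        start = ve
    raise ValueError(f"tag {want:#x} not present")

def kdc_req_realm(msg, tcp=False):
    """Extract req-body.realm from an AS-REQ or TGS-REQ (KDC-REQ, RFC 4120)."""
    if tcp:  # over TCP each message carries a 4-byte big-endian length prefix
        if len(msg) < 4 or int.from_bytes(msg[:4], "big") != len(msg) - 4:
            raise ValueError("bad TCP length prefix")
        msg = msg[4:]
    tag, s, e = read_tlv(msg, 0, len(msg))
    if tag not in (0x6A, 0x6C):  # [APPLICATION 10] AS-REQ, [APPLICATION 12] TGS-REQ
        raise ValueError("not a KDC-REQ")
    for want in (0x30, 0xA4, 0x30, 0xA2, 0x1B):  # SEQUENCE, req-body [4], SEQUENCE, realm [2], GeneralString
        s, e = find(msg, s, e, want)
    return msg[s:e].decode("ascii")

def route(msg, tcp=False):
    """Return the backend KDC for a request, or None when the proxy should drop it."""
    try:
        return BACKENDS.get(kdc_req_realm(msg, tcp))
    except ValueError:  # malformed, truncated, non-ASCII realm, or not a KDC-REQ
        return None
```

The realm is read from an unauthenticated request, so it serves only as a routing hint: the table acts as an allowlist, and anything malformed or naming an unlisted realm is dropped rather than forwarded.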
