[39370] in Kerberos


Re: Looking for a "Kerberos Router"?

daemon@ATHENA.MIT.EDU (Yoann Gini)
Wed Mar 13 10:21:40 2024

From: Yoann Gini <yoann.gini@gmail.com>
Message-Id: <581276BD-9D29-4D8C-A23E-8613493E378B@gmail.com>
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.500.171.1.1\))
Date: Wed, 13 Mar 2024 15:21:20 +0100
In-Reply-To: <202403131416.42DEGRub016309@hedwig.cmf.nrl.navy.mil>
Cc: kerberos@mit.edu
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Hello,

> On 13 March 2024 at 15:16, Ken Hornstein <kenh@cmf.nrl.navy.mil> wrote:
> 
>> Here with Kerberos, I'm wondering how we can achieve something
>> equivalent, using a shared IP for multiple Kerberos realms and having
>> the incoming requests routed to the appropriate backend by some kind of
>> inspection.
> 
> I think that is certainly _possible_, but I don't believe there is
> anything that does that today.  You'd have to parse the Kerberos message
> (which is ASN.1 and there are plenty of things that can handle that)
> and extract out the realm of the server principal and route the message
> appropriately.  

Yes, that's the main option we see so far, but before jumping on the "let's write our own proxy" solution I wanted to be sure that we don't miss something like a proxy feature in a Kerberos implementation or some kind of cascading scenario.

> One thing that leaps out at me is that by default a lot
> of Kerberos messages default to UDP transport so that might be a bit
> trickier to proxy them (but not impossible).

Yes, that's another aspect of the issue; our expectations so far are on support for TCP-only clients. Since it's for mobile users that we are looking to have this support, it shouldn't be an issue.

Thanks.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
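
The realm extraction discussed in this message (parse the ASN.1 request, read the server realm, pick a backend), as an added example that is not part of the original post or of any Kerberos implementation. It assumes TCP-framed AS-REQ/TGS-REQ messages as laid out in RFC 4120; the `BACKENDS` map, the function names and the sample frame are constructed for illustration.

```python
import struct
# Hypothetical realm -> backend KDC map; host names are placeholders.
BACKENDS = {"EXAMPLE.COM": ("kdc-a.example", 88), "EXAMPLE.ORG": ("kdc-b.example", 88)}

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def fields(seq_body):
    """Map context tag number n -> content of each [n] member of a SEQUENCE."""
    out, pos = {}, 0
    while pos < len(seq_body):
        tag, value, pos = read_tlv(seq_body, pos)
        if tag & 0xE0 == 0xA0:              # context class, constructed
            out[tag & 0x1F] = value
    return out

def unwrap(buf, *tags):
    tag, value, _ = read_tlv(buf)
    if tag not in tags:
        raise ValueError(f"unexpected tag {tag:#x}")
    return value

def kdc_req_realm(frame):
    """Realm from req-body [4] -> realm [2] of one TCP-framed AS-REQ or TGS-REQ."""
    (n,) = struct.unpack(">I", frame[:4])   # RFC 4120 TCP framing: 4-byte length
    if n != len(frame) - 4:
        raise ValueError("length prefix does not match frame")
    outer = unwrap(frame[4:], 0x6A, 0x6C)   # [APPLICATION 10] AS-REQ, [12] TGS-REQ
    req_body = unwrap(fields(unwrap(outer, 0x30))[4], 0x30)
    return unwrap(fields(req_body)[2], 0x1B).decode("ascii")  # GeneralString

def route(frame):
    try:                                    # malformed frame or unknown realm -> None
        return BACKENDS.get(kdc_req_realm(frame))
    except (ValueError, IndexError, KeyError, struct.error):
        return None

# Constructed minimal AS-REQ (pvno, msg-type, kdc-options, realm, nonce, etype).
SAMPLE = (bytes.fromhex("000000366a343032a103020105a20302010aa4263024a00703050000000000a20d1b0b")
          + b"EXAMPLE.COM" + bytes.fromhex("a703020101a8053003020112"))
```

The realm field in the request body is sent in the clear and is not authenticated at this point, so a proxy should use it only to choose a backend and drop anything that does not map to a configured realm; the selected KDC still performs the actual authentication.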