[39378] in Kerberos

Re: Looking for a "Kerberos Router"?

daemon@ATHENA.MIT.EDU (Yoann Gini)
Wed Mar 13 12:32:26 2024

From: Yoann Gini <yoann.gini@gmail.com>
Message-Id: <08C219DB-7B64-48FD-A500-3A043BDED825@gmail.com>
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.500.171.1.1\))
Date: Wed, 13 Mar 2024 17:32:18 +0100
In-Reply-To: <202403131621.42DGLZEE017497@hedwig.cmf.nrl.navy.mil>
Cc: kerberos@mit.edu
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit



> On 13 March 2024 at 17:21, Ken Hornstein <kenh@cmf.nrl.navy.mil> wrote:
> 
> It does occur to me that maybe if you have different KDC hostnames but
> the same IP address you could use TLS SNI or hostname routing which
> you indicated you already use and maybe that would be simpler?  That
> presumes the client implementations set the SNI field (I see that it
> does send a "Host" header, and it looks like MIT Kerberos does set the
> SNI hostname).

This is what I have in mind looking at the documentation of kkdcp (reading as exchanging here). Using SNI to select the KDC.

I will give it a try, it looks like the option I need here.

And yes, all of those complexities would have been avoided by network teams just supporting IPv6 and not blocking random ports for no reason…
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
