[39398] in Kerberos
Looking for a "Kerberos Router"?
daemon@ATHENA.MIT.EDU (Jonas via Kerberos)
Wed Mar 20 09:15:14 2024
Date: Wed, 20 Mar 2024 13:13:27 +0000
To: "kerberos@mit.edu" <kerberos@mit.edu>
Message-ID: <Q9tuM1iydPxquBNHTDuxYmzM4dD69K4ZTn5u1hfIbqDaqiCXnIXp1grUf3nCB_gSBX_vrsao0uPqNt417afv1I8vTqiskme0B1JKgOWOcJI=@protonmail.com>
From: Jonas via Kerberos <kerberos@mit.edu>
Reply-To: Jonas <jonas.repo@protonmail.com>
Thank you, I will put this to the test.
This is well tested:
https://github.com/latchset/kdcproxy
On Wed, 2024-03-13 at 17:32 +0100, Yoann Gini wrote:
> On 13 March 2024 at 17:21, Ken Hornstein wrote:
>
>> It does occur to me that maybe if you have different KDC hostnames but
>> the same IP address you could use TLS SNI or hostname routing which
>> you indicated you already use and maybe that would be simpler? That
>> presumes the client implementations set the SNI field (I see that it
>> does send a "Host" header, and it looks like MIT Kerberos does set the
>> SNI hostname).
>
> This is what I have in mind looking at the documentation of kkdcp (reading as exchanging here). Using SNI to select the KDC.
>
> I will give it a try, it looks like the option I need here.
>
> And yes, all of those complexities would have been avoided by network teams just supporting IPv6 and not blocking random ports for no reason…
>
>>>> One thing that leaps out at me is that by default a lot of Kerberos
>>>> messages default to UDP transport so that might be a bit trickier to
>>>> proxy them (but not impossible).
>>>
>>> Yes, that's another aspect of the issue, our expectations so far are on
>>> support for TCP only clients. Since it's for mobile users that we are
>>> looking to have this support, it shouldn't be an issue.
>>
>> I would caution you that I think that is something you're going to have
>> to grapple with much sooner than you think.
>>
>> A long time ago we had developed a small Kerberos proxy that forwarded
>> on Kerberos messages by prepending the source IP address/port to the
>> UDP message (our KDC at the time was modified to recognize this
>> and sent the prepended bytes back to the proxy so it could send it to
>> the correct originator).
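Added example (an editor's illustration, not code from this thread, from kdcproxy or from MIT Kerberos): the KKDCP wrapper that the "kkdcp" plan above and kdcproxy rely on, in Python. A relay next to a UDP/TCP-only client wraps each Kerberos datagram in a KDC-PROXY-MESSAGE and POSTs it over HTTPS; the proxy unwraps it and picks a KDC from target-domain, falling back to the TLS SNI / Host name as Ken suggests. The ASN.1 structure (kerb-message [0] OCTET STRING carrying the 4-byte length plus the Kerberos message, target-domain [1] KerberosString OPTIONAL, dclocator-hint [2] INTEGER OPTIONAL) is MS-KKDCP's; REALM_ROUTES, HOST_ROUTES, FAKE_AS_REQ and all function names are constructed for the example.

```python
"""KDC-PROXY-MESSAGE (MS-KKDCP) wrap/unwrap plus KDC selection.
Added example, not code from the thread, kdcproxy or MIT Kerberos; the
routing tables and the stand-in AS-REQ bytes below are constructed."""
from __future__ import annotations

SEQUENCE, OCTET_STRING, INTEGER, GENERAL_STRING = 0x30, 0x04, 0x02, 0x1B
CTX0, CTX1, CTX2 = 0xA0, 0xA1, 0xA2  # explicit context tags [0] [1] [2]


def _tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + value


def _read_tlv(buf: bytes, off: int) -> tuple[int, bytes, int]:
    """Decode the TLV at buf[off]; reject truncation and indefinite lengths."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first, off = buf[off], buf[off + 1], off + 2
    length = first
    if first & 0x80:
        nb = first & 0x7F  # 0 would be the indefinite form, which DER forbids
        if nb == 0 or nb > 4 or off + nb > len(buf):
            raise ValueError("indefinite or oversized long-form length")
        length, off = int.from_bytes(buf[off:off + nb], "big"), off + nb
    if off + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[off:off + length], off + length


def wrap_kkdcp(udp_msg: bytes, target_domain: str | None = None,
               dclocator_hint: int | None = None) -> bytes:
    """Relay side: UDP datagram -> KDC-PROXY-MESSAGE. The UDP payload has no
    length prefix, so the 4-byte big-endian TCP framing is added first."""
    framed = len(udp_msg).to_bytes(4, "big") + udp_msg
    body = _tlv(CTX0, _tlv(OCTET_STRING, framed))
    if target_domain is not None:
        body += _tlv(CTX1, _tlv(GENERAL_STRING, target_domain.encode("ascii")))
    if dclocator_hint is not None:  # DC locator flag bits
        nb = max(1, (dclocator_hint.bit_length() + 8) // 8)  # keep sign bit clear
        body += _tlv(CTX2, _tlv(INTEGER, dclocator_hint.to_bytes(nb, "big", signed=True)))
    return _tlv(SEQUENCE, body)


def unwrap_kkdcp(blob: bytes) -> tuple[bytes, str | None, int | None]:
    """Proxy side: strict parse -> (tcp_framed_msg, target_domain, hint).
    Fields must be in order, at most once, with a matching inner length."""
    tag, seq, end = _read_tlv(blob, 0)
    if tag != SEQUENCE or end != len(blob):
        raise ValueError("expected exactly one KDC-PROXY-MESSAGE SEQUENCE")
    krb_msg, domain, hint, off, last = None, None, None, 0, 0
    while off < len(seq):
        ctag, inner, off = _read_tlv(seq, off)
        if ctag <= last:
            raise ValueError("fields out of order or duplicated")
        last = ctag
        itag, val, iend = _read_tlv(inner, 0)
        if iend != len(inner):
            raise ValueError("trailing bytes inside explicit tag")
        if ctag == CTX0 and itag == OCTET_STRING:
            if len(val) < 4 or int.from_bytes(val[:4], "big") != len(val) - 4:
                raise ValueError("kerb-message length prefix does not match payload")
            krb_msg = val
        elif ctag == CTX1 and itag == GENERAL_STRING:
            domain = val.decode("ascii")
        elif ctag == CTX2 and itag == INTEGER:
            hint = int.from_bytes(val, "big", signed=True)
        else:
            raise ValueError(f"unexpected field {ctag:#x}/{itag:#x}")
    if krb_msg is None:
        raise ValueError("kerb-message is mandatory")
    return krb_msg, domain, hint


def rejects(blob: bytes) -> bool:
    """True if unwrap_kkdcp refuses blob; used to exercise the checks."""
    try:
        unwrap_kkdcp(blob)
    except ValueError:
        return True
    return False


# Constructed routing tables (assumption, not real infrastructure): honour
# target-domain first, then fall back to the TLS SNI / Host name.
REALM_ROUTES = {"EXAMPLE.COM": ("kdc1.example.com", 88)}
HOST_ROUTES = {"kerb.example.net": ("kdc.example.net", 88)}


def select_kdc(target_domain: str | None, sni_host: str | None) -> tuple[str, int]:
    if target_domain and target_domain.upper() in REALM_ROUTES:
        return REALM_ROUTES[target_domain.upper()]
    if sni_host and sni_host.lower() in HOST_ROUTES:
        return HOST_ROUTES[sni_host.lower()]
    raise LookupError("no KDC for this realm or SNI name; refuse rather than guess")


# Stand-in AS-REQ: only the [APPLICATION 10] outer tag is real, the body is filler.
FAKE_AS_REQ = b"\x6a\x03\x30\x01\x00"

if __name__ == "__main__":
    blob = wrap_kkdcp(FAKE_AS_REQ, "EXAMPLE.COM", 0)
    framed, realm, _ = unwrap_kkdcp(blob)
    print(blob.hex(), select_kdc(realm, None), framed[4:] == FAKE_AS_REQ)
```

The parse is deliberately strict (ordered fields, exactly one value per explicit tag, the inner 4-byte length checked against the payload) because the proxy sits on the untrusted side of the network edge and hands the inner bytes to a KDC over TCP; the HTTPS POST that carries the blob, and the reply path that strips the 4-byte prefix again before sending a UDP datagram back to the client, are outside the example.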
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos