RE: Kerberos outside the firewall
From: "Nordgren, Bryce L -FS" <bnordgren@fs.fed.us>
To: Russ Allbery <eagle@eyrie.org>
Date: Tue, 2 Dec 2014 03:25:36 +0000
Message-ID: <82E7C9A01FD0764CACDD35D10F5DFB6E75CC98@001FSN2MPN1-044.001f.mgd2.msft.net>
In-Reply-To: <877fyalxp6.fsf@hope.eyrie.org>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
> But desktop/workstation logins and fileservers are generally *also* not
> allowed outside of a VPN, so I don't understand what you're gaining.
There simply is no one VPN to cover all the actors.
I am not speaking hypothetically or "generally". The meat and potatoes of this research organization is to collaborate with external users who cannot access our VPN. To share terabytes of data. And process it. With something that's not a website. The absolute number one obstacle to getting work done is exactly the sentiment you just expressed. I would also be willing to bet that the lack of Kerberos IDs outside the firewall is due to this sentiment running rampant. If there's nothing to be gained by exposing the KDC, why do it? It's not necessarily a lack of education; it could merely be due to the belief that the primary consumers of Kerberos IDs are things which are not allowed outside of their VPN. That is a self-fulfilling prophecy which affords no opportunity for correction.
Hence, issuing a TGT to an ID which _is_ exposed.
Bryce
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos