[6069] in Kerberos
Re: kerberos verifier proxies
daemon@ATHENA.MIT.EDU (Sam Hartman)
Mon Oct 30 19:12:45 1995
To: Gene Hilborn <ghilborn@csc.com>
Cc: kerberos@MIT.EDU
In-Reply-To: Your message of "30 Oct 1995 15:18:02 GMT."
<472qba$pqd@post.gsfc.nasa.gov>
Date: Mon, 30 Oct 1995 18:55:22 EST
From: Sam Hartman <hartmans@MIT.EDU>

>>>>> "Gene" == Gene Hilborn <ghilborn@csc.com> writes:

Gene> Does anyone know of an existing product that provides
Gene> Kerberos proxy services in a firewall to a protected enclave
Gene> of non-Kerberos servers. The proxy authenticates external
Gene> Kerberos clients, encrypts and decrypts their data, and
Gene> relays it in the clear to/from non-Kerberos servers inside
Gene> the firewall.

This sounds rather silly to me unless you don't have source
code to your servers. What I would rather see, were I the system
administrator, would be two versions of the server, one that takes a
password in the clear, and one that takes Kerberos tickets--much like
already exists for POP. You then firewall the non-Kerberos server.

Note, not all Kerberos servers protect against all common
attacks. You should know your servers and their weaknesses before
developing a security plan.

--Sam