[6121] in Kerberos
Re: kerberos verifier proxies
daemon@ATHENA.MIT.EDU (Gene Hilborn)
Fri Nov 3 13:22:13 1995
To: kerberos@MIT.EDU
Date: 3 Nov 1995 17:29:12 GMT
From: Gene Hilborn <ghilborn@csc.com>
hartmans@MIT.EDU (Sam Hartman) wrote:
>>>>>> "Gene" == Gene Hilborn <ghilborn@csc.com> writes:
>
> Gene> Does anyone know of an existing product that provides
> Gene> Kerberos proxy services in a firewall to a protected enclave
> Gene> of non-Kerberos servers. The proxy authenticates external
> Gene> Kerberos clients, encrypts and decrypts their data, and
> Gene> relays it in the clear to/from non-Kerberos servers inside
> Gene> the firewall.
>
>
>
> This sounds rather silly to me unless you don't have source
>code to your servers. What I would rather see, were I the system
>administrator, would be two versions of the server, one that takes a
>password in the clear, and one that takes Kerberos tickets--much like
>already exists for POP. You then firewall the non-Kerberos server.
>
>
> Note, not all Kerberos servers protect against all common
>attacks. You should know your servers and their weaknesses before
>developing a security plan.
>
>--Sam
>
The intent of my "verivier" [typo for "verifier"] question was to find
out if anyone knows of a Kerberos verifier proxy product to run in a
firewall architecture with the desired functionality - not to look for
alternative architectures.
Again, does anyone know of such a product?
-GH