[2353] in Kerberos_V5_Development
Re: kerberos through the firewall
daemon@ATHENA.MIT.EDU (Ken Hornstein)
Sat Apr 19 00:51:55 1997
To: Doug MacEachern <dougm@opengroup.org>
Cc: krbdev@MIT.EDU
In-Reply-To: Your message of "Fri, 18 Apr 1997 16:36:43 EDT."
<199704182036.QAA32459@postman.osf.org>
Date: Sat, 19 Apr 1997 00:32:57 -0400
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
>As you know, this is a problem area for many organizations for various
>reasons. We've implemented a simple and flexible solution, which
>requires (minimal) changes to the kerberos libraries. I've included
>some brief design and implementation notes below for comment. If
>anyone is interested in trying the patches against krb5-1.0 or
>krb5-nt-alpha2 and the "krb5gw" program, let me know.

One point:

While I'm all for modifying the client programs to improve
functionality, I have a real problem with modifying the actual _protocol_
itself, since that is the one thing that's constant across all
Kerberos implementations. For example, how do I change my cisco
router to use this new protocol? (It's not like Kerberos actually
_works_ on a cisco, but it might someday :-) ).

Speaking as someone who used to administrate a firewall (but I'll
certainly admit it wasn't the best :-) ) .... is there really a
problem with opening up UDP port 88?

--Ken