[2354] in Kerberos_V5_Development
Re: kerberos through the firewall
daemon@ATHENA.MIT.EDU (Doug MacEachern)
Sat Apr 19 10:18:31 1997
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Cc: krbdev@MIT.EDU
In-Reply-To: Your message of "Sat, 19 Apr 1997 00:32:57 EDT."
<199704190432.AAA13587@ginger.cmf.nrl.navy.mil>
Date: Sat, 19 Apr 1997 10:15:13 -0400
From: Doug MacEachern <dougm@opengroup.org>
Ken Hornstein <kenh@cmf.nrl.navy.mil> wrote:
> >As you know, this is a problem area for many organizations for various
> >reasons. We've implemented a simple and flexible solution, which
> >requires (minimal) changes to the kerberos libraries. I've included
> >some brief design and implementation notes below for comment. If
> >anyone is interested in trying the patches against krb5-1.0 or
> >krb5-nt-alpha2 and the "krb5gw" program, let me know.
>
> One point:
>
> While I'm all for modifying the client programs to improve
> functionality, I have a real problem with modifying the actual _protocol_
> itself, since that is the one thing that's constant across all
> Kerberos implementations. For example, how do I change my cisco
> router to use this new protocol? (It's not like Kerberos actually
> _works_ on a cisco, but it might someday :-) ).
The modifications to the kerberos implementation only add a couple of
hooks to plug in new transport methods; the default remains as it
always has been, UDP 88. The protocol itself has not been changed.
>
> Speaking as someone who used to administrate a firewall (but I'll
> certainly admit it wasn't the best :-) ) .... is there really a
> problem with opening up UDP port 88?
Example: for one vendor we are collaborating with, it would take 2-3
months to have such a change approved and executed (yes, it's true!).
As you said, it's not much of a problem for the firewall
administrator. However, it is a problem for the common user who
doesn't know what Kerberos is or how to "poke a hole in the firewall"
and shouldn't have to know. The idea is, users at any level, in any
organization, can simply install a kerberized client and it should
"just work".
-Doug
>
> --Ken
>
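The transport-hook idea Doug describes above (leave the Kerberos message and the library's call site alone, swap only the carrier, with UDP 88 as the default) can be illustrated with a small self-contained model. This is an added example written for this archive page; it is not code from the krb5 patches or the "krb5gw" program, whose design notes are not reproduced here. The length-prefixed TCP framing, the FakeKdc/FakeGateway classes, the ephemeral localhost ports and the SAMPLE_AS_REQ bytes are all assumptions made for the demo.

```python
"""Pluggable KDC transport: the KDC-REQ bytes are untouched, only the carrier changes."""
import socket
import struct
import threading

# Constructed placeholder for a DER-encoded AS-REQ (0x6a is the real APPLICATION 10 tag,
# the rest is made up). The transport layer never looks inside it, which is exactly
# what keeps the protocol unchanged.
SAMPLE_AS_REQ = b"\x6a\x0bAS-REQ:demo"


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-frame")
        buf += chunk
    return buf


def _recv_frame(sock):
    (n,) = struct.unpack("!I", _recv_exact(sock, 4))
    return _recv_exact(sock, n)


class UdpTransport:
    """Default transport: one datagram to the KDC (UDP 88 in production; the demo
    passes an ephemeral port so it runs unprivileged)."""
    def __init__(self, host, port, timeout=2.0):
        self.addr, self.timeout = (host, port), timeout

    def exchange(self, request):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(self.timeout)
            s.sendto(request, self.addr)
            reply, _ = s.recvfrom(65535)
        return reply


class TcpGatewayTransport:
    """Hypothetical plug-in transport: carry the same datagram through a TCP gateway
    using a 4-byte big-endian length prefix (an assumed framing, not krb5gw's)."""
    def __init__(self, host, port, timeout=2.0):
        self.addr, self.timeout = (host, port), timeout

    def exchange(self, request):
        with socket.create_connection(self.addr, timeout=self.timeout) as s:
            s.sendall(struct.pack("!I", len(request)) + request)
            return _recv_frame(s)


def kdc_exchange(request, transport=None):
    """The library hook point: callers keep calling this; only the transport changes."""
    if transport is None:                      # unchanged default: UDP 88
        transport = UdpTransport("127.0.0.1", 88)
    return transport.exchange(request)


class FakeKdc(threading.Thread):
    """Stand-in KDC: records each request and answers with a constructed reply."""
    def __init__(self):
        super().__init__(daemon=True)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind(("127.0.0.1", 0))
        self.port = self.sock.getsockname()[1]
        self.seen = []

    def run(self):
        while True:
            data, peer = self.sock.recvfrom(65535)
            self.seen.append(data)
            self.sock.sendto(b"\x6b" + data[1:], peer)  # swap in the AS-REP tag (0x6b)


class FakeGateway(threading.Thread):
    """TCP listener inside the firewall that relays frames to the KDC over UDP."""
    def __init__(self, kdc_port):
        super().__init__(daemon=True)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.kdc = UdpTransport("127.0.0.1", kdc_port)

    def run(self):
        while True:
            conn, _ = self.sock.accept()
            with conn:
                rep = self.kdc.exchange(_recv_frame(conn))
                conn.sendall(struct.pack("!I", len(rep)) + rep)


def run_demo():
    """Send the same request directly and via the gateway; return what came back
    and what the KDC actually received on the wire."""
    kdc = FakeKdc(); kdc.start()
    gw = FakeGateway(kdc.port); gw.start()
    direct = kdc_exchange(SAMPLE_AS_REQ, UdpTransport("127.0.0.1", kdc.port))
    via_gw = kdc_exchange(SAMPLE_AS_REQ, TcpGatewayTransport("127.0.0.1", gw.port))
    return {"direct": direct, "via_gateway": via_gw, "kdc_saw": list(kdc.seen)}
```

The point to check is in `kdc_saw`: both paths deliver byte-identical KDC-REQs, so a KDC (or a router that only speaks UDP 88) needs no change; the gateway is purely a firewall-side carrier, and the client's only difference is which transport object it was handed.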