[2355] in Kerberos_V5_Development
Re: kerberos through the firewall
daemon@ATHENA.MIT.EDU (Jeffrey Hutzelman)
Sat Apr 19 13:25:23 1997
Date: Sat, 19 Apr 1997 13:24:55 -0400 (EDT)
From: Jeffrey Hutzelman <jhutz+@cmu.edu>
Reply-To: Jeffrey Hutzelman <jhutz+@cmu.edu>
To: krbdev@MIT.EDU
In-Reply-To: <199704191415.KAA16035@postman.osf.org>
> Example: for one vendor we are collaborating with, it would take 2-3
> months to have such a change approved and executed (yes, it's true!).
You have a vendor that's that paranoid, but lets HTTP connections
through? That _is_ a little hard to believe...
> As you said, it's not much of a problem for the firewall
> administrator. However, it is a problem for the common user who
> doesn't know what Kerberos is or how to "poke a hole in the firewall"
> and shouldn't have to know. The idea is, users at any level, in any
> organization, can simply install a kerberized client and it should
> "just work".
I'm sorry, but I have to disagree. The "common user" you speak of,
who doesn't know how to configure his/her firewall, shouldn't be
responsible for doing so. Sites that depend _that_ heavily on their
firewall for security...
1) Should have someone configuring it who knows what he's doing
2) Probably shouldn't be letting HTTP through
3) Should have their heads examined
OK; that last one's just my personal opinion. Even so, organizations
that use firewalls are making a conscious choice to severely restrict
the abilities of their users to communicate with the outside world,
in exchange for a perceived increase in security. Your proposal is
essentially to tunnel Kerberos inside HTTP (which was never designed
for that purpose) in order to circumvent that...
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA