[2358] in Kerberos_V5_Development
Re: kerberos through the firewall
daemon@ATHENA.MIT.EDU (Ken Hornstein)
Sun Apr 20 02:06:41 1997
To: Doug MacEachern <dougm@opengroup.org>
Cc: krbdev@MIT.EDU
In-Reply-To: Your message of "Sat, 19 Apr 1997 10:15:13 EDT."
<199704191415.KAA16035@postman.osf.org>
Date: Sun, 20 Apr 1997 02:06:05 -0400
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
>The modifications to the kerberos implementation only add a couple of
>hooks to plugin new transport methods, the default remains as it
>always has been, UDP 88. The protocol itself has not been changed.
Okay, perhaps I didn't make myself clear:
How can I get this to work on systems that I don't have the source for?
(i.e. - our cisco router).
>Example: for one vendor we are collaborating with, it would take 2-3
>months to have such a change approved and executed (yes, it's true!).
As other people have said: it boggles my mind that a site could be that
paranoid and yet let HTTP through. I have no doubt that such places
exist, though, and I've personally dealt with my share of incompetent
firewall administrators in my day. At least I was able to explain
Kerberos enough to them that we got the right holes poked into the
firewall so Kerberos would work.
(Amusing firewall anecdote: I got asked for the source to kinit so one
site "could modify it so it worked with our firewall". I pointed them
to the MIT ftp server and said, "Have fun". Haven't heard back from
them yet :-) ).
I'm sorry, but I think this is a horrible idea (especially when applied
to Kerberos only - a generic "IP over HTTP" is horrible too, but at
least it's more general). The only thing that your proposal solves is
social issues, not technical ones.
>As you said, it's not much of a problem for the firewall
>administrator. However, it is a problem for the common user who
>doesn't know what Kerberos is or how to "poke a hole in the firewall"
>and shouldn't have to know. The idea is, users at any level, in any
>organization, can simply install a kerberized client and it should
>"just work".
Well, certainly the common user has to know _something_ about Kerberos;
otherwise they'll get a nasty surprise when their tickets expire.
But if I was a firewall administrator, I'd be rather upset to discover
that someone was using HTTP-encapsulated-data to circumvent our firewall.
--Ken