[2359] in Kerberos_V5_Development
Re: kerberos through the firewall
daemon@ATHENA.MIT.EDU (Ken Hornstein)
Sun Apr 20 02:12:46 1997
To: Ken Raeburn <raeburn@cygnus.com>
Cc: krbdev@MIT.EDU
In-Reply-To: Your message of "19 Apr 1997 15:20:42 EDT." <tx1bu7azunp.fsf@cygnus.com>
Date: Sun, 20 Apr 1997 02:12:12 -0400
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
>Is there any information that needs to be provided that isn't in the
>clear in the krb5 protocol? I don't have the protocol spec in front
>of me. Could you set up a proxy inside the firewall, have normal krb5
>messages go to it, and let it worry about how to get outside the
>firewall (whether by http or by some other means) and what host or
>hosts to send to on the outside? I think that'd be a much simpler
>solution from the krb5 library side of it, if it works. Then the
>library has no need for the http wrapper or base64 encoding stuff;
>only one pair of applications does.
The real problem is that you need to add an extra IP address in
the ticket (the IP address of the proxy server), since the KDC will
probably send the reply back to the proxy server. Either that, or
you need to specify _no_ IP addresses in the ticket. This means
that you're still outta luck if you don't have the source to your
Kerberos implementation.
--Ken
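The address problem Ken describes, as an added illustration that is not part of the thread: a simplified model (not MIT krb5 code) of the ticket address check, in which an empty address list means no restriction and otherwise the request's source address must appear in the list. The addresses (a client at 10.1.2.3, a proxy at 192.0.2.10) are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class Ticket:
    """Hypothetical, reduced view of a Kerberos ticket: only the fields
    relevant to the address check (client principal and 'caddr' list)."""
    client: str
    caddr: list = field(default_factory=list)  # empty list: no address restriction


def address_ok(ticket: Ticket, source_ip: str) -> bool:
    """Return True if a request presenting `ticket` from `source_ip`
    passes the address check a KDC or application server would apply."""
    if not ticket.caddr:
        return True                      # addressless ticket: usable from anywhere
    allowed = {ip_address(a) for a in ticket.caddr}
    return ip_address(source_ip) in allowed


def proxy_scenarios() -> dict:
    """Constructed scenario: a client inside the firewall relays through
    a proxy, so the outside party sees the proxy's address, not the client's."""
    client_ip, proxy_ip = "10.1.2.3", "192.0.2.10"
    client_only = Ticket("user@EXAMPLE.COM", [client_ip])
    with_proxy = Ticket("user@EXAMPLE.COM", [client_ip, proxy_ip])
    addressless = Ticket("user@EXAMPLE.COM")
    return {
        # direct use from the client still works
        "direct": address_ok(client_only, client_ip),
        # relayed through the proxy: the check sees the proxy address and fails
        "via_proxy": address_ok(client_only, proxy_ip),
        # fix 1: the proxy address was added to the ticket when it was issued
        "via_proxy_listed": address_ok(with_proxy, proxy_ip),
        # fix 2: the ticket carries no addresses at all
        "via_proxy_addressless": address_ok(addressless, proxy_ip),
    }
```

Both fixes require control over what the ticket is issued with, which is why the message notes that a binary-only Kerberos library leaves you stuck.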