On 9/28/21 2:31 PM, Charles Hedrick wrote:
> If all the proxy is doing is forwarding content, it might work. But in that case it’s not obvious how much security we’re gaining by the proxy. It may be that just enabling access directly to port 88 would be as good. (I control the network, mostly.) Any sense how risky it is to expose port 88 to the internet?

I was assuming that the proxy would have its own authentication requirements. Thus the proxy would act somewhat like a bouncer in front of the KDC.

Somewhat like putting the KDC behind a VPN or SPI w/ port knocking. -- Allow people that have some modicum of knowledge access to the KDC while preventing any Joe Random on the Internet from accessing the KDC.



--
Grant. . . .
unix || die


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
