Re: Looking for a "Kerberos Router"?

2024-03-13 Thread Brent Kimberley via Kerberos
The site philosophy can be expressed as fail open / fail closed / fail safe / fail deadly... From: Brent Kimberley Sent: Wednesday, March 13, 2024 5:41:58 PM To: Simo Sorce ; Yoann Gini ; Ken Hornstein Cc: kerberos@mit.edu Subject: RE: Looking for a "Kerberos Rou

RE: Looking for a "Kerberos Router"?

2024-03-13 Thread Brent Kimberley via Kerberos
To the best of my knowledge, all IPv6 ports should be closed by design and only opened if/when approved. -Original Message- From: Kerberos On Behalf Of Simo Sorce Sent: Wednesday, March 13, 2024 4:48 PM To: Yoann Gini ; Ken Hornstein Cc: kerberos@mit.edu Subject: Re: Looking for a "Kerb

Re: Looking for a "Kerberos Router"?

2024-03-13 Thread Simo Sorce
This is well tested: https://github.com/latchset/kdcproxy On Wed, 2024-03-13 at 17:32 +0100, Yoann Gini wrote: > > > On 13 Mar 2024 at 17:21, Ken Hornstein wrote: > > > > It does occur to me that maybe if you have different KDC hostnames but > > the same IP address you could use TLS SNI or

Re: Looking for a "Kerberos Router"?

2024-03-13 Thread Paul Cayley via Kerberos
See RFC 4559 and related  MS support keep via https Quest Vintela and others field kit that supports this IBM and SiteMinder have guidance and support On Wednesday, March 13, 2024, 9:56 AM, Brent Kimberley via Kerberos wrote: [MS-KKDCP]: Kerberos Key Distribution Center (KDC) Proxy Protocol h

Stateless PKINIT?

2024-03-13 Thread Yoann Gini
Hello, I'm trying to achieve a deployment of Kerberos and PKINIT as some sort of authentication proxy. I'm working for an IDP startup. Is there a way when using PKINIT to not need any internal list of principals but to rely on the validity of the certificate to proxy the certificate identity i

RE: Looking for a "Kerberos Router"?

2024-03-13 Thread Brent Kimberley via Kerberos
[MS-KKDCP]: Kerberos Key Distribution Center (KDC) Proxy Protocol https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kkdcp/5bcebb8d-b747-4ee5-9453-428aec1c5c38?source=recommendations 1 Introduction The Kerberos Key Distribution Center (KDC) Proxy Protocol (KKDCP) is used by an HTTP-ba

Re: Looking for a "Kerberos Router"?

2024-03-13 Thread Yoann Gini
> On 13 Mar 2024 at 17:21, Ken Hornstein wrote: > > It does occur to me that maybe if you have different KDC hostnames but > the same IP address you could use TLS SNI or hostname routing which > you indicated you already use and maybe that would be simpler? That > presumes the client implem

Re: Looking for a "Kerberos Router"?

2024-03-13 Thread Ken Hornstein via Kerberos
>Looking at Apple documentation I see the support for something I had >never heard of: Kerberos Key Distribution Center Proxy. > >Looks like a solution to encapsulate Kerberos requests into an HTTPS. > >Any experience on this here? I personally have not used that, but I know that MIT Kerberos supp

Re: Looking for a "Kerberos Router"?

2024-03-13 Thread Yoann Gini
Looking at Apple documentation I see the support for something I had never heard of: Kerberos Key Distribution Center Proxy. Looks like a solution to encapsulate Kerberos requests into an HTTPS. Any experience on this here? Kerberos mailing list

Re: Looking for a "Kerberos Router"?

2024-03-13 Thread Ken Hornstein via Kerberos
>> A long time ago we had developed a small Kerberos proxy that forwarded >> on Kerberos messages by prepending the source IP address/port to the >> UDP message (our KDC at the time was modified to recognize this and >> sent the prepended bytes back to the proxy so it could send it to the >> correc

Re: Looking for a "Kerberos Router"?

2024-03-13 Thread Yoann Gini
> On 13 Mar 2024 at 15:52, Ken Hornstein wrote: > >>> One thing that leaps out at me is that by default a lot of Kerberos >>> messages default to UDP transport so that might be a bit trickier to >>> proxy them (but not impossible). >> >> Yes, that's another aspect of the issue, our expectat

Re: Looking for a "Kerberos Router"?

2024-03-13 Thread Yoann Gini
> On 13 Mar 2024 at 15:44, Marco Rebhan wrote: > >> On 13. Mar 2024, at 12:48, Yoann Gini > > wrote: >> >> Which allows us to have end-to-end TLS communication between our customers >> and their tenant. Which is mandatory for our mTLS. But without consuming one

Re: Looking for a "Kerberos Router"?

2024-03-13 Thread Ken Hornstein via Kerberos
>> One thing that leaps out at me is that by default a lot of Kerberos >> messages default to UDP transport so that might be a bit trickier to >> proxy them (but not impossible). > >Yes, that's another aspect of the issue, our expectations so far are on >support for TCP only clients. Since it's for

Re: Looking for a "Kerberos Router"?

2024-03-13 Thread Marco Rebhan via Kerberos
> On 13. Mar 2024, at 12:48, Yoann Gini wrote: > > Which allows us to have end-to-end TLS communication between our customers and > their tenant. Which is mandatory for our mTLS. But without consuming one > public IP per tenant to keep cost under control. > > Here with Kerberos, I'm wondering h

Re: Looking for a "Kerberos Router"?

2024-03-13 Thread Yoann Gini
Hello, > On 13 Mar 2024 at 15:16, Ken Hornstein wrote: > >> Here with Kerberos, I'm wondering how we can achieve something >> equivalent, using a shared IP for multiple Kerberos realms and having >> the incoming requests routed to the appropriate backend by some kind of >> inspection. > > I

Re: Looking for a "Kerberos Router"?

2024-03-13 Thread Ken Hornstein via Kerberos
>Here with Kerberos, I'm wondering how we can achieve something >equivalent, using a shared IP for multiple Kerberos realms and having >the incoming requests routed to the appropriate backend by some kind of >inspection. I think that is certainly _possible_, but I don't believe there is anything t

Looking for a "Kerberos Router"?

2024-03-13 Thread Yoann Gini
Hello, I'm looking for a way to "route" Kerberos requests incoming to a single IP to different backends depending on the requested realms. This issue I'm trying to solve is related to the scalability of automated deployment for new Kerberos realms on a cloud infrastructure. My company is an IDP