On 9/28/21 2:31 PM, Charles Hedrick wrote:
If all the proxy is doing is forwarding content, it might work. But
in that case it’s not obvious how much security we’re gaining
by the proxy. It may be that just enabling access directly to port
88 would be as good. (I control the network, mostly.) A
On Wed, 2021-09-29 at 13:41 -0600, Grant Taylor wrote:
> On 9/28/21 2:31 PM, Charles Hedrick wrote:
> > If all the proxy is doing is forwarding content, it might work. But
> > in that case it’s not obvious how much security we’re gaining
> > by the proxy. It may be that just enabling access direc
>If all the proxy is doing is forwarding content, it might work. But in
>that case it’s not obvious how much security we’re gaining by the
>proxy. It may be that just enabling access directly to port 88 would be
>as good. (I control the network, mostly.) Any sense how risky it is to
>expose port 88
If all the proxy is doing is forwarding content, it might work. But in that
case it’s not obvious how much security we’re gaining by the proxy. It may be
that just enabling access directly to port 88 would be as good. (I control the
network, mostly.) Any sense how risky it is to expose port 88 t
On 9/12/21 5:49 AM, Jeffrey Altman wrote:
The answer is "yes", but someone would need to development the
implementation and submit a pull request.
Here's a silly thought.
What about using something like socat to listen on local port 88 and
have it use the upstream proxy via CONNECT requests (
>The hope is that the proxy will read requests and validate them. Thus
>passing through the proxy would be less dangerous that exposing port 88
>directly. If that’s not true, we should consider the risks of making
>port 88 available, or give up.
I'm curious as to exactly what validation for reque
On Sun, Sep 12, 2021 at 07:49:57AM -0400, Jeffrey Altman wrote:
> On 9/11/2021 11:22 AM, Charles Hedrick (hedr...@rutgers.edu) wrote:
> > We don’t currently explore our Kerberos servers to the Internet, but we do
> > have an https proxy for MIT kerberos. Heimal apparently has its own HTTP
> > pro
On 9/11/2021 11:22 AM, Charles Hedrick (hedr...@rutgers.edu) wrote:
> I’d like to be able to use Kerberos SPNEGO at home. Unfortunately the Mac
> uses Heimdal.
One premise of this thread is that Apple uses Heimdal as developed at
https://www.heimdal.software/ aka https://github.com/heimdal/
On 9/11/21 7:35 PM, Charles Hedrick wrote:
The hope is that the proxy will read requests and validate them. Thus
passing through the proxy would be less dangerous that exposing port
88 directly. If that’s not true, we should consider the risks of
making port 88 available, or give up.
I would
>Another use case is getting tickets for Mac users. We have a few users
>that ssh into enough different hosts that they want to use kerberized
>ssh. Unless we open port 88 to the outside, they have to install Mac
>ports and use the MIT kinit.
So they can't open port 88 to the outside, but port 88-
The hope is that the proxy will read requests and validate them. Thus passing
through the proxy would be less dangerous that exposing port 88 directly. If
that’s not true, we should consider the risks of making port 88 available, or
give up.
> On Sep 11, 2021, at 7:07 PM, Ken Hornstein wrote:
Another use case is getting tickets for Mac users. We have a few users that ssh
into enough different hosts that they want to use kerberized ssh. Unless we
open port 88 to the outside, they have to install Mac ports and use the MIT
kinit. While it seems simple to me, it’s not for real users. If
My use case is a few web applications. Linux user group management, editing our
wiki, and responding to help desk tickets. Generic web apps that I would like
to use at home. We support CAS, but our university CAS server has disabled SSO.
Since I already have a Kerberos ticket to use ssh, it woul
At home I’m outside our firewall. We have an https proxy that works fine for
MIT implementations, but not heimdal. Heimdal has an http proxy configuration
available in krb5.conf, but that’s useless without an actual proxy server. I’m
looking for an implementation of the proxy. I also don’t see a
On Sat, Sep 11, 2021 at 03:22:26PM +, Charles Hedrick wrote:
>
> I’d like to be able to use Kerberos SPNEGO at home. Unfortunately
> the Mac uses Heimdal.
>
> We don’t currently explore our Kerberos servers to the Internet,
> but we do have an https proxy for MIT kerberos. Heimal apparently h
Hello Charles,
> I???d like to be able to use Kerberos SPNEGO at home. Unfortunately the Mac
> uses Heimdal.
SPNEGO has really a low security level. I am surprised this is considered
acceptable for a https proxy.
We are working on two better solutions, with software that classifies only
littl
16 matches
Mail list logo