Hi kerberos folks--
Could anyone point me to information about the security concerns
involved with opening a krb5 realm to the Internet (or any other
untrusted WAN)?
I've looked in several places, but could only find a couple of remarks
on this list from last year:
>>>>> "Daniel" == Daniel Kahn Gillmor [EMAIL PROTECTED] writes:
    Daniel> Hi kerberos folks--
    Daniel> Could anyone point me to information about the security concerns
    Daniel> involved with opening a krb5 realm to the Internet (or any other
    Daniel> untrusted WAN)?
Authentication over an untrusted network is
Daniel Kahn Gillmor [EMAIL PROTECTED] wrote:
I think I understand the basic K5 protocol, but I don't have my head
wrapped around the different possible attack vectors well enough to
know if opening up a KDC to the internet is really asking for trouble
(e.g. how much krb5 traffic needs to be
As Tom says, Kerberos was designed to be used on open networks. With
the exception of the old DES-based types (a bad idea to use nowadays,
but supported for backwards compatibility for places that haven't
updated yet), the encryption schemes should be reasonably solid, and
all of the data