Re: heimdal http proxy

<mailman.1.1632880735.6701.kerberos@mit.edu>

  copy mid

https://www.novabbs.com/devel/article-flat.php?id=146&group=comp.protocols.kerberos#146

  copy link   Newsgroups: comp.protocols.kerberos
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!.POSTED.pch.mit.edu!not-for-mail
From: ken...@cmf.nrl.navy.mil (Ken Hornstein)
Newsgroups: comp.protocols.kerberos
Subject: Re: heimdal http proxy
Date: Tue, 28 Sep 2021 21:58:22 -0400
Organization: TNet Consulting
Lines: 19
Message-ID: <mailman.1.1632880735.6701.kerberos@mit.edu>
References: <87sfyq9qtg.fsf@hope.eyrie.org>
<58C9CD4B-C68A-4480-BFD8-29DC38D8C22A@cs.rutgers.edu>
<6589bffb-75be-62f3-5e3e-6c0b315dd865@secure-endpoints.com>
<78619294-b425-bf71-934b-78381efa8564@spamtrap.tnetconsulting.net>
<B2F885AD-DCA2-4D8D-A3D1-85084F4FB1BA@cs.rutgers.edu>
Cc: Grant Taylor <gtaylor@tnetconsulting.net>, kerberos@mit.edu
To: Charles Hedrick <hedrick@cs.rutgers.edu>
In-Reply-To: <B2F885AD-DCA2-4D8D-A3D1-85084F4FB1BA@cs.rutgers.edu>
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
 by: Ken Hornstein - Wed, 29 Sep 2021 01:58 UTC

>If all the proxy is doing is forwarding content, it might work. But in
>that case it’s not obvious how much security we’re gaining by the
>proxy. It may be that just enabling access directly to port 88 would be
>as good. (I control the network, mostly.) Any sense how risky it is to
>expose port 88 to the internet?

For what it's worth, we do. Protocol-wise, Kerberos is literally designed
to operate over untrusted networks, so I'm fine with the protocol being
accessible from the Internet.

Implementation-wise, the people I personally know who do that are running
one of the open-source Kerberos implementations. It is my understanding
that Microsoft does NOT recommend opening the Kerberos port on your
domain controller to the Internet, but if you are making it available via
a web proxy I'm not sure how that doesn't qualify. I'm not sure why
that is Microsoft's guidance (note that I have only heard that second
hand and I have not verified it).

--Ken
