Re: heimdal http proxy

<mailman.0.1632944505.30761.kerberos@mit.edu>

From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.protocols.kerberos
Subject: Re: heimdal http proxy
Date: Wed, 29 Sep 2021 13:41:31 -0600
Organization: TNet Consulting
Lines: 99
Message-ID: <mailman.0.1632944505.30761.kerberos@mit.edu>
References: <87sfyq9qtg.fsf@hope.eyrie.org>
<58C9CD4B-C68A-4480-BFD8-29DC38D8C22A@cs.rutgers.edu>
<6589bffb-75be-62f3-5e3e-6c0b315dd865@secure-endpoints.com>
<78619294-b425-bf71-934b-78381efa8564@spamtrap.tnetconsulting.net>
<B2F885AD-DCA2-4D8D-A3D1-85084F4FB1BA@cs.rutgers.edu>
To: kerberos@mit.edu
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
 by: Grant Taylor - Wed, 29 Sep 2021 19:41 UTC
Attachments: "smime.p7s" (application/pkcs7-signature)

On 9/28/21 2:31 PM, Charles Hedrick wrote:
> If all the proxy is doing is forwarding content, it might work. But
> in that case it's not obvious how much security we're gaining
> by the proxy. It may be that just enabling access directly to port
> 88 would be as good. (I control the network, mostly.) Any sense how
> risky it is to expose port 88 to the internet?

I was assuming that the proxy would have its own authentication
requirements. Thus the proxy would act somewhat like a bouncer in front
of the KDC.

Somewhat like putting the KDC behind a VPN or SPI w/ port knocking. --
Allow people that have some modicum of knowledge access to the KDC while
preventing any Joe Random on the Internet from accessing the KDC.

--
Grant. . . .
unix || die
