Re: Looking for a "Kerberos Router"?

From: ken...@cmf.nrl.navy.mil (Ken Hornstein)
Newsgroups: comp.protocols.kerberos
Subject: Re: Looking for a "Kerberos Router"?
Date: Wed, 13 Mar 2024 10:52:29 -0400
Organization: TNet Consulting
Lines: 18
Message-ID: <mailman.45.1710341556.2322.kerberos@mit.edu>
References: <CD4C5157-C1DF-4AAB-9DA1-F54FEF928266@gmail.com>
<202403131416.42DEGRub016309@hedwig.cmf.nrl.navy.mil>
<581276BD-9D29-4D8C-A23E-8613493E378B@gmail.com>
<202403131452.42DEqTwP016604@hedwig.cmf.nrl.navy.mil>
Cc: kerberos@mit.edu
To: Yoann Gini <yoann.gini@gmail.com>
 by: Ken Hornstein - Wed, 13 Mar 2024 14:52 UTC

>> One thing that leaps out at me is that by default a lot of Kerberos
>> messages default to UDP transport so that might be a bit trickier to
>> proxy them (but not impossible).
>
>Yes, that's another aspect of the issue, our expectations so far are on
>support for TCP only clients. Since it's for mobile users that we are
>looking to have this support, it shouldn't be an issue.

I would caution you that I think that is something you're going to have
to grapple with much sooner than you think.

A long time ago we had developed a small Kerberos proxy that forwarded
on Kerberos messages by prepending the source IP address/port to the
UDP message (our KDC at the time was modified to recognize this
and sent the prepended bytes back to the proxy so it could send it to
the correct originator).

--Ken
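
The prepend-and-echo scheme described in the message above, sketched as an added example; it is not code from the original post or from the proxy it mentions. The prefix layout (family byte, address, big-endian port), the function names and the `trusted_proxies` check are assumptions, since the post gives no wire format.

```python
import ipaddress
import struct

# Assumed wire format (the post does not specify one):
#   1 byte address family (4 or 6) | 4 or 16 address bytes | 2-byte port | Kerberos message
_ADDR_LEN = {4: 4, 6: 16}


def wrap(client_ip: str, client_port: int, krb_msg: bytes) -> bytes:
    """Proxy -> KDC: prepend the original client's address and port."""
    addr = ipaddress.ip_address(client_ip)
    return bytes([addr.version]) + addr.packed + struct.pack("!H", client_port) + krb_msg


def split(datagram: bytes) -> tuple[bytes, bytes]:
    """Separate prefix from payload, rejecting truncated or unknown prefixes."""
    if not datagram or datagram[0] not in _ADDR_LEN:
        raise ValueError("unknown address family in prefix")
    end = 1 + _ADDR_LEN[datagram[0]] + 2
    if len(datagram) < end:
        raise ValueError("truncated prefix")
    return datagram[:end], datagram[end:]


def kdc_reply(datagram: bytes, sender_ip: str, trusted_proxies: set[str], handler) -> bytes:
    """KDC side: honour the prefix only from a known proxy, then echo it back unchanged."""
    if sender_ip not in trusted_proxies:
        raise PermissionError("prefix accepted only from configured proxies")
    prefix, request = split(datagram)
    return prefix + handler(request)


def unwrap(datagram: bytes) -> tuple[str, int, bytes]:
    """Proxy <- KDC: recover where the reply has to be sent."""
    prefix, reply = split(datagram)
    ip = str(ipaddress.ip_address(prefix[1:-2]))
    (port,) = struct.unpack("!H", prefix[-2:])
    return ip, port, reply


def demo() -> tuple[str, int, bytes]:
    # Constructed sample bytes, not a real AS-REQ/AS-REP.
    to_kdc = wrap("198.51.100.7", 40123, b"\x6a\x03REQ")
    from_kdc = kdc_reply(to_kdc, "192.0.2.10", {"192.0.2.10"}, lambda req: b"\x6b\x03REP")
    return unwrap(from_kdc)
```

Because the KDC echoes the prefix, the proxy needs no per-request state to route UDP replies. The `trusted_proxies` check is there because a KDC that honours such a prefix is taking the sender's word for the client address.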
