Re: Looking for a "Kerberos Router"?
https://www.novabbs.com/devel/article-flat.php?id=502&group=comp.protocols.kerberos#502
From: ken...@cmf.nrl.navy.mil (Ken Hornstein)
Newsgroups: comp.protocols.kerberos
Subject: Re: Looking for a "Kerberos Router"?
Date: Wed, 13 Mar 2024 12:21:35 -0400
Organization: TNet Consulting
Lines: 24
Message-ID: <mailman.50.1710346904.2322.kerberos@mit.edu>
References: <CD4C5157-C1DF-4AAB-9DA1-F54FEF928266@gmail.com>
<202403131416.42DEGRub016309@hedwig.cmf.nrl.navy.mil>
<581276BD-9D29-4D8C-A23E-8613493E378B@gmail.com>
<202403131452.42DEqTwP016604@hedwig.cmf.nrl.navy.mil>
<4DF7F808-676D-4226-AE6F-034995094DAC@gmail.com>
<202403131507.42DF7PwP016768@hedwig.cmf.nrl.navy.mil>
<31CAD52C-40A9-4C1B-B411-4957DB414ED3@gmail.com>
<202403131621.42DGLZEE017497@hedwig.cmf.nrl.navy.mil>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: kerberos@mit.edu
To: Yoann Gini <yoann.gini@gmail.com>
In-Reply-To: <31CAD52C-40A9-4C1B-B411-4957DB414ED3@gmail.com>
 by: Ken Hornstein - Wed, 13 Mar 2024 16:21 UTC

>Looking at Apple documentation I see the support for something I had
>never heard of: Kerberos Key Distribution Center Proxy.
>
>Looks like a solution to encapsulate Kerberos requests into an HTTPS.
>
>Any experience on this here?

I personally have not used that, but I know that MIT Kerberos supports
that (as far as I can tell, that protocol exists just because firewall
people are dumb, but that's neither here nor there). That contains
a wrapper ASN.1 structure which has the target realm in it so you
could use that for routing (although the target domain is listed as an
optional element to the KDC_PROXY_MESSAGE so that suggests to me you
can't rely on it). So you're still going to have to write code to parse
an ASN.1 structure to do backend routing.

It does occur to me that maybe if you have different KDC hostnames but
the same IP address you could use TLS SNI or hostname routing which
you indicated you already use and maybe that would be simpler? That
presumes the client implementations set the SNI field (I see that it
does send a "Host" header, and it looks like MIT Kerberos does set the
SNI hostname).

--Ken
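Added example (not code from Ken's post or from MIT Kerberos): a minimal DER walker for the MS-KKDCP KDC-PROXY-MESSAGE wrapper the reply describes, used to decide which backend KDC a proxy should forward to. It follows the structure from MS-KKDCP (kerb-message [0] OCTET STRING carrying the request with its 4-octet TCP length prefix, target-domain [1] OPTIONAL, dclocator-hint [2] OPTIONAL) and RFC 4120 for the inner AS-REQ/TGS-REQ. Because target-domain is optional, the router falls back to the realm inside KDC-REQ-BODY when it is absent, and maps the realm against an explicit allowlist of backends rather than trusting it blindly. The sample requests, realm names and backend names are constructed for the demo; the `build_*` helpers exist only to produce test input.

```python
"""Route a KDC-PROXY-MESSAGE (MS-KKDCP) to a backend KDC by realm.

Added example, not from the mailing-list post. Tag values follow
MS-KKDCP and RFC 4120; the sample messages below are constructed.
"""


# --- tiny DER encoder, only used to build constructed sample messages ---

def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def ctx(n, body):
    return tlv(0xA0 | n, body)            # [n] EXPLICIT context-specific tag


def der_int(v):
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def general_string(s):
    return tlv(0x1B, s.encode("ascii"))   # KerberosString is a GeneralString


def build_kdc_req(realm, msg_type=10):
    """Constructed AS-REQ (10) or TGS-REQ (12) with a minimal KDC-REQ-BODY."""
    req_body = tlv(0x30,
        ctx(0, tlv(0x03, b"\x00\x40\x00\x00\x00"))                     # kdc-options
        + ctx(2, general_string(realm))                                # realm
        + ctx(3, tlv(0x30, ctx(0, der_int(2))                          # sname: krbtgt/REALM
                         + ctx(1, tlv(0x30, general_string("krbtgt") + general_string(realm)))))
        + ctx(5, tlv(0x18, b"20370913024805Z"))                        # till
        + ctx(7, der_int(12345))                                       # nonce
        + ctx(8, tlv(0x30, der_int(18))))                              # etype: aes256-cts
    kdc_req = tlv(0x30, ctx(1, der_int(5)) + ctx(2, der_int(msg_type)) + ctx(4, req_body))
    return tlv(0x60 | msg_type, kdc_req)  # APPLICATION 10 = AS-REQ, 12 = TGS-REQ


def build_proxy_message(kdc_req, target_domain=None, dclocator_hint=None):
    framed = len(kdc_req).to_bytes(4, "big") + kdc_req   # TCP-style length prefix
    body = ctx(0, tlv(0x04, framed))                      # kerb-message
    if target_domain is not None:
        body += ctx(1, general_string(target_domain))    # target-domain OPTIONAL
    if dclocator_hint is not None:
        body += ctx(2, der_int(dclocator_hint))          # dclocator-hint OPTIONAL
    return tlv(0x30, body)


# --- the part a proxy actually needs: a DER reader and the realm lookup ---

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the TLV at pos (single-byte tags only)."""
    tag, pos = buf[pos], pos + 1
    first, pos = buf[pos], pos + 1
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, pos, pos + length


def children(buf, start, end):
    pos = start
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos)
        yield tag, vs, ve
        pos = ve


def realm_from_kdc_req(kdc_req):
    """Pull realm out of KDC-REQ-BODY ([4] of an AS-REQ or TGS-REQ)."""
    app_tag, s, e = read_tlv(kdc_req, 0)
    if app_tag not in (0x6A, 0x6C):
        raise ValueError("not an AS-REQ or TGS-REQ")
    _, s, e = read_tlv(kdc_req, s)                      # KDC-REQ SEQUENCE
    for tag, vs, _ in children(kdc_req, s, e):
        if tag == 0xA4:                                 # [4] req-body
            _, bs, be = read_tlv(kdc_req, vs)
            for btag, bvs, _ in children(kdc_req, bs, be):
                if btag == 0xA2:                        # [2] realm
                    _, rs, re_ = read_tlv(kdc_req, bvs)
                    return kdc_req[rs:re_].decode("ascii")
    raise ValueError("realm not found in req-body")


def routing_realm(proxy_msg):
    """Return (realm, source); source says whether target-domain was present."""
    tag, s, e = read_tlv(proxy_msg, 0)
    if tag != 0x30:
        raise ValueError("KDC-PROXY-MESSAGE must be a SEQUENCE")
    kerb_message = target_domain = None
    for ctag, vs, _ in children(proxy_msg, s, e):
        if ctag == 0xA0:
            _, ks, ke = read_tlv(proxy_msg, vs)         # OCTET STRING
            kerb_message = proxy_msg[ks:ke]
        elif ctag == 0xA1:
            _, ts, te = read_tlv(proxy_msg, vs)         # GeneralString
            target_domain = proxy_msg[ts:te].decode("ascii")
    if kerb_message is None:
        raise ValueError("kerb-message missing")
    if target_domain:
        return target_domain, "target-domain"
    # Optional element absent: fall back to the realm carried in the request itself.
    if int.from_bytes(kerb_message[:4], "big") != len(kerb_message) - 4:
        raise ValueError("bad kerb-message length prefix")
    return realm_from_kdc_req(kerb_message[4:]), "req-body"


def pick_backend(proxy_msg, backends):
    """Realm is unauthenticated client input: only route to an allowlisted backend."""
    realm, _ = routing_realm(proxy_msg)
    return backends.get(realm.upper())


if __name__ == "__main__":
    backends = {"EXAMPLE.COM": "kdc1.example.com:88"}       # constructed allowlist
    with_hint = build_proxy_message(build_kdc_req("EXAMPLE.COM"), target_domain="EXAMPLE.COM")
    without_hint = build_proxy_message(build_kdc_req("CORP.EXAMPLE", 12))
    print(routing_realm(with_hint), pick_backend(with_hint, backends))
    print(routing_realm(without_hint), pick_backend(without_hint, backends))
```

Two design points worth noting. First, target-domain and the realm in req-body are both supplied by the client and neither is integrity-protected at this layer, so the proxy should treat them purely as a lookup key into its own backend table and drop anything that does not match. Second, the fallback parse only reads the framing and tags it needs; a real deployment would also bound the accepted message size before parsing, since the HTTP body is the only thing standing between the network and the DER decoder.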
