Re: Looking for a "Kerberos Router"?
https://www.novabbs.com/devel/article-flat.php?id=507&group=comp.protocols.kerberos#507
From: sim...@redhat.com (Simo Sorce)
Newsgroups: comp.protocols.kerberos
Subject: Re: Looking for a "Kerberos Router"?
Date: Wed, 13 Mar 2024 16:47:51 -0400
Organization: Red Hat
Lines: 39
Message-ID: <mailman.55.1710362880.2322.kerberos@mit.edu>
Cc: kerberos@mit.edu
To: Yoann Gini <yoann.gini@gmail.com>, Ken Hornstein <kenh@cmf.nrl.navy.mil>
In-Reply-To: <08C219DB-7B64-48FD-A500-3A043BDED825@gmail.com>
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>

This is well tested:
https://github.com/latchset/kdcproxy

On Wed, 2024-03-13 at 17:32 +0100, Yoann Gini wrote:
>
> > On 13 March 2024 at 17:21, Ken Hornstein <kenh@cmf.nrl.navy.mil> wrote:
> >
> > It does occur to me that maybe if you have different KDC hostnames but
> > the same IP address you could use TLS SNI or hostname routing which
> > you indicated you already use and maybe that would be simpler? That
> > presumes the client implementations set the SNI field (I see that it
> > does send a "Host" header, and it looks like MIT Kerberos does set the
> > SNI hostname).
>
> This is what I have in mind looking at the documentation of kkdcp (reading as exchanging here). Using SNI to select the KDC.
>
> I will give it a try, it looks like the option I need here.
>
> And yes, all of those complexities would have been avoided by network teams just supporting IPv6 and not blocking random ports for no reason…

--
Simo Sorce
Distinguished Engineer
RHEL Crypto Team
Red Hat, Inc
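The hostname/SNI selection Ken and Yoann discuss above, with the cross-check a deployer would want so a request whose target-domain names one realm is never forwarded to another realm's KDCs. This is an added example, not code from the thread or from kdcproxy; the hostname-to-realm table, KDC addresses and the two-field KDC-PROXY-MESSAGE decoder are assumptions made here.

```python
# Added example, not kdcproxy's code: pick backend KDCs for MS-KKDCP
# requests by HTTP Host header (the hostname/SNI routing discussed above)
# and cross-check it against the target-domain inside the message.
# Constructed table: proxy hostname -> (realm served, backend KDCs).
ROUTES = {
    "kkdcp-a.example.com": ("A.EXAMPLE.COM", ["kdc1.a.example.com:88"]),
    "kkdcp-b.example.com": ("B.EXAMPLE.COM", ["kdc1.b.example.com:88"]),
}

def _der_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, next position)."""
    if buf[pos] < 0x80:
        return buf[pos], pos + 1
    n = buf[pos] & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def parse_kkdcp(body):
    """Decode KDC-PROXY-MESSAGE ::= SEQUENCE { kerb-message [0] OCTET STRING,
    target-domain [1] KerberosString OPTIONAL, dclocator-hint [2] INTEGER
    OPTIONAL }; return (kerb_message, target_domain or None)."""
    if not body or body[0] != 0x30:
        raise ValueError("not a KDC-PROXY-MESSAGE")
    length, pos = _der_len(body, 1)
    end, kerb_message, target_domain = pos + length, None, None
    while pos < end:
        tag = body[pos]                          # explicit context tag [n]
        clen, pos = _der_len(body, pos + 1)
        inner, pos = body[pos:pos + clen], pos + clen
        if len(inner) < 2:
            raise ValueError("truncated field")
        ilen, ipos = _der_len(inner, 1)          # wrapped universal type
        value = inner[ipos:ipos + ilen]
        if tag == 0xA0 and inner[0] == 0x04:     # OCTET STRING
            kerb_message = value
        elif tag == 0xA1 and inner[0] == 0x1B:   # GeneralString
            target_domain = value.decode("ascii")
    if kerb_message is None:
        raise ValueError("kerb-message missing")
    return kerb_message, target_domain

def route(host, body):
    """Backend KDCs for this request; refuse a realm the host does not serve."""
    entry = ROUTES.get(host.split(":")[0].lower())
    if entry is None:
        raise LookupError("unknown proxy hostname: %s" % host)
    realm, kdcs = entry
    _, target = parse_kkdcp(body)
    if target is not None and target.upper() != realm:
        raise PermissionError("realm %s is not served at %s" % (target, host))
    return kdcs
```

A front-end that terminates TLS would call route() with the Host header (or SNI name) and the POST body, then forward kerb_message to one of the returned KDCs.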
