[14577] in Kerberos
using Kerberos V5 with network address translation firewall?
daemon@ATHENA.MIT.EDU (Jianlin Chang)
Wed Jun 20 10:47:32 2001
From: Jianlin Chang <chang@platform.com>
Message-ID: <cttwv69wq8m.fsf@u039.i-did-not-set--mail-host-address--so-shoot-me>
Date: 18 Jun 2001 15:19:05 -0400
To: kerberos@MIT.EDU
Does Kerberos V5 work with a network address translation firewall? I am
interested in the following situation: the client and server are
behind two separate firewalls. The KDC may or may not be behind a
third firewall. The firewalls use network address translation, i.e.,
the IP addresses of different clients behind a firewall will appear as a
single IP address to the external server, the IP address of the proxy.
I guess that the client can still obtain tickets properly, even if the IP
address in the ticket is that of the proxy.
But what happens to the server? When you try to 'kadmin ktadd' on the
server to add the server's key to the keytab file, will it work properly?
I am not sure about the process of 'kadmin ktadd', but I guess that it
will contact the KDC. Then it may have problems, because the IP address
of the server as it appears to the KDC is that of the proxy, while the server's
principal, using the server's real IP address, is known to the KDC. Is this
true? I guess that you can generate the key on another host which is
not behind the firewall, and transfer the file to the server host.
This may work to get the server's key installed in the keytab file.
Now that the client has a ticket, and the server knows the key, will the
client be able to connect to the server properly? Does the server
still contact the KDC when authenticating clients? My guess is no. If
yes, I guess that it may have the problem described above: the IP
address of the server as it appears to the KDC is different from the
server's principal using the server's real IP address as known to the KDC.
We assume that the firewall on the server side allows traffic to
the server's static TCP port to go through.
BTW, during the process of 'kadmin ktadd', when the server host
contacts the KDC, is the key transmitted encrypted? If yes, how?
Thanks a lot.
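As an added example, not part of the original post: the address binding the question worries about is controlled by the `noaddresses` option in the MIT krb5 `[libdefaults]` section of krb5.conf. The fragment below shows the setting in the NAT scenario described above; the realm name is a placeholder.

```ini
[libdefaults]
    # placeholder realm name, not from the original post
    default_realm = EXAMPLE.COM

    # noaddresses = false: the KDC records the client's source address
    # as the KDC sees it, which for a client behind NAT is the firewall's
    # external address, in the ticket's address list. An application
    # server that checks ticket addresses compares that list against the
    # address the connection actually arrives from, and any difference
    # (e.g. NAT rewriting the source on either path) makes it reject the
    # AP_REQ, even though the ticket itself is valid.
    #
    # noaddresses = true: tickets are issued with an empty address list,
    # so no IP address is bound into the ticket and the address check
    # is skipped. This is the setting that lets clients behind NAT use
    # their tickets against servers that see a different source address.
    noaddresses = true
```

The server side of the exchange does not need to reach the KDC to verify a ticket: it decrypts the ticket with the key in its own keytab, so only the address list inside the ticket, not the server's apparent IP address, matters for this check.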