[14578] in Kerberos

home help back first fref pref prev next nref lref last post

Re: using Kerberos V5 with network address translation firewall?

daemon@ATHENA.MIT.EDU (Turbo Fredriksson)
Wed Jun 20 12:59:57 2001

To: Jianlin Chang <chang@platform.com>
Cc: kerberos@MIT.EDU
From: Turbo Fredriksson <turbo@bayour.com>
Date: 20 Jun 2001 18:54:42 +0200
In-Reply-To: Jianlin Chang's message of "18 Jun 2001 15:19:05 -0400"
Message-ID: <87k8273xd9.fsf@papadoc.bayour.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

>>>>> "Jianlin" == Jianlin Chang <chang@platform.com> writes:

    Jianlin> Does Kerberos V5 work with network address translation
    Jianlin> firewall?

As long as you don't block port 88, yes...

    Jianlin> I am interested in the following situation,
    Jianlin> the client and server are behind two separate firewalls.
    Jianlin> The KDC may or may not be behind a third firewall.

If the KDC has an internal, invisible IP address, no.

    Jianlin> I guess that client can still obtain tickets properly,
    Jianlin> even if the IP address in the ticket is that of the
    Jianlin> proxy.

The clients will have to be able to reach the KDC.

    Jianlin> But what happens to the server?  When you try to 'kadmin
    Jianlin> ktadd' on the server to add the server's key to keytab
    Jianlin> file, will it work properly? 

As long as you don't block port 750, yes.

    Jianlin> Now that client has a ticket, and server knows the key,
    Jianlin> will the client be able to connect to the server
    Jianlin> properly?

The 'client communication' is done on port 88, server communication
(i.e. kadmin etc.) on port 750.

    Jianlin> BTW, during the process of 'kadmin ktadd', when the
    Jianlin> server host contacts KDC, is the key transmitted
    Jianlin> encrypted?  If yes, how?

This is shaky ground to me, but I will hazard a (qualified) guess
from what I've learnt reading the Kerberos RFCs etc.
_ALL_ communication to/from the KDC is encrypted... Exactly HOW
this is done can be found (?) at the URL (very technical):

http://www.isi.edu/gost/publications/kerberos-neuman-tso.html


-- 
 Turbo     __ _     Debian GNU     Unix _IS_ user friendly - it's just 
 ^^^^^    / /(_)_ __  _   ___  __  selective about who its friends are 
         / / | | '_ \| | | \ \/ /   Debian Certified Linux Developer  
  _ /// / /__| | | | | |_| |>  <  Turbo Fredriksson   turbo@tripnet.se
  \\\/  \____/_|_| |_|\__,_/_/\_\ Stockholm/Sweden

ammunition Cocaine Panama cryptographic 747 terrorist SDI smuggle FBI
South Africa AK-47 critical tritium class struggle Delta Force
[See http://www.aclu.org/echelonwatch/index.html for more about this]
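The reply above boils the firewall question down to "which KDC ports must be reachable from the client and from the application server". The script below is an added example (not code from the thread or from MIT Kerberos): it reads the `[realms]` section of a `krb5.conf`, honours an explicit `host:port` suffix, and falls back to the IANA defaults (88 for `kdc`, 749 for `admin_server`, 464 for `kpasswd_server`) when none is given, then lists the outbound allow rules a NAT firewall in front of the client or server would need. The reply quotes 750 for kadmin; a deployment using that port is covered by writing `admin_server = host:750` in the config, as the constructed sample does. IPv6 bracket syntax is not handled.

```python
"""Derive the outbound firewall allow-list a Kerberos client or application
server needs from a krb5.conf [realms] section.  Added example, not from the
mailing-list thread or the MIT krb5 sources."""
import re
from typing import Dict, List, Tuple

# Default ports used when a realm entry gives only a host name.
# Assumption: IANA 'kerberos' 88, 'kerberos-adm' 749, 'kpasswd' 464.
DEFAULT_PORTS = {"kdc": 88, "admin_server": 749, "kpasswd_server": 464}

# Transports each service needs open (AS/TGS exchanges run over UDP and
# TCP; kadmin is TCP only).
TRANSPORTS = {
    "kdc": ("udp", "tcp"),
    "admin_server": ("tcp",),
    "kpasswd_server": ("udp", "tcp"),
}


def parse_realms(conf: str) -> Dict[str, List[Tuple[str, str, int]]]:
    """Return {realm: [(service, host, port), ...]} from the [realms] section."""
    realms: Dict[str, List[Tuple[str, str, int]]] = {}
    section = None
    realm = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)  # section header, e.g. [realms]
        if m:
            section, realm = m.group(1), None
            continue
        if section != "realms":
            continue
        m = re.match(r"([A-Z0-9.\-]+)\s*=\s*\{$", line)  # "REALM = {"
        if m:
            realm = m.group(1)
            realms[realm] = []
            continue
        if line == "}":
            realm = None
            continue
        m = re.match(r"(kdc|admin_server|kpasswd_server)\s*=\s*(\S+)$", line)
        if m and realm:
            svc, target = m.groups()
            host, _, port = target.rpartition(":")
            if not host:  # no ':port' suffix -> use the service default
                host, port = target, DEFAULT_PORTS[svc]
            realms[realm].append((svc, host, int(port)))
    return realms


def allow_rules(conf: str) -> List[Tuple[str, str, int]]:
    """Unique, sorted (proto, host, port) tuples the firewall must permit."""
    rules = set()
    for entries in parse_realms(conf).values():
        for svc, host, port in entries:
            for proto in TRANSPORTS[svc]:
                rules.add((proto, host, port))
    return sorted(rules)


# Constructed sample config; host names are placeholders.
SAMPLE_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com                # default port 88
        kdc = kdc2.example.com:8088           # explicit non-default port
        admin_server = kdc1.example.com:750   # the port quoted in the reply
    }
"""

if __name__ == "__main__":
    for proto, host, port in allow_rules(SAMPLE_CONF):
        print(f"allow {proto} to {host} port {port}")
```

For the proxy-address concern raised in the question, the relevant MIT krb5 knob is `noaddresses` in `[libdefaults]`, which controls whether tickets carry client addresses at all; a firewall rule list like the one above only settles reachability, not address checking.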
