[14582] in Kerberos


Re: using Kerberos V5 with network address translation firewall?

daemon@ATHENA.MIT.EDU (Simon Wilkinson)
Thu Jun 21 11:00:54 2001

From: sxw@dcs.ed.ac.uk (Simon Wilkinson)
Date: 21 Jun 2001 14:55:42 GMT
Message-ID: <9gt1te$al0$1@kane.dcs.ed.ac.uk>
To: kerberos@MIT.EDU

Turbo Fredriksson (turbo@bayour.com) wrote:
: >>>>> "Jianlin" == Jianlin Chang <chang@platform.com> writes:

:     Jianlin> Does Kerberos V5 work with network address translation
:     Jianlin> firewall?


We're doing this locally - with some clients unfortunately lying
behind a NATing firewall (the joys of dialup access ...)

: As long as you don't block port 88, yes...

The NAT also needs to be able to handle UDP traffic. This may get interesting
in situations where there are multiple clients all trying to access the KDC
from behind the same NAT - as the return packets from the KDC may
not be correctly delivered to their destination.

You also need to obtain tickets with the address of your NAT (or obtain
addressless tickets).

Bear in mind that kadmin (and other GSS-RPC based protocols) don't appear
to work correctly across NATs.

Cheers,

Simon
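
As an added example (not from Simon's post or from MIT's code), the "addressless tickets" point above as an MIT krb5 client configuration: the `noaddresses` setting in the `[libdefaults]` section of krb5.conf controls whether the client asks the KDC to bind tickets to its own addresses. Both fragments are constructed, and the realm name is a placeholder.

```ini
# --- Weak setting (constructed example) ---
# The client requests tickets carrying its own, private, address.
# A server on the far side of the NAT sees the NAT's public address
# instead, so address checks on the ticket fail.
[libdefaults]
    default_realm = EXAMPLE.COM
    noaddresses = false

# --- Corrected setting (constructed example) ---
# Tickets are requested without any address list, so the address the
# server sees does not have to match anything in the ticket.
# The per-invocation equivalent is: kinit -A
[libdefaults]
    default_realm = EXAMPLE.COM
    noaddresses = true
```

With MIT krb5, `klist -a` prints the address list stored with each cached credential; an addressless ticket shows none.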

