[14654] in Kerberos
RE: using Kerberos V5 with network address translation firewall?
daemon@ATHENA.MIT.EDU (Jianlin Chang)
Wed Jul 11 15:47:18 2001
Message-ID: <3AA0A47DC449D5119392000255F000F021A8F1@hqmail1.platform.com>
From: Jianlin Chang <chang@platform.com>
To: "'Turbo Fredriksson'" <turbo@bayour.com>
Cc: kerberos@MIT.EDU
Date: Wed, 11 Jul 2001 15:38:46 -0400
Searching through the Kerberos mailing list archive, especially the thread
on the subject 'Patch for making Kerberos work through Firewalls and NATs', it
seems to indicate that there are still a number of problems, e.g., ticket
forwarding. Can these problems be easily resolved? I don't seem to see a
solution in those emails. Thanks.
>-----Original Message-----
>From: Turbo Fredriksson [mailto:turbo@bayour.com]
>Sent: Wednesday, June 20, 2001 12:55 PM
>To: Jianlin Chang
>Cc: kerberos@MIT.EDU
>Subject: Re: using Kerberos V5 with network address translation
>firewall?
>
>
>>>>>> "Jianlin" == Jianlin Chang <chang@platform.com> writes:
>
> Jianlin> Does Kerberos V5 work with network address translation
> Jianlin> firewall?
>
>As long as you don't block port 88, yes...
>
> Jianlin> I am interested in the following situation,
> Jianlin> the client and server are behind two separate firewalls.
> Jianlin> The KDC may or may not be behind a third firewall.
>
>If the KDC has an internal, invisible IP address, no.
>
> Jianlin> I guess that client can still obtain tickets properly,
> Jianlin> even if the IP address in the ticket is that of the
> Jianlin> proxy.
>
>The clients will have to be able to reach the KDC.
>
> Jianlin> But what happen to the server? When you try to 'kadmin
> Jianlin> ktadd' on the server to add the server's key to keytab
> Jianlin> file, will it work properly?
>
>As long as you don't block port 750, yes.
>
> Jianlin> Now that client has a ticket, and server knows the key,
> Jianlin> will the client be able to connect to the server
> Jianlin> properly?
>
>The 'client communication' is done on port 88, server communication
>(ie kadmin etc) on port 750.
>
> Jianlin> BTW, during the process of 'kadmin ktadd', when the
> Jianlin> server host contacts KDC, is the key transmitted
> Jianlin> encrypted? If yes, how?
>
>This is shaky ground to me, but I will hazard a (qualified) guess
>from what I've learnt reading the Kerberos RFCs etc.
>_ALL_ communication to/from the KDC is encrypted... Exactly HOW
>this is done can be found (?) at the URL (very technical):
>
>http://www.isi.edu/gost/publications/kerberos-neuman-tso.html
>
>
>--
> Turbo __ _ Debian GNU Unix _IS_ user friendly - it's just
> ^^^^^ / /(_)_ __ _ ___ __ selective about who its friends are
> / / | | '_ \| | | \ \/ / Debian Certified Linux Developer
> _ /// / /__| | | | | |_| |> < Turbo Fredriksson turbo@tripnet.se
> \\\/ \____/_|_| |_|\__,_/_/\_\ Stockholm/Sweden
>
>ammunition Cocaine Panama cryptographic 747 terrorist SDI smuggle FBI
>South Africa AK-47 critical tritium class struggle Delta Force
>[See http://www.aclu.org/echelonwatch/index.html for more about this]
>
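The address problem the thread circles around (tickets carrying the client's IP address, which a NAT rewrites on the way to the server) is controlled on the MIT krb5 client by the `noaddresses` setting in the `[libdefaults]` section of `krb5.conf`: when it is true, the client asks the KDC for tickets with an empty address list, so neither the service ticket nor a forwarded copy of it is tied to an address the server will never see. The fragment below is an added example and is not from either of the posts above; the realm name, KDC host and admin-server host are placeholders, and the commented-out `false` line shows the address-bound setting that breaks behind a NAT.

```ini
[libdefaults]
    default_realm = EXAMPLE.COM

    # Request tickets without embedded client addresses.
    # Behind a NAT the server sees the translated address, so an
    # address-bound ticket (noaddresses = false) is rejected.
    noaddresses = true
    # noaddresses = false   <- address-bound tickets; fails through NAT

    # Addressless tickets are also what makes ticket forwarding
    # (kinit -f / rlogin -f, etc.) usable when the forwarding host
    # is behind a NAT.
    forwardable = true

[realms]
    EXAMPLE.COM = {
        # Clients need to reach the KDC on 88/tcp+udp through the firewall.
        kdc = kdc.example.com:88
        # kadmin/ktadd talks to the admin server on its own port (749/tcp).
        admin_server = kdc.example.com:749
    }
```

To confirm what a client actually got, `kinit` and then `klist -a`: an addressless ticket shows "Addresses: (none)", whereas an address-bound one lists the client's pre-NAT address, which is the value the server will compare against the translated source address and reject. Later MIT releases made `noaddresses = true` the default, so on a modern installation the setting mainly matters when a site has turned it back off.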