[14670] in Kerberos
Re: using Kerberos V5 with network address translation firewall?
daemon@ATHENA.MIT.EDU (Jeffrey Altman)
Fri Jul 13 10:27:56 2001
Date: Fri, 13 Jul 2001 10:24:12 EDT
From: Jeffrey Altman <jaltman@columbia.edu>
Reply-To: jaltman@columbia.edu
To: joda@pdc.kth.se (Johan Danielsson)
Cc: kerberos@MIT.EDU
In-Reply-To: Your message of 13 Jul 2001 12:01:12 +0200
Message-ID: <CMM.0.90.4.995034252.jaltman@watsun.cc.columbia.edu>
> jaltman@watsun.cc.columbia.edu (Jeffrey Altman) writes:
>
> > If you can describe a good way to write the rule that says, replace
> > address FOO with address NAT we can certainly make the change in the code.
> > The problem in most cases is that there is no good way to know what
> > the NAT address is in the first place.
>
> I sometimes long for a "dear prof. kdc, please give me my correct
> address, since I have no clue" option to the kdc, much like it worked
> in v4.
>
> /Johan
>
But that approach does not work either in multi-homed environments,
because the IP address used to connect to the KDC is not necessarily
the same one that is used to connect to the service. Nor are the KDC
and the service necessarily in the same sub-cloud. If they are on
different sides of the NAT/firewall you still have the same problem.
So the oft-suggested KDC solution is no better.
- Jeffrey Altman
Jeffrey Altman * Sr. Software Designer
The Kermit Project @ Columbia University
http://www.kermit-project.org/
kermit-support@kermit-project.org

C-Kermit 7.1 Alpha available, includes Secure Telnet and FTP
using Kerberos, SRP, and OpenSSL. SSH soon to follow.
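The argument above can be checked with a small model. What follows is an added illustration, not code from this thread and not krb5 code: it mimics the KRB_AP_REQ address check (an address-bearing ticket is only accepted if the sender's apparent source address is listed in it) and tries the "ask the KDC for my address" idea with the KDC and the service on the same or on different sides of a NAT, plus a multi-homed client with no NAT at all. Host names, the private/public addresses and the NAT mapping are all constructed for the example.

```python
"""Model of Kerberos V5 address-bearing tickets across a NAT.

Added illustration: not from the mailing-list thread and not krb5 code.
Hosts, addresses and the NAT mapping below are constructed for the example.
"""
from dataclasses import dataclass

NAT_PUBLIC = "203.0.113.7"   # constructed public address of the NAT box


@dataclass(frozen=True)
class Host:
    name: str
    side: str      # "inside" or "outside" the NAT
    addrs: tuple   # addresses on the host's interfaces


@dataclass
class Ticket:
    client: str
    service: str
    caddr: tuple = ()   # empty tuple == address-less ticket


def source_addr_seen_by(peer: Host, client: Host, via: str) -> str:
    """Source address `peer` observes on a connection `client` opens from
    interface `via`.  Only inside->outside traffic is translated (model)."""
    if via not in client.addrs:
        raise ValueError(f"{client.name} has no interface {via}")
    if client.side == "inside" and peer.side == "outside":
        return NAT_PUBLIC          # NAT rewrote the source address
    return via                     # same side, or no translation on this path


def kdc_issue(kdc: Host, client: Host, via: str,
              asked_addrs=None, ask_kdc: bool = False) -> Ticket:
    """Ticket issuance.  Normally the client lists the addresses it wants in
    the ticket; with ask_kdc=True the KDC instead records the address *it*
    saw the AS-REQ come from (the V4-style idea from the thread)."""
    if ask_kdc:
        return Ticket(client.name, "host/svc",
                      (source_addr_seen_by(kdc, client, via),))
    return Ticket(client.name, "host/svc", tuple(asked_addrs or ()))


def service_accepts(ticket: Ticket, service: Host, client: Host, via: str) -> bool:
    """KRB_AP_REQ address check: if the ticket carries addresses, the
    sender's apparent address must be one of them."""
    if not ticket.caddr:
        return True
    return source_addr_seen_by(service, client, via) in ticket.caddr


def run_scenarios() -> dict:
    """Returns {scenario name: accepted?} for the cases discussed above."""
    laptop = Host("laptop", "inside", ("10.0.0.5",))
    kdc_in = Host("kdc", "inside", ("10.0.0.1",))
    kdc_out = Host("kdc", "outside", ("192.0.2.1",))
    svc_in = Host("svc", "inside", ("10.0.0.2",))
    svc_out = Host("svc", "outside", ("192.0.2.9",))
    r = {}

    # 1. Client asks for its own (private) address; service is past the NAT.
    t = kdc_issue(kdc_in, laptop, "10.0.0.5", asked_addrs=["10.0.0.5"])
    r["own_addr_svc_outside"] = service_accepts(t, svc_out, laptop, "10.0.0.5")

    # 2. "Ask the KDC": KDC inside with the client, service outside.
    t = kdc_issue(kdc_in, laptop, "10.0.0.5", ask_kdc=True)
    r["ask_kdc_inside_svc_outside"] = service_accepts(t, svc_out, laptop, "10.0.0.5")

    # 3. "Ask the KDC": KDC and service both outside (the one case that works).
    t = kdc_issue(kdc_out, laptop, "10.0.0.5", ask_kdc=True)
    r["ask_kdc_outside_svc_outside"] = service_accepts(t, svc_out, laptop, "10.0.0.5")

    # 4. "Ask the KDC": KDC outside, service inside with the client.
    t = kdc_issue(kdc_out, laptop, "10.0.0.5", ask_kdc=True)
    r["ask_kdc_outside_svc_inside"] = service_accepts(t, svc_in, laptop, "10.0.0.5")

    # 5. Multi-homed client, no NAT: reaches the KDC and the service on
    #    different interfaces.
    mh = Host("mh", "outside", ("198.51.100.2", "192.0.2.33"))
    t = kdc_issue(kdc_out, mh, "198.51.100.2", ask_kdc=True)
    r["multihomed_ask_kdc"] = service_accepts(t, svc_out, mh, "192.0.2.33")

    # 6. Address-less ticket: nothing to compare, accepted anywhere.
    t = kdc_issue(kdc_in, laptop, "10.0.0.5")
    r["addressless"] = service_accepts(t, svc_out, laptop, "10.0.0.5")
    return r


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:32s} {'accepted' if ok else 'REJECTED'}")
```

Only scenario 3 passes with the "ask the KDC" approach; as soon as the KDC and the service sit on different sides of the NAT, or the client is multi-homed, the address the KDC saw is not the one the service sees. The last scenario is the approach both MIT krb5 (`noaddresses` in `[libdefaults]`) and Heimdal (`no-addresses`) ended up offering: leave the address list out of the ticket entirely, accepting that address binding then provides no protection against ticket replay from another host.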