[38995] in Kerberos
Re: heimdal http proxy
daemon@ATHENA.MIT.EDU (Grant Taylor)
Wed Sep 29 15:44:27 2021
To: kerberos@mit.edu
From: Grant Taylor <gtaylor@tnetconsulting.net>
Message-ID: <b4f28e2f-40f6-6ab2-2caf-7b2d901b9ea8@spamtrap.tnetconsulting.net>
Date: Wed, 29 Sep 2021 13:41:31 -0600
MIME-Version: 1.0
In-Reply-To: <B2F885AD-DCA2-4D8D-A3D1-85084F4FB1BA@cs.rutgers.edu>
Content-Type: multipart/mixed; boundary="===============1065097574201577102=="
Errors-To: kerberos-bounces@mit.edu
--===============1065097574201577102==
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
micalg=sha-256; boundary="------------ms080703060403000903040007"
--------------ms080703060403000903040007
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
On 9/28/21 2:31 PM, Charles Hedrick wrote:
> If all the proxy is doing is forwarding content, it might work. But=20
> in that case it=E2=80=99s not obvious how much security we=E2=80=99re g=
aining=20
> by the proxy. It may be that just enabling access directly to port=20
> 88 would be as good. (I control the network, mostly.) Any sense how=20
> risky it is to expose port 88 to the internet?
I was assuming that the proxy would have it's own authentication=20
requirements. Thus the proxy would act somewhat like a bouncer in front =
of the KDC.
Somewhat like putting the KDC behind a VPN or SPI w/ port knocking. --=20
Allow people that have some modicum of knowledge access to the KDC while =
preventing any Joe Random on the Internet from accessing the KDC.
--=20
Grant. . . .
unix || die
--------------ms080703060403000903040007
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCC
CzkwggUhMIIECaADAgECAhA/wgXwQl9mDHSg5enGHBeSMA0GCSqGSIb3DQEBCwUAMIGWMQsw
CQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxm
b3JkMRgwFgYDVQQKEw9TZWN0aWdvIExpbWl0ZWQxPjA8BgNVBAMTNVNlY3RpZ28gUlNBIENs
aWVudCBBdXRoZW50aWNhdGlvbiBhbmQgU2VjdXJlIEVtYWlsIENBMB4XDTIwMTExNjAwMDAw
MFoXDTIxMTExNjIzNTk1OVowKzEpMCcGCSqGSIb3DQEJARYaZ3RheWxvckB0bmV0Y29uc3Vs
dGluZy5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDM6cGNMlSUFPM3zVw+
VgSslz2QRtMj+FerQ0DpmgbhUzqm5hMRe0hMA2OBf41HDAeOV0RKcLx2+HozHlyQST2xagOX
xiv91aEXezh8bEBfnOI564Ej/JfusomfoM7ByVXcLp3K3fOssHos6IXiAD6WT+jcRs7Cg+Gl
bYyoDLDLXw4i/N+YRcp3JrwT+4g/i//wAea1qTEd+ZnfcqtvCHaiJrr16xEpzuraLcmH5qtN
/c+5kkRN3zpJvQvPX7fMBdxiSjb/cb070DC1RIO+THkhQqJ4bxHhrwcvC5RME0iwnSo52a/i
FSNzciw/SM37F5tMTjDs+F6iUT85K2IWyGkpAgMBAAGjggHTMIIBzzAfBgNVHSMEGDAWgBQJ
wPL8C9qU21/+K9+omULPyeCtADAdBgNVHQ4EFgQU9SQ1EWwdWU0yBrPcbiR81rwNThUwDgYD
VR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwQGCCsGAQUF
BwMCMEAGA1UdIAQ5MDcwNQYMKwYBBAGyMQECAQEBMCUwIwYIKwYBBQUHAgEWF2h0dHBzOi8v
c2VjdGlnby5jb20vQ1BTMFoGA1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9jcmwuc2VjdGlnby5j
b20vU2VjdGlnb1JTQUNsaWVudEF1dGhlbnRpY2F0aW9uYW5kU2VjdXJlRW1haWxDQS5jcmww
gYoGCCsGAQUFBwEBBH4wfDBVBggrBgEFBQcwAoZJaHR0cDovL2NydC5zZWN0aWdvLmNvbS9T
ZWN0aWdvUlNBQ2xpZW50QXV0aGVudGljYXRpb25hbmRTZWN1cmVFbWFpbENBLmNydDAjBggr
BgEFBQcwAYYXaHR0cDovL29jc3Auc2VjdGlnby5jb20wJQYDVR0RBB4wHIEaZ3RheWxvckB0
bmV0Y29uc3VsdGluZy5uZXQwDQYJKoZIhvcNAQELBQADggEBABWLZrz0NricNKP3jS03B7lH
KNfBetFHWlaarCghIjhyA3yoXizPMP1wsY+ARMT22BKNVmLlP1CvDoLuEQbThvT5hRa7HPc2
2yVX6MkgSZByW2xrkhKGAIdtl+mELX27GZM+xe+k84OO1hA0Egyha2gg0UWlAiTGkIYjNLg0
6zg1QP7Bj4P/19hbi8Z9FFu38CztkgKZPSKMV3kPxZopa/mOWOQXxHcs03Ph/qnwj5HfkeWI
WE7TARmmU7w8AoxEONC1tB6bsdX3M+4YVbgwgiihhiVGflHfGI4bgKkuN4sqesRnX8C9mvv5
o7dYJe4kKuv0ZeIj8x1Hh2PGvn7GuRgwggYQMIID+KADAgECAhBNlCwQ1DvglAnFgS06KwZP
MA0GCSqGSIb3DQEBDAUAMIGIMQswCQYDVQQGEwJVUzETMBEGA1UECBMKTmV3IEplcnNleTEU
MBIGA1UEBxMLSmVyc2V5IENpdHkxHjAcBgNVBAoTFVRoZSBVU0VSVFJVU1QgTmV0d29yazEu
MCwGA1UEAxMlVVNFUlRydXN0IFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xODEx
MDIwMDAwMDBaFw0zMDEyMzEyMzU5NTlaMIGWMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3Jl
YXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRgwFgYDVQQKEw9TZWN0aWdvIExp
bWl0ZWQxPjA8BgNVBAMTNVNlY3RpZ28gUlNBIENsaWVudCBBdXRoZW50aWNhdGlvbiBhbmQg
U2VjdXJlIEVtYWlsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyjztlApB
/975Rrno1jvm2pK/KxBOqhq8gr2+JhwpKirSzZxQgT9tlC7zl6hn1fXjSo5MqXUfItMltrMa
XqcESJuK8dtK56NCSrq4iDKaKq9NxOXFmqXX2zN8HHGjQ2b2Xv0v1L5Nk1MQPKA19xeWQcpG
EGFUUd0kN+oHox+L9aV1rjfNiCj3bJk6kJaOPabPi2503nn/ITX5e8WfPnGw4VuZ79Khj1YB
rf24k5Ee1sLTHsLtpiK9OjG4iQRBdq6Z/TlVx/hGAez5h36bBJMxqdHLpdwIUkTqT8se3ed0
PewDch/8kHPo5fZl5u1B0ecpq/sDN/5sCG52Ds+QU5O5EwIDAQABo4IBZDCCAWAwHwYDVR0j
BBgwFoAUU3m/WqorSs9UgOHYm8Cd8rIDZsswHQYDVR0OBBYEFAnA8vwL2pTbX/4r36iZQs/J
4K0AMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdJQQWMBQGCCsG
AQUFBwMCBggrBgEFBQcDBDARBgNVHSAECjAIMAYGBFUdIAAwUAYDVR0fBEkwRzBFoEOgQYY/
aHR0cDovL2NybC51c2VydHJ1c3QuY29tL1VTRVJUcnVzdFJTQUNlcnRpZmljYXRpb25BdXRo
b3JpdHkuY3JsMHYGCCsGAQUFBwEBBGowaDA/BggrBgEFBQcwAoYzaHR0cDovL2NydC51c2Vy
dHJ1c3QuY29tL1VTRVJUcnVzdFJTQUFkZFRydXN0Q0EuY3J0MCUGCCsGAQUFBzABhhlodHRw
Oi8vb2NzcC51c2VydHJ1c3QuY29tMA0GCSqGSIb3DQEBDAUAA4ICAQBBRHUAqznCFfXejpVt
MnFojADdF9d6HBA4kMjjsb0XMZHztuOCtKF+xswhh2GqkW5JQrM8zVlU+A2VP72Ky2nlRA1G
wmIPgou74TZ/XTarHG8zdMSgaDrkVYzz1g3nIVO9IHk96VwsacIvBF8JfqIs+8aWH2PfSUrN
xP6Ys7U0sZYx4rXD6+cqFq/ZW5BUfClN/rhk2ddQXyn7kkmka2RQb9d90nmNHdgKrwfQ49mQ
2hWQNDkJJIXwKjYA6VUR/fZUFeCUisdDe/0ABLTI+jheXUV1eoYV7lNwNBKpeHdNuO6Aacb5
33JlfeUHxvBz9OfYWUiXu09sMAviM11Q0DuMZ5760CdO2VnpsXP4KxaYIhvqPqUMWqRdWyn7
crItNkZeroXaecG03i3mM7dkiPaCkgocBg0EBYsbZDZ8bsG3a08LwEsL1Ygz3SBsyECa0waq
4hOf/Z85F2w2ZpXfP+w8q4ifwO90SGZZV+HR/Jh6rEaVPDRF/CEGVqR1hiuQOZ1YL5ezMTX0
ZSLwrymUE0pwi/KDaiYB15uswgeIAcA6JzPFf9pLkAFFWs1QNyN++niFhsM47qodx/PL+5jR
87myx5uYdBEQkkDc+lKB1Wct6ucXqm2EmsaQ0M95QjTmy+rDWjkDYdw3Ms6mSWE3Bn7i5Zgt
wCLXgAIe5W8mybM2JzGCBDIwggQuAgEBMIGrMIGWMQswCQYDVQQGEwJHQjEbMBkGA1UECBMS
R3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRgwFgYDVQQKEw9TZWN0aWdv
IExpbWl0ZWQxPjA8BgNVBAMTNVNlY3RpZ28gUlNBIENsaWVudCBBdXRoZW50aWNhdGlvbiBh
bmQgU2VjdXJlIEVtYWlsIENBAhA/wgXwQl9mDHSg5enGHBeSMA0GCWCGSAFlAwQCAQUAoIIC
VzAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0yMTA5MjkxOTQx
MzFaMC8GCSqGSIb3DQEJBDEiBCAjmqqZ2wZNymr51RcnkVVPkKZOCGx44HhTmylcGa0bqTBs
BgkqhkiG9w0BCQ8xXzBdMAsGCWCGSAFlAwQBKjALBglghkgBZQMEAQIwCgYIKoZIhvcNAwcw
DgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIHMA0GCCqGSIb3DQMCAgEo
MIG8BgkrBgEEAYI3EAQxga4wgaswgZYxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVy
IE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGDAWBgNVBAoTD1NlY3RpZ28gTGltaXRl
ZDE+MDwGA1UEAxM1U2VjdGlnbyBSU0EgQ2xpZW50IEF1dGhlbnRpY2F0aW9uIGFuZCBTZWN1
cmUgRW1haWwgQ0ECED/CBfBCX2YMdKDl6cYcF5Iwgb4GCyqGSIb3DQEJEAILMYGuoIGrMIGW
MQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdT
YWxmb3JkMRgwFgYDVQQKEw9TZWN0aWdvIExpbWl0ZWQxPjA8BgNVBAMTNVNlY3RpZ28gUlNB
IENsaWVudCBBdXRoZW50aWNhdGlvbiBhbmQgU2VjdXJlIEVtYWlsIENBAhA/wgXwQl9mDHSg
5enGHBeSMA0GCSqGSIb3DQEBAQUABIIBADxApupPwutEUP90MD68NmCDSAjdV6aSLYMv2NVr
twT4d8Pg7L7G/vIURCdsH0oRKifnbkXABxeSnojwjSyzqthF6nBzNc8uQn7ArAsv9TcL4SVS
4cJUE3KQqnWB/ArFCVoquHt890ucu7QQpt0SoNWWIWsTiwrBI4540qxWFVivfv/L4yfwHI6B
8inX+dee67+d/K0AWwjYCF++gV7U9mo206disRD8UozP4ASpgr53oj5g3ZvKQ/EUp+5jBQpv
5TtdYgtPmQ8J7s8J7JQsOYUmVKsy1JM8VAWRuDXpPr9BVqa9/FgXPU3Mle8ziVIwREMdg7Dg
wUJ7C5l3UjHYDFQAAAAAAAA=
--------------ms080703060403000903040007--
--===============1065097574201577102==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
--===============1065097574201577102==--
