Looking for a "Kerberos Router"?

<mailman.71.1710940421.2322.kerberos@mit.edu>


https://www.rocksolidbbs.com/devel/article-flat.php?id=523&group=comp.protocols.kerberos#523

From: jonas.repo@protonmail.com (Jonas)
Newsgroups: comp.protocols.kerberos
Subject: Looking for a "Kerberos Router"?
Date: Wed, 20 Mar 2024 13:13:27 +0000
Organization: TNet Consulting
Lines: 33
Message-ID: <mailman.71.1710940421.2322.kerberos@mit.edu>
References: <Q9tuM1iydPxquBNHTDuxYmzM4dD69K4ZTn5u1hfIbqDaqiCXnIXp1grUf3nCB_gSBX_vrsao0uPqNt417afv1I8vTqiskme0B1JKgOWOcJI=@protonmail.com>
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
List-Archive: <http://mailman.mit.edu/pipermail/kerberos/>
 by: Jonas - Wed, 20 Mar 2024 13:13 UTC

Thank you, I will put this to the test.

This is well tested:
https://github.com/latchset/kdcproxy
On Wed, 2024-03-13 at 17:32 +0100, Yoann Gini wrote:
>
> > Le 13 mars 2024 à 17:21, Ken Hornstein a écrit :
> >
> > It does occur to me that maybe if you have different KDC hostnames but
> > the same IP address you could use TLS SNI or hostname routing which
> > you indicated you already use and maybe that would be simpler? That
> > presumes the client implementations set the SNI field (I see that it
> > does send a "Host" header, and it looks like MIT Kerberos does set the
> > SNI hostname).
>
> This is what I have in mind looking at the documentation of kkdcp (reading as exchanging here). Using SNI to select the KDC.
>
> I will give it a try, it looks like the option I need here.
>
> And yes, all of those complexities would have been avoided by network teams just supporting IPv6 and not blocking random ports for no reasons…
>
> > > > One thing that leaps out at me is that by default a lot of Kerberos
> > > > messages default to UDP transport so that might be a bit trickier to
> > > > proxy them (but not impossible).
> > >
> > > Yes, that's another aspect of the issue, our expectations so far are on
> > > support for TCP only clients. Since it's for mobile users that we are
> > > looking to have this support, it shouldn't be an issue.
> >
> > I would caution you that I think that is something you're going to have
> > to grapple with much sooner than you think.
> >
> > A long time ago we had developed a small Kerberos proxy that forwarded
> > on Kerberos messages by prepending the source IP address/port to the
> > UDP message (our KDC at the time was modified to recognize this
> > and sent the prepended bytes back to the proxy so it could send it to
> > the correct originator).
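The thread turns on two points: a KKDCP proxy (kdcproxy implements MS-KKDCP) has to pick the right KDC for each request, and the KDC message it carries is TCP-framed while many clients still speak UDP. The following added example (not code from this thread, from MIT Kerberos or from kdcproxy) encodes and decodes the MS-KKDCP request body with hand-rolled DER, routes on the optional target-domain field, and checks the 4-byte length prefix that a UDP relay must strip; the realm-to-KDC map and the realm EXAMPLE.ORG are assumptions for the demo.

```python
# Added example, not from the thread or from kdcproxy: hand-rolled DER for the
# MS-KKDCP body (KDC-PROXY-MESSAGE) so a proxy can pick a KDC from target-domain
# and recover the raw KDC message that goes on the wire.
#   KDC-PROXY-MESSAGE ::= SEQUENCE { kerb-message [0] OCTET STRING,  -- 4-byte len + msg
#       target-domain [1] KerberosString OPTIONAL, dclocator-hint [2] INTEGER OPTIONAL }
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def _tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content
def encode_kkdcp(kdc_msg, realm=None):
    """Wrap a raw AS-REQ/TGS-REQ as a KKDCP body (TCP-style length prefix added)."""
    fields = _tlv(0xA0, _tlv(0x04, len(kdc_msg).to_bytes(4, "big") + kdc_msg))
    if realm is not None:
        fields += _tlv(0xA1, _tlv(0x1B, realm.encode("ascii")))  # [1] GeneralString
    return _tlv(0x30, fields)                                     # SEQUENCE
def _read_tlv(buf, pos):
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first & 0x80:                                    # long-form length
        length = int.from_bytes(buf[pos:pos + (first & 0x7F)], "big")
        pos += first & 0x7F
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length
def decode_kkdcp(body):
    """Return the KDC message (4-byte prefix stripped) and target-domain, if any."""
    tag, seq, _ = _read_tlv(body, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    out, pos = {"kerb_message": None, "target_domain": None}, 0
    while pos < len(seq):
        ctag, inner, pos = _read_tlv(seq, pos)
        _, value, _ = _read_tlv(inner, 0)               # unwrap the explicit [n] tag
        if ctag == 0xA0:
            if int.from_bytes(value[:4], "big") != len(value) - 4:
                raise ValueError("kerb-message length prefix does not match")
            out["kerb_message"] = value[4:]             # what a UDP relay would forward
        elif ctag == 0xA1:
            out["target_domain"] = value.decode("ascii")
    if out["kerb_message"] is None:
        raise ValueError("kerb-message missing")
    return out
def pick_kdc(body, realm_to_kdc):
    """Route on target-domain as a realm-aware proxy would (realm_to_kdc is hypothetical)."""
    realm = decode_kkdcp(body)["target_domain"]
    if realm not in realm_to_kdc:
        raise LookupError("no KDC configured for realm %r" % realm)
    return realm_to_kdc[realm]
```

A proxy that relays to the KDC over TCP keeps the 4-byte prefix; one that relays over UDP sends only `kerb_message` and must map replies back to the originating client itself, which is the problem Ken's source-address-prepending proxy solved.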
