Talking to oneself is not all that uncommon, nor considered impolite or
crazy, in many countries. So I thought I'd do that... just in case anyone
is interested.
At 04:34 PM 4/8/96 EDT, Adam Safier wrote:
>Can anyone relate war stories, gotchas and victories re: Cross Realm
>Kerberos or DCE across firewalls and to another Kerberized realm?
>
>I want to make sure my understanding of Kerberos traffic isn't twisted.
>Please make corrections if I'm missing things.
I am correcting myself.
>We need to talk to a different organization running Kerberos (actually some
>are DCE - I already heard Kerberos and DCE are not 100% compatible, but we
>all agree to support the lowest common denominator), so we need to do cross
>realm authentication, ticket granting and encryption all working across a
>firewall.
Actually, a Kerberos vendor just informed me that the IP address of the
delivery packet is NOT checked against the !optional! IP address included as
part of the user identifier. We need some clarification from experts, but
this does not look like it would prevent NAT.
However, I thought of another NAT killer. When a client inside the realm
contacts a TGS in the other realm, I think the TGS will address the return
packet to the firewall. How does the firewall know to which internal client
to forward the returned UDP packet (containing the server ticket)?
The rest is deleted since I have no additional comments on it. For anyone
interested, RFC 1510 deals with Kerberos, and there is another RFC (I don't
know the number) that deals with a GSS API for security program calls.
Kerberos comes from MIT, but Cygnus (www.cynus.com) also distributes a
popular (at NASA) version of it. I'm trying to read the RFC..zzz.zzz
Adam Safier
CSC-SED-Infosec
asafier @ csc . com
"If you show me yours, I still won't show you mine."
Expressed opinions are my own and might not be shared by my employer or
anyone else.
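As an added example (not part of the original post, and not the code of any Kerberos or firewall product), here is a small Python model of the two NAT questions raised above: how a port-translating firewall knows which internal client a returned UDP TGS reply belongs to (it consults the mapping it recorded when the request went out, keyed on the external port it assigned), and what the optional ticket address field does when the application server sees the firewall's address rather than the client's. All IP addresses are constructed RFC 5737 documentation values, and the `NatFirewall`, `tgs_exchange` and `ticket_address_ok` names are invented for illustration.

```python
# Added example, not part of the original post: a toy model of a NAT firewall
# carrying a Kerberos TGS request/reply (UDP, KDC port 88 per RFC 1510) between
# internal clients and a KDC in another realm, plus the optional ticket address
# check. All IP addresses are constructed RFC 5737 documentation values.
from dataclasses import dataclass
import itertools

KDC_PORT = 88


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


class NatFirewall:
    """Port-address translation: one external IP shared by many internal clients."""

    def __init__(self, external_ip, first_port=40000):
        self.external_ip = external_ip
        self._ports = itertools.count(first_port)
        self._out = {}  # (int_ip, int_port, dst_ip, dst_port) -> external port
        self._in = {}   # external port -> that same 4-tuple

    def outbound(self, dg):
        """Rewrite the source of an internal datagram and remember the flow."""
        key = (dg.src_ip, dg.src_port, dg.dst_ip, dg.dst_port)
        port = self._out.get(key)
        if port is None:
            port = next(self._ports)
            self._out[key] = port
            self._in[port] = key
        return Datagram(self.external_ip, port, dg.dst_ip, dg.dst_port, dg.payload)

    def inbound(self, dg):
        """Map a reply back to the internal client, or None if no flow matches."""
        key = self._in.get(dg.dst_port) if dg.dst_ip == self.external_ip else None
        if key is None:
            return None  # unsolicited datagram: no client to forward it to
        int_ip, int_port, peer_ip, peer_port = key
        if (dg.src_ip, dg.src_port) != (peer_ip, peer_port):
            return None  # reply from a peer this client never contacted
        return Datagram(dg.src_ip, dg.src_port, int_ip, int_port, dg.payload)


def tgs_exchange(fw, client_ip, client_port, kdc_ip, request):
    """Send one TGS-REQ through the firewall and carry the KDC's reply back."""
    on_wire = fw.outbound(Datagram(client_ip, client_port, kdc_ip, KDC_PORT, request))
    # The remote KDC never sees the internal address; it answers the firewall.
    reply = Datagram(kdc_ip, KDC_PORT, on_wire.src_ip, on_wire.src_port,
                     b"TGS-REP:" + request)
    return on_wire, fw.inbound(reply)


def ticket_address_ok(ticket_addresses, seen_from_ip):
    """Model of the optional address check: an empty address list means the
    ticket is usable from anywhere; otherwise the sender's address must be listed."""
    return not ticket_addresses or seen_from_ip in ticket_addresses


def demo():
    fw = NatFirewall("198.51.100.1")
    kdc = "203.0.113.10"
    wire_a, back_a = tgs_exchange(fw, "10.0.0.5", 34567, kdc, b"client-a")
    wire_b, back_b = tgs_exchange(fw, "10.0.0.6", 34567, kdc, b"client-b")
    # A ticket stamped with the client's internal address fails once the server
    # sees the firewall's address; an addressless ticket is unaffected by NAT.
    nat_seen = wire_a.src_ip
    return {
        "distinct_external_ports": wire_a.src_port != wire_b.src_port,
        "a_back_to_a": (back_a.dst_ip, back_a.dst_port) == ("10.0.0.5", 34567),
        "b_back_to_b": (back_b.dst_ip, back_b.dst_port) == ("10.0.0.6", 34567),
        "stray_dropped": fw.inbound(Datagram(kdc, KDC_PORT, fw.external_ip, 9, b"")) is None,
        "internal_addr_ticket_ok": ticket_address_ok(["10.0.0.5"], nat_seen),
        "addressless_ticket_ok": ticket_address_ok([], nat_seen),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two clients deliberately use the same source port so the model shows the firewall keying on the external port it assigned rather than on anything the KDC could know; the reply still lands on the right internal host. The address-check function only models the RFC 1510 rule that an empty address list places no restriction, which is why an addressless ticket survives NAT while one carrying the internal address does not.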