Thank you, I will put this on test.

This is well tested: https://github.com/latchset/kdcproxy

On Wed, 2024-03-13 at 17:32 +0100, Yoann Gini wrote:
>
> > On 13 March 2024 at 17:21, Ken Hornstein wrote:
> >
> > It does occur to me that maybe if you have different KDC hostnames but
> > the same IP address you could use TLS SNI or hostname routing which
> > you indicated you already use and maybe that would be simpler? That
> > presumes the client implementations set the SNI field (I see that it
> > does send a "Host" header, and it looks like MIT Kerberos does set the
> > SNI hostname).
>
> This is what I have in mind looking at the documentation of kkdcp (reading
> as exchanging here). Using SNI to select the KDC.
>
> I will give it a try, it looks like the option I need here.
>
> And yes, all of those complexities would have been avoided by network teams
> just supporting IPv6 and not blocking random ports for no reason…
>
>>> One thing that leaps out at me is that by default a lot of Kerberos
>>> messages default to UDP transport so that might be a bit trickier to
>>> proxy them (but not impossible).
>> Yes, that's another aspect of the issue, our expectations so far are on
>> support for TCP-only clients. Since it's for mobile users that we are
>> looking to have this support, it shouldn't be an issue.
>
> I would caution you that I think that is something you're going to have
> to grapple with much sooner than you think.
>
> A long time ago we had developed a small Kerberos proxy that forwarded
> on Kerberos messages by prepending the source IP address/port to the
> UDP message (our KDC at the time was modified to recognize this
> and sent the prepended bytes back to the proxy so it could send it to
> the correct originator).

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
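The thread above talks about three things at once: the KKDCP (MS-KKDCP) wrapping a client does before it can send a Kerberos message over HTTPS, the fact that a UDP-originated message has to be re-framed for a TCP-only path, and routing on the hostname (SNI / Host header) that the client connected to. The following is an added example written for this page; it is not code from the thread, from MIT Kerberos or from the kdcproxy project. It implements the KDC-PROXY-MESSAGE DER structure by hand (kerb-message [0] OCTET STRING carrying the 4-byte length-prefixed message, target-domain [1] KerberosString, dclocator-hint [2] INTEGER), builds the POST a client would send, and shows a proxy-side unwrap that checks the length prefix against the payload before forwarding. The hostnames, the route table, the sample message bytes and the policy of refusing a target-domain that does not match the routed hostname are all assumptions of the example, not anything the thread states.

```python
"""Added example (not from the thread or the kdcproxy project): minimal
MS-KKDCP framing in pure Python.

KDC-PROXY-MESSAGE ::= SEQUENCE {
    kerb-message   [0] OCTET STRING,            -- 4-byte length prefix + message
    target-domain  [1] KerberosString OPTIONAL, -- GeneralString (tag 0x1B)
    dclocator-hint [2] INTEGER OPTIONAL
}
Hostnames, route table and sample bytes below are constructed for the example.
"""
import struct
from typing import Optional, Tuple


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value: int) -> bytes:
    """Minimal two's-complement INTEGER contents, as DER requires."""
    return value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True)


def wrap_kkdcp(udp_datagram: bytes, target_domain: Optional[str] = None,
               dclocator_hint: Optional[int] = None) -> bytes:
    """Client side: turn a raw (UDP-style) Kerberos message into a KDC-PROXY-MESSAGE.

    kerb-message uses TCP framing (RFC 4120 7.2.2): 4-byte big-endian length, then the
    message. This is the UDP-to-TCP conversion a TCP-only proxy path needs.
    """
    framed = struct.pack(">I", len(udp_datagram)) + udp_datagram
    fields = _tlv(0xA0, _tlv(0x04, framed))                                  # [0]
    if target_domain is not None:
        fields += _tlv(0xA1, _tlv(0x1B, target_domain.encode("ascii")))      # [1]
    if dclocator_hint is not None:
        fields += _tlv(0xA2, _tlv(0x02, _der_int(dclocator_hint)))           # [2]
    return _tlv(0x30, fields)                                                # SEQUENCE


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, contents, next_pos) for the DER element at buf[pos], bounds-checked."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def unwrap_kkdcp(body: bytes) -> Tuple[bytes, Optional[str], Optional[int]]:
    """Proxy side: parse a KDC-PROXY-MESSAGE and return (message, target_domain, hint).

    The returned message has the 4-byte prefix stripped, so it can be sent on as a
    UDP datagram; the prefix must agree with the payload length or the body is rejected.
    """
    tag, seq, end = _read_tlv(body, 0)
    if tag != 0x30 or end != len(body):
        raise ValueError("body is not a single DER SEQUENCE")
    message, target_domain, hint, pos = None, None, None, 0
    while pos < len(seq):
        ctag, cval, pos = _read_tlv(seq, pos)
        itag, ival, iend = _read_tlv(cval, 0)
        if iend != len(cval):
            raise ValueError("trailing bytes inside context tag")
        if ctag == 0xA0 and itag == 0x04:
            if len(ival) < 4 or struct.unpack(">I", ival[:4])[0] != len(ival) - 4:
                raise ValueError("kerb-message length prefix does not match payload")
            message = ival[4:]
        elif ctag == 0xA1 and itag == 0x1B:
            target_domain = ival.decode("ascii")
        elif ctag == 0xA2 and itag == 0x02:
            hint = int.from_bytes(ival, "big", signed=True)
        else:
            raise ValueError(f"unexpected element {ctag:#x}/{itag:#x}")
    if message is None:
        raise ValueError("kerb-message is mandatory")
    return message, target_domain, hint


def build_http_request(proxy_host: str, body: bytes, path: str = "/KdcProxy") -> bytes:
    """The POST a KKDCP client sends; the Host header (and the TLS SNI, which carries
    the same name) is what hostname routing in front of the proxy keys on."""
    head = (f"POST {path} HTTP/1.1\r\nHost: {proxy_host}\r\n"
            f"Content-Type: application/kerberos\r\nContent-Length: {len(body)}\r\n\r\n")
    return head.encode("ascii") + body


# Constructed route table (assumption): the name the client connected to selects
# the realm and the upstream KDCs the proxy is allowed to forward to.
ROUTES = {
    "kdc-eu.example.com": ("EU.EXAMPLE.COM", ["kdc1.eu.example.com:88"]),
    "kdc-us.example.com": ("US.EXAMPLE.COM", ["kdc1.us.example.com:88", "kdc2.us.example.com:88"]),
}


def select_kdcs(host_header: str, target_domain: Optional[str]) -> list:
    """Route on the hostname, and refuse a target-domain that disagrees with it so a
    client cannot steer the proxy at a realm that name was never meant to serve."""
    host = host_header.split(":", 1)[0].lower()
    if host not in ROUTES:
        raise LookupError(f"no KDC route for {host}")
    realm, kdcs = ROUTES[host]
    if target_domain is not None and target_domain.upper() != realm:
        raise ValueError(f"target-domain {target_domain} is not served at {host}")
    return list(kdcs)
```

Only the framing and routing are shown; forwarding to the KDC over TCP and relaying the reply back are the parts kdcproxy already does. The two checks worth copying into any home-grown proxy are the length-prefix consistency test in unwrap_kkdcp (a mismatch means the client or something in the path is malformed) and the refusal in select_kdcs to let a client-supplied target-domain override what the routed hostname allows.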
