[OpenAFS] Re: authenticating using AD servers hidden behind firewall

Jeffrey Altman jaltman@secure-endpoints.com
Sat, 09 Jun 2012 01:47:32 -0400

On 6/8/2012 9:27 AM, Derek Atkins wrote:
> John Tang Boyland <boyland@pabst.cs.uwm.edu> writes:
>> Our institution uses "Shibboleth" for off campus authentication,
>> since it keeps the AD (and thus kerberos) servers hidden behind
>> a firewall.  Does anyone know how to have OpenAFS use Shibboleth
>> for authentication?
> Is there any reason you can't just open port 88 on the firewall to allow
> Kerberos through?  Kerberos *is* a security protocol after all, there is
> no real reason to hide your Kerberos server completely behind a
> firewall.
>> John
> -derek


I suspect that in this case John is in no position to advise central
campus IT security on how the firewall and Active Directory deployments
should be managed.  John is simply in the position of managing a
departmental AFS cell and needing to work within the constraints of the
surrounding systems.

However, that being said, Microsoft's advice is to firewall all ports
on an Active Directory server and rely upon VPNs to access them when
necessary.  In order to authenticate the VPN via Kerberos, GSS IAKERB
has been developed to permit the authentication requests to be proxied
via the GSS acceptor.

Even outside the Microsoft world, it is becoming more common for large
enterprises to only expose a subset of the KDB contents outside the
firewall.  This may be done to ensure that certain principal names are
not visible or to restrict the set of available keys.

Jeffrey Altman