[OpenAFS] Re: authenticating using AD servers hidden behind firewall

Jeffrey Altman jaltman@secure-endpoints.com
Sat, 09 Jun 2012 01:47:32 -0400



On 6/8/2012 9:27 AM, Derek Atkins wrote:
> John Tang Boyland <boyland@pabst.cs.uwm.edu> writes:
> 
>> Our institution uses "Shibboleth" for off-campus authentication,
>> since it keeps the AD (and thus Kerberos) servers hidden behind
>> a firewall.  Does anyone know how to have OpenAFS use Shibboleth
>> for authentication?
> 
> Is there any reason you can't just open port 88 on the firewall to allow
> Kerberos through?  Kerberos *is* a security protocol after all; there is
> no real reason to hide your Kerberos server completely behind a
> firewall.
> 
>> John
> 
> -derek
> 

Derek:

I suspect that in this case John is in no position to advise central
campus IT security on how the firewall and Active Directory deployments
should be managed.  John is simply in the position of managing a
departmental AFS cell and needing to work within the constraints of the
surrounding systems.

However, that being said, Microsoft's advice is to firewall all ports
on an Active Directory server and rely upon VPNs to access them when
necessary.  In order to authenticate the VPN via Kerberos, GSS IAKERB
has been developed to permit the authentication requests to be proxied
via the GSS acceptor.

Even outside the Microsoft world, it is becoming more common for large
enterprises to only expose a subset of the KDB contents outside the
firewall.  This may be done to ensure that certain principal names are
not visible or to restrict the set of available keys.

Jeffrey Altman
