Re: Looking for a "Kerberos Router"?

2024-03-13 Thread Marco Rebhan via Kerberos
> On 13. Mar 2024, at 12:48, Yoann Gini  wrote:
> 
> Which allow us to have end to end TLS communication between our customers and 
> their tenant. Which is mandatory for our mTLS. But without consuming one 
> public IP per tenant to keep cost under control.
> 
> Here with Kerberos, I'm wondering how we can achieve something equivalent, 
> using a shared IP for multiple Kerberos realms and having the incoming 
> requests routed to the appropriate backend by some kind of inspection.

Set it up with a publicly routable IPv6 network, with one IP per tenant. You’re 
not going to run out of a /64 anytime soon, so the cost should stay constant.

-Marco

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: About the purpose of client host principals for NFS

2023-10-07 Thread Marco Rebhan via Kerberos
On Saturday, 7 October 2023 22:15:32 CEST Russ Allbery wrote:
> [..]

That clears up a lot, thank you so much!

-Marco




About the purpose of client host principals for NFS

2023-10-07 Thread Marco Rebhan via Kerberos
Hey list,

I'm currently setting up Kerberos for my home network. The main motivation was 
to get secure NFS, and as such I've looked at various guides on how to set it 
up for that. They (for example, the Arch Wiki[1]) pretty much all tell you to 
create principals for the host and NFS service for both the NFS server and 
clients that want to connect.

However, after setting up the NFS server and my Linux PC like this, I tested 
the whole setup with my MacBook which doesn't have a host principal or any 
other krb5 configuration yet (it can find the KDC due to DNS), and to my 
surprise it can both obtain a TGT for my user and afterwards also mount the 
NFS share.

What purpose does the host principal for clients serve here? I assumed it 
would be either used to authenticate hosts before they're allowed to obtain a 
TGT, or authenticate for mounting NFS shares, but clearly that's not the case 
since it works without. Is it only used so that the network share can be 
mounted without a user TGT?

Thanks,
Marco

[1]: https://wiki.archlinux.org/title/Kerberos#NFS_security
