pod <[email protected]> writes:

> For example there seems to be a school of thought amongst certain
> deployers of Active Directory (a component of which is a Kerberos KDC)
> that it should not be exposed more widely than strictly necessary.
> There are however plenty of deployments of Heimdal and MIT KDCs that
> are exposed to the world and, incidentally, derive much advantage by
> so doing.
In my experience, common practice in the Active Directory world is to start by using a VPN before doing anything else, which of course also works (although I find it more annoying and difficult to use than just using ssh with an externally exposed Kerberos server).

Certainly, anything you expose to the world can be attacked. If you allow anyone to hit your Kerberos server, your Kerberos server can be attacked. If you allow anyone to hit your ssh servers with public key authentication enabled, the public key authentication can be attacked. Both ssh and Kerberos KDCs are treated with special care and concern for security issues and generally have a very fast turn-around time for fixes and updates.

I personally am comfortable exposing UNIX-based Kerberos KDCs to the Internet. I have no expertise with running Active Directory and cannot comment there.

-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
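The message above accepts that an Internet-facing KDC will be hit with password guessing and relies on the KDC being well maintained. The other half of that bargain is watching the KDC log. The following is an added example, not code from the thread or from any Kerberos distribution: it parses log lines in the style MIT's krb5kdc writes for AS requests and flags source addresses that accumulate many PREAUTH_FAILED results in a short window, which is what online guessing against an exposed KDC looks like. The log lines, hostnames, addresses and principals are constructed for the example; the threshold and window are assumed values, not anything the thread specifies.

```python
"""Flag likely password guessing against an exposed KDC from krb5kdc-style log lines.

Added example; the sample log below is constructed (hosts, IPs and principals are
made up) in the format MIT krb5kdc uses for AS_REQ events, not taken from a real KDC.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
Jan 02 12:00:01 kdc1 krb5kdc[4242](info): AS_REQ (4 etypes {18 17 16 23}) 203.0.113.9: NEEDED_PREAUTH: alice@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Additional pre-authentication required
Jan 02 12:00:02 kdc1 krb5kdc[4242](info): AS_REQ (4 etypes {18 17 16 23}) 203.0.113.9: PREAUTH_FAILED: alice@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Decrypt integrity check failed
Jan 02 12:00:04 kdc1 krb5kdc[4242](info): AS_REQ (4 etypes {18 17 16 23}) 203.0.113.9: PREAUTH_FAILED: alice@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Decrypt integrity check failed
Jan 02 12:00:05 kdc1 krb5kdc[4242](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.4: NEEDED_PREAUTH: dave@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Additional pre-authentication required
Jan 02 12:00:06 kdc1 krb5kdc[4242](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.4: PREAUTH_FAILED: dave@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Decrypt integrity check failed
Jan 02 12:00:07 kdc1 krb5kdc[4242](info): AS_REQ (4 etypes {18 17 16 23}) 203.0.113.9: PREAUTH_FAILED: bob@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Decrypt integrity check failed
Jan 02 12:00:09 kdc1 krb5kdc[4242](info): AS_REQ (4 etypes {18 17 16 23}) 203.0.113.9: PREAUTH_FAILED: bob@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Decrypt integrity check failed
Jan 02 12:00:12 kdc1 krb5kdc[4242](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.4: ISSUE: authtime 1704196812, etypes {rep=18 tkt=18 ses=18}, dave@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
Jan 02 12:00:14 kdc1 krb5kdc[4242](info): AS_REQ (4 etypes {18 17 16 23}) 203.0.113.9: PREAUTH_FAILED: carol@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Decrypt integrity check failed
Jan 02 12:00:20 kdc1 krb5kdc[4242](info): AS_REQ (4 etypes {18 17 16 23}) 203.0.113.9: PREAUTH_FAILED: carol@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Decrypt integrity check failed
"""

# syslog timestamp, host, krb5kdc[pid](info): AS_REQ (...) <client ip>: <STATUS>: <rest>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ krb5kdc\[\d+\]\(info\): "
    r"AS_REQ \([^)]*\) (?P<ip>[0-9a-fA-F.:]+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)


def parse_line(line):
    """Return {ts, ip, status, principal} for an AS_REQ line, or None if it is not one."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # Syslog timestamps carry no year; only relative spacing matters here.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    principal = None
    if m["status"] != "ISSUE":
        # Failure lines read "<client principal> for <service principal>, <reason>".
        principal = m["rest"].split(" for ", 1)[0]
    return {"ts": ts, "ip": m["ip"], "status": m["status"], "principal": principal}


def find_guessing_sources(lines, threshold=5, window_s=60):
    """Map each client IP that produced >= threshold PREAUTH_FAILED results within
    window_s seconds to the peak count seen and the principals it tried.

    threshold and window_s are assumed tuning values; pick them for your realm."""
    recent = defaultdict(deque)      # ip -> timestamps of failures in the window
    principals = defaultdict(set)    # ip -> every principal that failed from it
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["status"] != "PREAUTH_FAILED":
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        principals[ev["ip"]].add(ev["principal"])
        while (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            prev = alerts.get(ev["ip"], {}).get("failures", 0)
            alerts[ev["ip"]] = {
                "failures": max(prev, len(q)),
                "principals": sorted(principals[ev["ip"]]),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in find_guessing_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['failures']} pre-auth failures, tried {info['principals']}")
```

In the sample, 198.51.100.4 fails once and then gets a ticket (an ordinary typo), while 203.0.113.9 fails six times across three principals inside a minute and is the only address reported. A single NEEDED_PREAUTH is not counted, since it is the normal first leg of every AS exchange with pre-authentication enabled, not an error.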

