On Fri, 2012-06-29 at 13:16 +0200, Natxo Asenjo wrote:
> hi,
>
> Is it 'safe' to use ipa on the internet?
>
> My feeling is it's, I mean, kerberos is meant for untrusted networks.
That is what it has been built for.
> What are your thoughts about this?

I think you need to assess your threat model and decide if you are comfortable with it.
You may want to have some way to analyze traffic patterns to at least detect potential attacks for better peace of mind.

> What ports of the kdc should *not* be accessible?

You may decide to not expose the admin interface, but that would also prevent password changes; if that's a limitation you can live with, then you could decide to expose only port 88.

Simo.

--
Simo Sorce * Red Hat, Inc * New York