On 6/8/2012 9:27 AM, Derek Atkins wrote:
> John Tang Boyland <[email protected]> writes:
>
>> Our institution uses "Shibboleth" for off campus authentication,
>> since it keeps the AD (and thus kerberos) servers hidden behind
>> a firewall. Does anyone know how to have OpenAFS use Shibboleth
>> for authentication?
>
> Is there any reason you can't just open port 88 on the firewall to allow
> Kerberos through? Kerberos *is* a security protocol after all, there is
> no real reason to hide your Kerberos server completely behind a
> firewall.
>
>> John
>
> -derek
Derek:

I suspect that in this case John is in no position to advise central campus IT security on how the firewall and active directory deployments should be managed. John is simply in the position of managing a departmental afs cell and needing to work within the constraints of the surrounding systems.

However, that being said, Microsoft's advice is to firewall all ports on an active directory server and rely upon VPNs to access them when necessary. In order to authenticate the VPN via Kerberos, GSS IAKERB has been developed to permit the authentication requests to be proxied via the GSS acceptor.

Even outside the Microsoft world, it is becoming more common for large enterprises to only expose a subset of the KDB contents outside the firewall. This may be done to ensure that certain principal names are not visible or to restrict the set of available keys.

Jeffrey Altman