Sorry to focus in on just a single offhand remark, but ... On Fri, 28 Nov 2014, Frank Cusack wrote:
> implemented/supported/documented. It would require the KDC to be out in
> the open (to get the ticket used for the VPN auth) and most folks aren't
> going to do that.

... can you say more about *why* most folks aren't going to do that?

We have our KDC open to the public here at MIT, and the Kerberos protocol is explicitly designed to be usable over public (untrusted) networks. Now, if users are using weak passwords, this can cause problems, but there are technologies to work around those as well, such as FAST tunnels or an https proxy, or even passwordless authentication such as via PKINIT.

We would really like to understand better (and hopefully counter) this idea that KDCs should not be exposed to the public internet.

Thanks,
Ben

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
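A configuration sketch of the mitigations Ben lists for a KDC reachable from the public internet (pre-authentication, an HTTPS KDC proxy, PKINIT and FAST armor), added here as an example and not taken from the thread or from MIT's own deployment; the realm EXAMPLE.COM, the host names and the file paths are assumptions.

```ini
# --- kdc.conf on the KDC (realm, hosts and paths are placeholders) ---
[realms]
    EXAMPLE.COM = {
        # Require pre-authentication for every new principal, so the KDC never
        # returns an AS-REP (encrypted under the user's long-term key) to an
        # unauthenticated requester. This removes the easiest offline guessing
        # path against weak passwords; an observer on the network path can
        # still work on the encrypted timestamp unless the exchange is armored
        # with FAST (below).
        default_principal_flags = +preauth
        # KDC-side PKINIT identity and trust anchors: needed for passwordless
        # certificate logons and for anonymous PKINIT, which clients use to
        # obtain the armor ticket that FAST wraps the password exchange in.
        pkinit_identity = FILE:/var/lib/krb5kdc/kdc.crt,/var/lib/krb5kdc/kdc.key
        pkinit_anchors = FILE:/var/lib/krb5kdc/cacert.pem
        # Anonymous tickets may only be used to reach the TGS (i.e. as armor),
        # never to authenticate to services.
        restrict_anonymous_to_tgt = true
    }

# --- krb5.conf on clients outside the perimeter ---
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        # Reach the KDC through an HTTPS proxy (MS-KKDCP) instead of exposing
        # port 88 directly; the proxy host runs a KKDCP service in front of
        # the KDC, and krb5 1.13+ accepts https:// URLs here.
        kdc = https://kdcproxy.example.com/KdcProxy
        admin_server = kdc.example.com
        # Client-side trust anchor to verify the KDC's PKINIT certificate.
        pkinit_anchors = FILE:/etc/krb5/cacert.pem
    }

# Client-side FAST usage (shell commands shown as comments):
#   kinit -n -c /tmp/armor_cc      # anonymous PKINIT: armor ticket, no password sent
#   kinit -T /tmp/armor_cc alice   # password pre-auth tunnelled inside the FAST armor
```

With this in place a password user who skips the `-T` step still gets a plain, unarmored pre-authentication exchange, so FAST protects only the clients that actually use it; PKINIT logons avoid the password on the wire altogether.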