Thank you for the information; however, this technical language is beyond my computer skill. If you don’t mind, then may I observe your meeting in these emails?
Sent from my iPhone

> On Sep 11, 2021, at 6:43 PM, kerberos-requ...@mit.edu wrote:
>
> Send Kerberos mailing list submissions to
>     kerberos@mit.edu
>
> To subscribe or unsubscribe via the World Wide Web, visit
>     https://mailman.mit.edu/mailman/listinfo/kerberos
> or, via email, send a message with subject or body 'help' to
>     kerberos-requ...@mit.edu
>
> You can reach the person managing the list at
>     kerberos-ow...@mit.edu
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Kerberos digest..."
>
>
> Today's Topics:
>
>   1. Re: heimdal http proxy (Charles Hedrick)
>   2. Re: heimdal http proxy (Charles Hedrick)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 11 Sep 2021 22:16:36 +0000
> From: Charles Hedrick <hedr...@rutgers.edu>
> Subject: Re: heimdal http proxy
> To: Rick van Rein <r...@openfortress.nl>
> Cc: "kerberos@mit.edu" <kerberos@mit.edu>
> Message-ID: <eb1dce86-9fae-4897-89c5-0383095bf...@rutgers.edu>
> Content-Type: text/plain; charset="utf-8"
>
> My use case is a few web applications. Linux user group management, editing
> our wiki, and responding to help desk tickets. Generic web apps that I would
> like to use at home. We support CAS, but our university CAS server has
> disabled SSO. Since I already have a Kerberos ticket to use ssh, it would be
> nice to be able to get into the web apps without having to do CAS and Duo
> each time. (My Kerberos tickets also require two factor authentication to get
> them.)
>
> We use Kerberos and GSSAPI for other things, but not that I'd need at home.
>
>> On Sep 11, 2021, at 2:22 PM, Rick van Rein <r...@openfortress.nl> wrote:
>>
>> Hello Charles,
>>
>>> I'd like to be able to use Kerberos SPNEGO at home. Unfortunately the Mac
>>> uses Heimdal.
>>
>> SPNEGO has really a low security level. I am surprised this is considered
>> acceptable for a https proxy.
>>
>> We are working on two better solutions, with software that classifies only
>> little over "proof of concept".
>>
>> - TLS-KDH to integrate Kerberos authentication with ECDH encryption;
>>   this combination is in fact Quantum Proof
>>
>>   https://datatracker.ietf.org/doc/html/draft-vanrein-tls-kdh
>>
>> - HTTP-SASL integrates SASL as a HTTP authentication mechanism, and this
>>   is meant to allow Kerberos as well. In contrast with SPNEGO, it would
>>   be possible to require Channel Binding (at least to the webserver _name_).
>>
>>   https://datatracker.ietf.org/doc/html/draft-vanrein-httpauth-sasl
>>
>>
>> Take note: These have not even been proposed on this list, simply due to
>> lack of time to actively discuss it (been mostly occupied with this and
>> related implementations). So at best this could be a future opportunity.
>> Still, your use case may help to propel the work forward, so please share
>> if this would be helpful for your situation. You may want to pass this
>> by your sysadmin too.
>>
>>
>> Cheers,
>> -Rick
>
>
>
> ------------------------------
>
> Message: 2
> Date: Sat, 11 Sep 2021 22:33:53 +0000
> From: Charles Hedrick <hedr...@rutgers.edu>
> Subject: Re: heimdal http proxy
> To: Rick van Rein <r...@openfortress.nl>
> Cc: "kerberos@mit.edu" <kerberos@mit.edu>
> Message-ID: <04863a7d-342e-42b0-b71a-d5816d9c2...@rutgers.edu>
> Content-Type: text/plain; charset="utf-8"
>
> Another use case is getting tickets for Mac users. We have a few users that
> ssh into enough different hosts that they want to use kerberized ssh. Unless
> we open port 88 to the outside, they have to install Mac ports and use the
> MIT kinit. While it seems simple to me, it's not for real users. If they
> could point Heimdal to a proxy I think it would be easier to support. It
> won't work for two factor, since Apple's Heimdal kinit doesn't support that,
> but most users don't use two factors, just privileged users.
>
> The easier solution would be for Apple to move to MIT, but I have no way to
> make that happen.
>
>
>
> ------------------------------
>
> _______________________________________________
> Kerberos mailing list
> Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
> End of Kerberos Digest, Vol 224, Issue 3
> ****************************************