"Fossies" - the Fresh Open Source Software Archive

Member "krb5-1.18/doc/admin/https.rst" (12 Feb 2020, 1958 Bytes) of package /linux/misc/krb5-1.18.tar.gz:

As a special service "Fossies" has tried to format the requested source page into HTML format (assuming markdown format). Alternatively you can here view or download the uninterpreted source code file. A member file download can also be achieved by clicking within a package contents listing on the according byte size field.

HTTPS proxy configuration

In addition to being able to use UDP or TCP to communicate directly with a KDC as is outlined in RFC4120, and with kpasswd services in a similar fashion, the client libraries can attempt to use an HTTPS proxy server to communicate with a KDC or kpasswd service, using the protocol outlined in [MS-KKDCP].

Communicating with a KDC through an HTTPS proxy allows clients to contact servers when network firewalls might otherwise prevent them from doing so. The use of TLS also encrypts all traffic between the clients and the KDC, preventing observers from conducting password dictionary attacks or from observing the client and server principals being authenticated, at additional computational cost to both clients and servers.

An HTTPS proxy server is provided as a feature in some versions of Microsoft Windows Server, and a WSGI implementation named kdcproxy is available in the python package index.

Configuring the clients

To use an HTTPS proxy, a client host must trust the CA which issued that proxy's SSL certificate. If that CA's certificate is not in the system-wide default set of trusted certificates, configure the following relation in the client host's krb5.conf(5) file in the appropriate realms subsection:

http_anchors = FILE:/etc/krb5/cacert.pem

Adjust the pathname to match the path of the file which contains a copy of the CA's certificate. The http_anchors option is documented more fully in krb5.conf(5).

Configure the client to access the KDC and kpasswd service by specifying their locations in its krb5.conf(5) file in the form of HTTPS URLs for the proxy server:

kdc = https://server.fqdn/KdcProxy
kpasswd_server = https://server.fqdn/KdcProxy

If the proxy and client are properly configured, client commands such as kinit, kvno, and kpasswd should all function normally.