Kerberos and Firewalls

Most datacenters block non-standard ports at their firewalls, including ports for lesser-used protocols. The Kerberos Key Distribution Center (KDC) listens on port 88 (TCP and UDP), which means that, practically speaking, a machine cannot get a ticket over the public internet. Last summer, Robbie Harwood interned here at Red Hat. Together, we put together a plan to address this.

It turns out that the fine folks at Microsoft tripped over this very problem long ago, and came up with an approach: use HTTP to talk to a proxy to the KDC. Their protocol, called KKDCP, was written up in RFC form on their site. It makes sense that the MIT Kerberos approach should interoperate with the Microsoft product.
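To make the proxy approach concrete, here is an added example (not code from MIT Kerberos, Microsoft, or anyone named in this post) of the message wrapping the proxy protocol uses: the client POSTs a DER-encoded KDC-PROXY-MESSAGE holding the length-prefixed Kerberos request and the target realm, and the proxy checks it before relaying to port 88. The field layout follows the published MS-KKDCP specification; the function names, the realm allow-list check, and the sample values are assumptions made for illustration.

```python
import struct

def _tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER tag-length-value element."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + value

def _read_tlv(buf: bytes, pos: int):
    """Decode one element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def wrap_kkdcp(krb_msg: bytes, realm: str) -> bytes:
    """Client side: build the KDC-PROXY-MESSAGE body of the HTTP POST."""
    framed = struct.pack(">I", len(krb_msg)) + krb_msg  # same 4-byte prefix as Kerberos over TCP
    kerb_message = _tlv(0xA0, _tlv(0x04, framed))       # [0] OCTET STRING
    target_domain = _tlv(0xA1, _tlv(0x1B, realm.encode("ascii")))  # [1] GeneralString
    return _tlv(0x30, kerb_message + target_domain)

def unwrap_kkdcp(der: bytes, allowed_realms: set):
    """Proxy side (hypothetical helper): validate before forwarding to port 88."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    fields, pos = {}, 0
    while pos < len(seq):
        ctx, inner, pos = _read_tlv(seq, pos)
        fields[ctx] = _read_tlv(inner, 0)[1]
    framed = fields.get(0xA0, b"")
    if len(framed) < 4 or struct.unpack(">I", framed[:4])[0] != len(framed) - 4:
        raise ValueError("length prefix does not match payload")
    realm = fields.get(0xA1, b"").decode("ascii")
    if realm not in allowed_realms:
        raise ValueError("realm not served by this proxy")
    return framed[4:], realm
```

Because the proxy is the only piece reachable from the internet, rejecting malformed or out-of-realm messages there keeps unexpected traffic away from the KDC itself.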

The problem with interns is that they have a nasty habit of actually going back to finish their degree. In this case, we had a working prototype by the end of the summer, but still had the long haul of getting it merged into the MIT upstream. Fortunately, we have people here at Red Hat who can make these Herculean labors look easy. In this case, Nalin Dahyabhai spent a good chunk of time these past several months dealing with the refactorings and other changes necessary to get it in.

It merged a couple nights ago. I did the happy dance the next morning.

Kerberos across the public internet still has a long path. The code which merged needs to make it into the next Kerberos release, which needs to make it into the major Linux distributions. Until that happens, we can’t rely on the tools being in place, but we can prepare for it.

Even once it is deployed, there will be issues:

  1. How do you find the right KDC for a given site?
  2. How do you configure your system for a new KDC without giving away root privilege?
  3. How do you tell your browser that you don’t have a principal for a Kerberized site, and to use a different mechanism?

Robbie's development setup is documented here:

So here’s what you can plan for: there will be a new release of MIT Kerberos. The current plan is for a release in the fall timeframe, and we are hoping to get that version into Fedora.next. No promises, as this involves synchronizing across two distinct organizations, but it looks promising. We’ll make sure the Debian maintainers are aware as well, and try to make sure the corresponding releases have it. Meanwhile, look for notes on getting the corresponding proxy set up for FreeIPA and other MIT Kerberos server implementations. The Microsoft Proxy server is part of the terminal server product, so if you are a Microsoft shop, that is the path for you.

I’m pretty excited about this. Kerberos has the potential to vastly improve security in the public web.

UPDATE:
Nathaniel McCallum’s implementation of the KDC Proxy
