--On Monday, August 21, 2006 1:27 PM +0400 ArkanoiD wrote:

> I was talking about PKI in general and Kerberos as yet another
> infrastructure thing.
>> Kerberos V is certainly very alive for authentication. My expectation
>> would be _minimally_ to support it as an authentication back-end.
>> Kerberized logins to the firewall itself (via ssh GSSAPI, ktelnet, or
>> whatever) would also be a very good idea, especially if you support
>> krb5 principal ACLs (e.g. gaspac/admin@EXAMPLE.COM may log in with
>> admin privs). Supporting krshd pass-through would be nice (it's
>> annoyingly just slightly different from rshd, as I recall from my
>> fwtk/Gauntlet days).

> Well, what is the desired deployment scenario? Where do I place the KDC?

You don't. You talk to our existing AD servers or UN*X KDCs. The firewall
needs to be able to get tickets (for password verification - just think of
the kdc as a RADIUS server, except secure), and have a keytab installed
(for ticket-based logins, if such things exist). For krsh proxying, you
don't talk to the KDC at all.

firewall-wizards mailing list
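The principal ACL the thread mentions (gaspac/admin@EXAMPLE.COM may log in with admin privs) worked through as an added example that is not part of the original messages or of any firewall product; the rule syntax, helper names and sample ACL are my own assumptions, and the KDC/keytab authentication step is assumed to have already succeeded before this authorization check runs.

```python
"""Added example, not from the thread or any firewall product: a krb5 principal
ACL for logins to the firewall itself, applied after the KDC has authenticated
the user.  Rule syntax and the sample ACL below are constructed for illustration."""
from fnmatch import fnmatchcase
from typing import NamedTuple

class Principal(NamedTuple):
    primary: str
    instance: str  # "" when absent, e.g. gaspac@EXAMPLE.COM
    realm: str

def parse_principal(text: str) -> Principal:
    """Parse 'primary[/instance]@REALM'; a backslash escapes '/', '@' or '\\'."""
    components, buf, in_realm, chars = [], [], False, iter(text)
    for ch in chars:
        if ch == "\\":
            buf.append(next(chars, ""))  # escaped character, taken literally
        elif ch == "@":
            if in_realm:  # a second unescaped '@' is malformed
                raise ValueError(f"malformed principal: {text!r}")
            components.append("".join(buf)); buf, in_realm = [], True
        elif ch == "/" and not in_realm:
            components.append("".join(buf)); buf = []
        else:
            buf.append(ch)
    realm = "".join(buf)
    # Explicit realm required (no default-realm guessing), no empty parts, <= 1 instance.
    if not (in_realm and realm and all(components) and len(components) <= 2):
        raise ValueError(f"malformed principal: {text!r}")
    return Principal(components[0], (components + [""])[1], realm)

def authorize(who: str, acl: list) -> "str | None":
    """First matching rule wins; no rule means deny.  Wildcards apply to primary
    and instance only; the realm must match exactly (realms are case-sensitive)."""
    user = parse_principal(who)
    for pattern, privilege in acl:
        rule = parse_principal(pattern)
        if (user.realm == rule.realm
                and fnmatchcase(user.primary, rule.primary)
                and fnmatchcase(user.instance, rule.instance)):
            return privilege
    return None

# Constructed sample ACL: /admin instances get admin privs, gaspac's plain principal
# gets operator, other users in the realm read-only; host/... service principals deny.
FIREWALL_ACL = [
    ("*/admin@EXAMPLE.COM", "admin"),
    ("gaspac@EXAMPLE.COM", "operator"),
    ("*@EXAMPLE.COM", "readonly"),
]
```

Note that an escaped separator stays part of the primary, so `gaspac\/admin@EXAMPLE.COM` is an ordinary user and does not match the `*/admin` rule, and a same-named principal from another realm (or with the realm in a different case) is denied outright.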