.. _https:

HTTPS proxy configuration
=========================

In addition to being able to use UDP or TCP to communicate directly
with a KDC, as outlined in RFC 4120, and with kpasswd services in a
similar fashion, the client libraries can attempt to reach a KDC or
kpasswd service through an HTTPS proxy server, using the protocol
outlined in [MS-KKDCP].  Each Kerberos request is wrapped in a
KDC-PROXY-MESSAGE and sent to the proxy as an HTTPS POST; the proxy
unwraps it, relays it to the KDC, and returns the KDC's reply to the
client wrapped the same way.

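The framing that the client libraries and the proxy exchange, as an added
example written for this page (it is not code from MIT krb5 or from
`kdcproxy`).  It implements the KDC-PROXY-MESSAGE type from [MS-KKDCP]
(``SEQUENCE { kerb-message [0] OCTET STRING, target-domain [1] KERB-REALM
OPTIONAL, dclocator-hint [2] INTEGER OPTIONAL }``) with a small hand-rolled
DER encoder so it runs on the standard library alone: ``wrap`` is the client
side, ``unwrap`` is the check a proxy performs before forwarding anything to
the KDC, and ``http_request`` shows the POST that carries the envelope.  The
function names, the ``SAMPLE_AS_REQ`` placeholder bytes and the host name in
the usage are assumptions for the example; the ``/KdcProxy`` path and the
``application/kerberos`` content type are the ones the proxies use.

```python
"""MS-KKDCP framing: client-side wrap, proxy-side unwrap, and the HTTP POST.
Added example for this page, not code from MIT krb5 or kdcproxy.  The
kerb-message octets carry the Kerberos message behind the same 4-octet
big-endian length prefix that the TCP transport uses (RFC 4120, 7.2.2)."""
import struct
from typing import Optional, Tuple


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, minimal long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Parse one TLV at pos -> (tag, content, next_pos).  Truncated input
    and non-minimal lengths are rejected rather than guessed at."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError("non-minimal DER length")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated TLV content")
    return tag, buf[pos:pos + length], pos + length


def wrap(kerb_message: bytes, target_domain: Optional[str] = None) -> bytes:
    """Client side: DER-encode one Kerberos message as a KDC-PROXY-MESSAGE."""
    framed = struct.pack("!I", len(kerb_message)) + kerb_message
    body = _tlv(0xA0, _tlv(0x04, framed))                  # [0] OCTET STRING
    if target_domain is not None:
        # KERB-REALM is a KerberosString, i.e. a GeneralString (tag 0x1B).
        body += _tlv(0xA1, _tlv(0x1B, target_domain.encode("ascii")))
    return _tlv(0x30, body)                                # SEQUENCE


def unwrap(der: bytes) -> Tuple[bytes, Optional[str]]:
    """Proxy side: validate the envelope and return (kerb_message, realm).
    Raises ValueError for anything a proxy should refuse to forward."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    tag, ctx0, pos = _read_tlv(seq, 0)
    if tag != 0xA0:
        raise ValueError("kerb-message [0] missing")
    tag, framed, inner_end = _read_tlv(ctx0, 0)
    if tag != 0x04 or inner_end != len(ctx0):
        raise ValueError("kerb-message is not a single OCTET STRING")
    if len(framed) < 4:
        raise ValueError("kerb-message shorter than its length prefix")
    (declared,) = struct.unpack("!I", framed[:4])
    if declared != len(framed) - 4:      # catches truncated or padded messages
        raise ValueError(f"length prefix {declared} != {len(framed) - 4}")
    realm = None
    if pos < len(seq):
        tag, ctx1, nxt = _read_tlv(seq, pos)
        if tag == 0xA1:
            tag, raw, _ = _read_tlv(ctx1, 0)
            if tag != 0x1B:
                raise ValueError("target-domain is not a GeneralString")
            realm = raw.decode("ascii")
            pos = nxt
    if pos < len(seq):                   # dclocator-hint [2] is tolerated, nothing else
        tag, _, pos = _read_tlv(seq, pos)
        if tag != 0xA2 or pos != len(seq):
            raise ValueError("unexpected trailing element")
    return framed[4:], realm


def http_request(der: bytes, host: str, path: str = "/KdcProxy") -> bytes:
    """The HTTP/1.1 POST the client sends inside TLS; the proxy answers with
    a KDC-PROXY-MESSAGE of the same shape wrapping the KDC's reply."""
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/kerberos\r\n"
            f"Content-Length: {len(der)}\r\n\r\n")
    return head.encode("ascii") + der


# Constructed placeholder bytes standing in for a DER-encoded AS-REQ.
SAMPLE_AS_REQ = bytes(range(0x6A, 0x6A + 12))

# Usage: envelope = wrap(SAMPLE_AS_REQ, "EXAMPLE.COM")
#        request  = http_request(envelope, "proxy.example.com")
#        message, realm = unwrap(envelope)
```

The length-prefix check in ``unwrap`` is the one worth copying: a proxy that
forwards whatever sits inside the OCTET STRING without confirming that the
prefix matches the payload will happily relay truncated or padded requests
to the KDC.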
Communicating with a KDC through an HTTPS proxy allows clients to
contact servers when network firewalls might otherwise prevent them
from doing so.  The use of TLS also encrypts all traffic between the
clients and the proxy, so a passive observer can neither mount an
offline dictionary attack against the password-derived key material
in a captured AS exchange nor see which client and server principals
are being authenticated, at additional computational cost to both
clients and servers.  Note that TLS covers only the client-to-proxy
leg: the proxy forwards the unwrapped Kerberos messages to the KDC
over ordinary TCP, so that leg still needs the network protection you
would give direct KDC traffic.

An HTTPS proxy server is provided as a feature in some versions of
Microsoft Windows Server, and a WSGI implementation named `kdcproxy`
is available on the Python Package Index.


Configuring the clients
-----------------------

To use an HTTPS proxy, a client host must trust the CA which issued
that proxy's TLS certificate.  If that CA's certificate is not in the
system-wide default set of trusted certificates, configure the
following relation in the client host's :ref:`krb5.conf(5)` file in
the appropriate :ref:`realms` subsection::

    http_anchors = FILE:/etc/krb5/cacert.pem

Adjust the pathname to match the path of the file which contains a
copy of the CA's certificate; a ``DIR:`` prefix may be used instead
to name a directory of certificate files.  The `http_anchors` option
is documented more fully in :ref:`krb5.conf(5)`.

Configure the client to access the KDC and kpasswd service by
specifying their locations in its :ref:`krb5.conf(5)` file in the form
of HTTPS URLs for the proxy server::

    kdc = https://server.fqdn/KdcProxy
    kpasswd_server = https://server.fqdn/KdcProxy

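The relations above placed in context, as an added example of a complete
realm stanza (it is not a configuration shipped with krb5 or with any
proxy).  The realm name ``EXAMPLE.COM``, the proxy host
``kdcproxy.example.com`` and the CA file path are assumptions; the
``/KdcProxy`` path is the one used on this page.  Both services point at the
same proxy endpoint, and ``http_anchors`` is needed only when the CA that
issued the proxy's certificate is absent from the system trust store.

```ini
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = https://kdcproxy.example.com/KdcProxy
        kpasswd_server = https://kdcproxy.example.com/KdcProxy
        http_anchors = FILE:/etc/krb5/kdcproxy-ca.pem
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

With this file in place, ``kinit user@EXAMPLE.COM`` should obtain a ticket
through the proxy; if it fails with a certificate error, the first thing to
check is that the file named by ``http_anchors`` really contains the issuing
CA and that the host name in the URL is the one the certificate was issued
for.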
If the proxy and client are properly configured, client commands such
as ``kinit``, ``kvno``, and ``kpasswd`` should all function normally.