[Freeipa-users] kdc on the internet

Simo Sorce simo at redhat.com
Fri Jun 29 14:27:00 UTC 2012


On Fri, 2012-06-29 at 13:16 +0200, Natxo Asenjo wrote:
> hi,
> 
> Is it 'safe' to use ipa on the internet?
> 
> My feeling is it is, I mean, Kerberos is meant for untrusted networks.

That is what it has been built for.

> What are your thoughts about this?

I think you need to assess your threat model and decide if you are
comfortable with it. You may want to have some way to analyze traffic
patterns to at least detect potential attacks for better peace of mind.

> What ports of the kdc should *not* be accessible?

You may decide to not expose the admin interface, but that would also
prevent password changes; if that's a limitation you can live with, then
you could decide to expose only port 88.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
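
Added example, not part of the original message or of FreeIPA: one way to act on the suggestion above to watch for potential attacks against an exposed KDC is to count failed AS_REQs per source address in the KDC log. The log line shape is an assumption modelled on MIT krb5kdc entries; the sample lines, thresholds and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed line shape, modelled on MIT krb5kdc AS_REQ log entries.
AS_REQ = re.compile(
    r"AS_REQ \(.*?\) (?P<ip>\S+?): (?P<status>[A-Z_]+): .*?(?P<client>\S+) for ")
# NEEDED_PREAUTH is part of a normal login and is deliberately not counted.
FAILURES = {"PREAUTH_FAILED", "CLIENT_NOT_FOUND"}


def suspicious_sources(log_text, max_failures=3, max_principals=3):
    """Map source IP -> reasons, for sources above either threshold."""
    failures = defaultdict(int)
    principals = defaultdict(set)
    for line in log_text.splitlines():
        m = AS_REQ.search(line)
        if m and m["status"] in FAILURES:
            failures[m["ip"]] += 1
            principals[m["ip"]].add(m["client"])
    report = {}
    for ip, count in failures.items():
        reasons = []
        if count > max_failures:
            reasons.append("repeated failed AS_REQs")
        if len(principals[ip]) > max_principals:
            reasons.append("many distinct principals")
        if reasons:
            report[ip] = reasons
    return report


def _line(ip, status, user, text):
    # Builds one constructed log line; host, PID and realm are made up.
    return (f"Jun 29 14:00:01 ipa.example.com krb5kdc[1234](info): AS_REQ "
            f"(4 etypes {{18 17 16 23}}) {ip}: {status}: {user}@EXAMPLE.COM "
            f"for krbtgt/EXAMPLE.COM@EXAMPLE.COM, {text}")


SAMPLE_LOG = "\n".join(
    # One source failing repeatedly against a single principal.
    [_line("203.0.113.5", "PREAUTH_FAILED", "alice", "Preauthentication failed")] * 5
    # One source walking through principal names that do not exist.
    + [_line("198.51.100.7", "CLIENT_NOT_FOUND", u, "Client not found in Kerberos database")
       for u in ("admin", "root", "test", "backup")]
    # A single mistyped password and a normal pre-auth round trip: not flagged.
    + [_line("192.0.2.10", "PREAUTH_FAILED", "bob", "Preauthentication failed"),
       _line("192.0.2.10", "NEEDED_PREAUTH", "bob", "Additional pre-authentication required")])

if __name__ == "__main__":
    for ip, reasons in suspicious_sources(SAMPLE_LOG).items():
        print(ip, ", ".join(reasons))
```

Thresholds would need tuning per deployment, and a real run would bucket counts by time window rather than over the whole file.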



