.. _https:

HTTPS proxy configuration
=========================

In addition to being able to use UDP or TCP to communicate directly
with a KDC as is outlined in RFC4120, and with kpasswd services in a
similar fashion, the client libraries can attempt to use an HTTPS
proxy server to communicate with a KDC or kpasswd service, using the
protocol outlined in [MS-KKDCP].

Communicating with a KDC through an HTTPS proxy allows clients to
contact servers when network firewalls might otherwise prevent them
from doing so. The use of TLS also encrypts all traffic between the
clients and the KDC, preventing observers from conducting password
dictionary attacks or from observing the client and server principals
being authenticated, at additional computational cost to both clients
and servers.

An HTTPS proxy server is provided as a feature in some versions of
Microsoft Windows Server, and a WSGI implementation named `kdcproxy`
is available in the python package index.


Configuring the clients
-----------------------

To use an HTTPS proxy, a client host must trust the CA which issued
that proxy's SSL certificate. If that CA's certificate is not in the
system-wide default set of trusted certificates, configure the
following relation in the client host's :ref:`krb5.conf(5)` file in
the appropriate :ref:`realms` subsection::

    http_anchors = FILE:/etc/krb5/cacert.pem

Adjust the pathname to match the path of the file which contains a
copy of the CA's certificate. The `http_anchors` option is documented
more fully in :ref:`krb5.conf(5)`.

Configure the client to access the KDC and kpasswd service by
specifying their locations in its :ref:`krb5.conf(5)` file in the form
of HTTPS URLs for the proxy server::

    kdc = https://server.fqdn/KdcProxy
    kpasswd_server = https://server.fqdn/KdcProxy

If the proxy and client are properly configured, client commands such
as ``kinit``, ``kvno``, and ``kpasswd`` should all function normally.
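The two relations above (``http_anchors`` and the ``https://`` forms of
``kdc`` and ``kpasswd_server``) are easy to get subtly wrong in a
hand-edited ``krb5.conf``: a ``kdc`` URL that is not ``https``, or an
``http_anchors`` value without its ``FILE:`` or ``DIR:`` prefix, leaves
the client unable to reach or to verify the proxy. The following script
is an added example, not part of the krb5 documentation or code base: it
parses the ``[realms]`` section with a minimal reader for the profile
syntax and reports such mistakes. The realm names, hostnames and paths
in ``SAMPLE_KRB5_CONF`` are constructed for the example.

```python
"""Audit the [realms] section of a krb5.conf for HTTPS-proxy settings.

Added example: checks that every kdc / kpasswd_server URL uses the
https scheme and that http_anchors values carry a FILE: or DIR: prefix.
"""
import re
from urllib.parse import urlsplit

# Constructed sample configuration (hostnames and paths are made up).
# EXAMPLE.COM is configured as the page describes; BROKEN.EXAMPLE
# carries two mistakes the audit should report.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = https://proxy.example.com/KdcProxy
        kpasswd_server = https://proxy.example.com/KdcProxy
        http_anchors = FILE:/etc/krb5/cacert.pem
    }
    BROKEN.EXAMPLE = {
        kdc = http://proxy.broken.example/KdcProxy
        kpasswd_server = kpasswd.broken.example
        http_anchors = /etc/krb5/cacert.pem
    }
"""


def parse_realms(text):
    """Return {realm: {relation: [values]}} for the [realms] section.

    Minimal reader for the krb5.conf profile syntax: '[section]'
    headers, 'key = value' relations and 'key = {' ... '}' subsections.
    Text after '#' or ';' is treated as a comment. One level of nesting
    is all [realms] needs.
    """
    realms = {}
    section = None
    current = None  # realm subsection currently being filled
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\S+)\]", line)
        if header:
            section, current = header.group(1), None
            continue
        if section != "realms":
            continue
        if line == "}":
            current = None
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep:
            continue
        if value == "{":
            current = key
            realms.setdefault(current, {})
        elif current is not None:
            realms[current].setdefault(key, []).append(value)
    return realms


def audit_realm(name, relations):
    """Return a list of finding strings for one realm's proxy settings."""
    findings = []
    proxied = False
    for rel in ("kdc", "kpasswd_server"):
        for value in relations.get(rel, []):
            if "://" not in value:
                continue  # plain host[:port]: direct UDP/TCP, not a proxy URL
            if urlsplit(value).scheme != "https":
                findings.append(f"{name}: {rel} URL {value!r} is not https")
            else:
                proxied = True
    for anchor in relations.get("http_anchors", []):
        if not anchor.startswith(("FILE:", "DIR:")):
            findings.append(
                f"{name}: http_anchors {anchor!r} lacks a FILE: or DIR: prefix")
    if proxied and "http_anchors" not in relations:
        # Not an error: the system-wide trust store is used in that case.
        findings.append(f"{name}: note: proxy CA taken from system trust store")
    return findings


def audit_krb5_conf(text):
    """Map each realm in the configuration to its list of findings."""
    return {name: audit_realm(name, rels)
            for name, rels in parse_realms(text).items()}


if __name__ == "__main__":
    for realm, findings in audit_krb5_conf(SAMPLE_KRB5_CONF).items():
        print(realm, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run against a real client's ``/etc/krb5.conf`` by passing the file's
contents to ``audit_krb5_conf``; a realm that uses direct UDP/TCP
addresses produces no findings, since the checks only apply to proxy
URLs.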