I have a request from our Linux integration people to allow external users from anywhere on the net to get a Kerberos ticket to use to SSH into our domain-joined Linux computers. To do this, I believe I'd have to make a domain controller accessible to the internet (hopefully firewalled to just the Kerberos port). The received wisdom I always had was to keep the domain controllers off the wider internet if at all possible.
I was thinking, but not sure if this is actually adding security, of using a RODC for this.
Should I proceed or suggest this workflow should change and keep blocking domain controller access from the internet?