GSSAPI x Kerberos

Douglas E. Engert deengert at anl.gov
Thu Jul 10 11:45:57 EDT 2003



silvio at gdora.com.br wrote:
> 
> Quoting "Douglas E. Engert" <deengert at anl.gov>:
> > >  The other problem I'll have to solve is to implement the authentication
> > > over HTTP, any suggestions?
> >
> > Look at the kx509 from the University of Michigan. It uses Kerberos
> > authentication to obtain a short term certificate. This certificate can
> > then be used by IE or Netscape.
> > You then use the standard SSL in the browsers and web servers.
> > The client can run on any Unix, Mac or Windows.
> 
> Sorry, I forgot to give some information about why I need to use GSS over
> HTTP (the link will help anyway :-)) 
> 
> I have an application that uses HTTP (or HTTPS) to communicate between the
> server and the clients and neither are browsers or web servers... 

Another option is that OpenSSL can encapsulate Kerberos tickets in what
SSL thinks are certificates. 

> The
> application contains the implementation of HTTP for server and client. Today,
> there's support for Basic and Digest Authentication and I want to put GSS
> authentication there too... I know that some browsers (IE and patched Mozilla)
> support that, but I don't know which to use,

So you have control over the client and server code and the platforms they run on?
This is not an option for most of us. The users will use IE or Netscape
and we have to work around that. That is why the kx509 looks so attractive,
no changes are needed to the browsers, and it works on W98, ME, W2K, XP, with IE 
or Netscape, and on Mac, Linux and any other Unix that has Netscape. 

> the Mozilla implementation or
> Microsoft's... They both seem to be very simple, the GSS information goes
> after a specific tag (IE uses Negotiate, Mozilla uses GSS-Negotiate), like
> this:
> WWW-Authenticate: Negotiate SPNEGO_data
> 
> SPNEGO seems to encapsulate GSSAPI data (I haven't read all of the RFC yet),
> but I don't think it will be useful, I was thinking of implementing the GSS
> data directly...

If you do implement SPNEGO, the ietf-krb-wg would be interested to know that.
There is some concern that it can not be done based on the current drafts.   

> 
> Any recommendations?
> 
> Silvio Fonseca
> Linux Consultant
> -------------------------------------------------
> Relato Consultoria de Informática
> Rua Mto. João Gomes de Araújo, 106 cj. 42
> Alto de Santana - São Paulo - SP
> Telefones: (11) 6978-5253 / (11) 6978-5262
> Fax: (11) 6971-3115

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
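
Added example, not part of the original message or of either poster's code: a Python parser that takes the value of a `Negotiate` header like the one quoted above and reports whether the token is SPNEGO-wrapped, a bare Kerberos 5 GSS-API token, or raw NTLM, by decoding the mechanism OID in the RFC 2743 initial-token framing. The function names and the sample token are constructed for illustration.

```python
import base64

MECHS = {"1.3.6.1.5.5.2": "SPNEGO", "1.2.840.113554.1.2.2": "Kerberos 5"}  # mechanism OIDs

def _read_len(buf, pos):
    """Decode a DER length at buf[pos] (caller ensures pos < len(buf))."""
    if buf[pos] < 0x80:                      # short form
        return buf[pos], pos + 1
    n = buf[pos] & 0x7F                      # long form: n length bytes follow
    if not 1 <= n <= 4 or pos + 1 + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _decode_oid(body):
    """Turn DER OID content bytes into dotted notation."""
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    subs, val = [], 0
    for b in body:                           # base-128, high bit = "more follows"
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            subs.append(val)
            val = 0
    first = min(subs[0] // 40, 2)            # first two arcs share one value
    return ".".join(map(str, [first, subs[0] - 40 * first] + subs[1:]))

def classify_negotiate(header_value):
    """Return (mechanism name, inner token bytes) for a Negotiate header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        raise ValueError("not a Negotiate header carrying a token")
    tok = base64.b64decode(b64.strip(), validate=True)
    if tok.startswith(b"NTLMSSP\x00"):       # raw NTLM has no GSS-API framing
        return "NTLM", tok
    if len(tok) < 2 or tok[0] != 0x60:       # [APPLICATION 0] per RFC 2743 3.1
        raise ValueError("not a GSS-API initial context token")
    total, pos = _read_len(tok, 1)
    if pos + total != len(tok) or total < 2 or tok[pos] != 0x06:
        raise ValueError("bad outer length or missing mechanism OID")
    oid_len, pos = _read_len(tok, pos + 1)
    if pos + oid_len > len(tok):
        raise ValueError("truncated mechanism OID")
    oid = _decode_oid(tok[pos:pos + oid_len])
    return MECHS.get(oid, "unknown mechanism " + oid), tok[pos + oid_len:]

# Constructed sample (not a real ticket): SPNEGO framing around a 2-byte body.
SAMPLE = "Negotiate " + base64.b64encode(bytes.fromhex("600a06062b0601050502a000")).decode()
if __name__ == "__main__":
    print(classify_negotiate(SAMPLE)[0])
```

A server that accepts both forms can use the returned mechanism name to decide whether to hand the inner bytes to an SPNEGO decoder or straight to the Kerberos GSS-API acceptor.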

