GSSAPI x Kerberos
Sam Hartman
hartmans at MIT.EDU
Fri Jul 11 08:45:35 EDT 2003
>>>>> "Douglas" == Douglas E Engert <deengert at anl.gov> writes:
Douglas> silvio at gdora.com.br wrote:
>> Citando "Douglas E. Engert" <deengert at anl.gov>: > > The other
>> problem I'll have to solve is to implement the authentication >
>> over > > HTTP, any suggestions?
>> >
>> > Look at the kx509 from the University of Michigan. It uses
>> Kerberos > authentication > to obtain a short term
>> certificate. This certificate can then be used by IE > or
>> Netscape. > You then use the standard SSL in the browsers and
>> web servers. > The client can run on any Unix, Mac or Windows.
>>
>> Sorry, I forgot to give a few informations about why I need to
>> use GSS over HTTP (the link will help anyway :-))
>>
>> I have an application that uses HTTP (or HTTPS) to communicate
>> between the server and the clients and neither are browsers or
>> web servers...
Douglas> Another option is that OpenSSL can encapsulate Kerberos
Douglas> tickets in what SSL thinks are certificates.
Please don't do this is you can avoid it. Use either the Mozilla or
the Microsoft style GSSAPI, or better yet don't use HTTP at all if you
don't expect your application to be used by normal web browsers.
There are some significant issues with RFC 2712 (Kerberos inside TLS)
and even more significant issues with the OpenSSL implementation of
that spec.
More information about the Kerberos
mailing list