Apache modules compatible with kerberos in 1.7b

Jeffrey Hutzelman jhutz at cmu.edu
Tue Mar 23 22:09:54 EST 2004



On Tuesday, March 23, 2004 21:49:48 -0500 Wyllys Ingersoll 
<wyllys.ingersoll at sun.com> wrote:

> The "negotiateauth" extension in Mozilla 1.7b uses GSSAPI
> for authentication in the same manner that Microsoft IE and IIS
> use it.  By default, Mozilla 1.7b will *NOT*
> respond to server requests for "Negotiate" authentication
> unless the URL is "https://".  However, this can be overridden
> by modifying a couple of configuration options:

Careful here...

The "negotiate" method authenticates the client but does not provide 
confidentiality or integrity protection for the transferred data.  Even 
when TLS is used, the authentication context is not bound to the channel in 
any way.  Thus, unless you use TLS _and_ verify the server's certificate, 
an attacker can easily hijack your "authenticated" connection.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA
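
The condition stated in the reply above, written as a client-side gate (an added example, not part of the original message and not Mozilla's code): a `Negotiate` challenge is answered only when the URL is `https://` and the TLS context verifies both the server's certificate chain and its hostname. The function names and sample URLs are hypothetical, and each `WWW-Authenticate` value is assumed to carry a single challenge.

```python
import ssl
from urllib.parse import urlsplit


def offers_negotiate(www_authenticate_values):
    """True if any WWW-Authenticate value offers the Negotiate scheme."""
    for value in www_authenticate_values:
        # The scheme token comes first; a base64 GSSAPI token may follow it.
        parts = value.strip().split(None, 1)
        if parts and parts[0].lower() == "negotiate":
            return True
    return False


def negotiate_decision(url, tls_context, www_authenticate_values):
    """Return (allowed, reason) for answering a Negotiate challenge.

    Negotiate authenticates the client only and is not bound to the
    channel, so the only assurance about who receives the token (and who
    serves the "authenticated" responses) is a verified TLS peer.
    """
    if not offers_negotiate(www_authenticate_values):
        return (False, "server did not offer Negotiate")
    if urlsplit(url).scheme.lower() != "https":
        return (False, "URL is not https")
    if tls_context is None or tls_context.verify_mode != ssl.CERT_REQUIRED:
        return (False, "server certificate chain is not verified")
    if not tls_context.check_hostname:
        return (False, "certificate is not checked against the hostname")
    return (True, "ok")


if __name__ == "__main__":
    strict = ssl.create_default_context()   # verifies chain and hostname
    lax = ssl.create_default_context()
    lax.check_hostname = False              # must be cleared before CERT_NONE
    lax.verify_mode = ssl.CERT_NONE
    # Constructed sample inputs; the hostnames are placeholders.
    samples = [
        ("https://intranet.example/app", strict),
        ("http://intranet.example/app", strict),
        ("https://intranet.example/app", lax),
    ]
    for url, ctx in samples:
        print(url, negotiate_decision(url, ctx, ["Negotiate"]))
```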


