Firefox on Linux/UNIX and mutual authentication
Wyllys Ingersoll
wyllys.ingersoll at sun.com
Tue Feb 1 16:28:52 EST 2005
Frank Balluffi wrote:
>My investigation shows that Firefox on Windows (which uses Microsoft SSPI)
>sends RFC 2478 SPNEGO tokens with the mutual-required flag on and Firefox
>on Linux/UNIX (which uses GSSAPI) sends RFC 1964 Kerberos tokens with the
>mutual-required flag off.
>
>Can anyone think of a reason why Firefox on Linux/UNIX should not set the
>mutual-required flag on? Thanks.
Because the HTTP protocol does not support the use of mutual authentication. Microsoft "broke" the HTTP standard in order to support mutual auth by adding extra data to the "200 OK" response that the IIS server returns after it authenticates the client's Kerberos creds (SSPI). The Mozilla developers did not want to pollute the core HTTP protocol engine with special case code to handle the extra data that might be associated with a mutual-auth GSSAPI response, so they chose to ignore it.

Because mutual auth is not possible at this time, it is strongly recommended that any Linux/Apache installation that implements GSSAPI authentication (e.g. mod_auth_kerb) also use SSL to encrypt the authentication exchange. The default settings in Firefox/Mozilla are to only respond to the "Negotiate" request when the URL is "https", though this can be overridden by the user.
-Wyllys
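The difference Frank describes (an RFC 2478 SPNEGO wrapper versus a bare RFC 1964 Kerberos token, and whether the AP-REQ carries the mutual-required option) is visible in the unencrypted outer structure of the `Authorization: Negotiate` value, so a server administrator can check what a client is actually sending from a captured header. The following inspector is an added example, not code from the thread or from Firefox or mod_auth_kerb. It walks the RFC 2743 framing, picks the mechanism by OID, and reads the `ap-options` BIT STRING of the AP-REQ (bit 2 is mutual-required per RFC 1510). The sample tokens it builds are constructed: their ticket and authenticator fields are placeholder bytes, which the parser never looks at, so the code runs offline without a KDC.

```python
import base64

# Mechanism OIDs as DER content octets (the 0x06 tag and length are added by _tlv).
OID_SPNEGO = b"\x2b\x06\x01\x05\x05\x02"                 # 1.3.6.1.5.5.2 (RFC 2478)
OID_KRB5 = b"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"       # 1.2.840.113554.1.2.2 (RFC 1964)
OID_MS_KRB5 = b"\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"    # 1.2.840.48018.1.2.2 (Microsoft variant)

AP_OPTS_MUTUAL_REQUIRED = 0x20  # ap-options bit 2 = 0x20 of the first content octet (RFC 1510)


def _read_tlv(buf, pos):
    """Read one DER TLV (single-octet tags only) at buf[pos]; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the content of a constructed element into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def _tlv(tag, value):
    """DER-encode one TLV; used only to build the constructed sample tokens below."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def _krb5_mutual(inner):
    """RFC 1964 inner token: TOK_ID 01 00, then a DER AP-REQ ([APPLICATION 14] SEQUENCE)."""
    if inner[:2] != b"\x01\x00":
        raise ValueError("not a KRB_AP_REQ token")
    tag, apreq, _ = _read_tlv(inner, 2)
    if tag != 0x6E:
        raise ValueError("expected APPLICATION 14 (AP-REQ)")
    _, seq, _ = _read_tlv(apreq, 0)
    for ctag, cval in _children(seq):
        if ctag == 0xA2:                                 # ap-options [2] BIT STRING
            _, bits, _ = _read_tlv(cval, 0)              # bits[0] = unused-bit count
            return bool(bits[1] & AP_OPTS_MUTUAL_REQUIRED)
    return None


def _spnego_mutual(inner):
    """RFC 2478 NegTokenInit [0]: descend into mechToken [2] and inspect the inner mech token."""
    tag, init, _ = _read_tlv(inner, 0)
    if tag != 0xA0:                                      # negTokenTarg or unexpected: not determinable
        return None
    _, seq, _ = _read_tlv(init, 0)
    for ctag, cval in _children(seq):
        if ctag == 0xA2:                                 # mechToken [2] OCTET STRING
            _, mech_token, _ = _read_tlv(cval, 0)
            return inspect_gss_token(mech_token)["mutual_required"]
    return None


def inspect_gss_token(token):
    """Classify an RFC 2743 initial context token: mechanism and mutual-required flag."""
    tag, body, _ = _read_tlv(token, 0)
    if tag != 0x60:
        raise ValueError("not an RFC 2743 InitialContextToken")
    oid_tag, oid, pos = _read_tlv(body, 0)
    if oid_tag != 0x06:
        raise ValueError("missing mechanism OID")
    inner = body[pos:]
    if oid == OID_SPNEGO:
        return {"mechanism": "spnego", "mutual_required": _spnego_mutual(inner)}
    if oid in (OID_KRB5, OID_MS_KRB5):
        return {"mechanism": "kerberos5", "mutual_required": _krb5_mutual(inner)}
    return {"mechanism": "unknown", "mutual_required": None}


def inspect_negotiate_header(header_value):
    """Inspect the value of an 'Authorization: Negotiate <base64>' request header."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    return inspect_gss_token(base64.b64decode(b64))


def build_krb5_token(mutual_required):
    """Constructed sample: bare RFC 1964 token whose ticket/authenticator are placeholder bytes."""
    opts = b"\x00" + (b"\x20\x00\x00\x00" if mutual_required else b"\x00\x00\x00\x00")
    apreq = _tlv(0x6E, _tlv(0x30,
        _tlv(0xA0, _tlv(0x02, b"\x05")) +                # pvno 5
        _tlv(0xA1, _tlv(0x02, b"\x0e")) +                # msg-type 14 (AP-REQ)
        _tlv(0xA2, _tlv(0x03, opts)) +                   # ap-options
        _tlv(0xA3, b"PLACEHOLDER-TICKET") +              # ticket [3] (not parsed here)
        _tlv(0xA4, b"PLACEHOLDER-AUTHENTICATOR")))       # authenticator [4] (not parsed here)
    return _tlv(0x60, _tlv(0x06, OID_KRB5) + b"\x01\x00" + apreq)


def build_spnego_token(mutual_required):
    """Constructed sample: SPNEGO NegTokenInit wrapping the Kerberos token above."""
    mech_types = _tlv(0xA0, _tlv(0x30, _tlv(0x06, OID_MS_KRB5) + _tlv(0x06, OID_KRB5)))
    mech_token = _tlv(0xA2, _tlv(0x04, build_krb5_token(mutual_required)))
    return _tlv(0x60, _tlv(0x06, OID_SPNEGO) + _tlv(0xA0, _tlv(0x30, mech_types + mech_token)))


def sample_negotiate_header(mechanism, mutual_required):
    """Constructed header value mimicking the two client behaviours described in the thread."""
    token = build_spnego_token(mutual_required) if mechanism == "spnego" else build_krb5_token(mutual_required)
    return "Negotiate " + base64.b64encode(token).decode("ascii")


if __name__ == "__main__":
    for mech, mutual in (("spnego", True), ("kerberos5", False)):
        print(mech, mutual, inspect_negotiate_header(sample_negotiate_header(mech, mutual)))
```

Run against a real header taken from a request log, the result tells you whether the client asked for mutual authentication at all; it says nothing about whether the server honoured it, which is exactly the gap the thread's advice to require SSL is meant to cover.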