Need some tips on kerberizing our ENTIRE network

Fred Dushin fadushin at fourfold.org
Thu Jul 7 08:13:40 EDT 2005


I've been looking into kerberized web applications (and web services,  
in general), and I have to confess, I've come up short on satisfying  
solutions.  I thought I'd open the floor to discussion.

A big part of the problem is HTTP (big surprise -- yet another  
protocol that is being used for purposes for which it was not  
designed).  Yes, IIS supports GSS authentication via SPNEGO, but I  
have not been able to decipher whether data protection is offered;  
anecdotal evidence suggests not; I've read commentary on the web to  
this effect, and if you read the mod_auth_krb source code, you'll see  
no reference to gss_wrap or gss_*_mic, so my guess is that all SPNEGO  
is doing is offering SSO authentication.  (That seems to be the gist  
of the spec, as well)  I'm not entirely sure if mutual auth is  
offered, either, though I suppose technically it's possible to use  
HTTP 401 to establish a mutually authenticated channel.  (Anyone know  
if IE/IIS supports this?)

If mutual auth is supported, then it's feasible to use TLS with  
Diffie-Hellman cipher suites.  This way, you get data protection using  
ephemeral keys, so the "certificate management" problem basically  
goes away.  That seems like less of a hack than using TLS to do  
target authentication, but somehow it's vaguely less satisfying than  
leveraging Kerberos throughout the protocol.

The OMG seems to have taken Kerberos seriously with CORBA/SECIOP;  
does anyone know if similar attention has been paid to that  
ubiquitous protocol we've all come to know and love, HTTP?

/Fred

PS.  It seems to me that the industry (read, Microsoft) is more  
inclined to push for Kerberos integration into SOAP (e.g.,  
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnglobspec/html/ws-security-kerberos.asp),  
which is certainly do-able, albeit ridden with a lot of XML baggage.

On Jul 5, 2005, at 11:46 PM, Russ Allbery wrote:

> There are basically three different ways of doing Kerberos  
> authentication
> to web applications:
>
>  * Prompt for a username and password via HTTP basic auth over SSL and
>    authenticate that username and password via Kerberos.  Ugly, but
>    simple.  Apache modules exist.
>
>  * Use some completely separate protocol for doing authentication that
>    uses Kerberos under the hood.  Examples include WebAuth and Cosign.
>    Apache modules exist.  IIS support exists for Cosign in a released
>    state and WebAuth in a development state.
>
>  * Use SPNEGO, which is basically negotiated GSSAPI over HTTP.  Apache
>    modules exist, but requires client support.  Supported in current
>    versions of Firefox, Mozilla, Safari, and IE, with varying degrees
>    of configuration and bug workarounds required.  Client must have a
>    ticket cache to authenticate to the web server, so this method won't
>    work for travelling users using kiosk machines, whereas WebAuth and
>    Cosign will.
>
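The Negotiate exchange the thread is debating, as an added example that is not part of the original mail or of any real SPNEGO stack. The header flow follows RFC 4559: the server answers an unauthenticated request with 401 and a bare `WWW-Authenticate: Negotiate`, the client retries with `Authorization: Negotiate <base64 token>`, and the server's final `gss_accept_sec_context` output token (the mutual-authentication half) rides in `WWW-Authenticate` on the 200 response. The mechanism underneath is a constructed HMAC stand-in over a pre-shared key, not Kerberos, so the script runs offline; `ToyMechContext`, `SHARED_KEY`, `server_handle` and `client_negotiate` are names invented for this example. The client treats a 200 that carries no server token as a mutual-auth failure rather than a success, and the `get_mic`/`verify_mic` methods show that both sides end with a session key they could use for integrity protection, even though RFC 4559 defines no HTTP header to carry wrapped or MIC'd data, which is why that protection has to come from TLS.

```python
"""Offline simulation of the RFC 4559 HTTP Negotiate exchange.

Added example, not code from the mail or from any SPNEGO implementation.
The security mechanism is a constructed HMAC stand-in for Kerberos/GSSAPI.
"""
import base64
import hashlib
import hmac
import os

# Constructed pre-shared key: stands in for the Kerberos service key that the
# client's service ticket and the server's keytab both bind to.
SHARED_KEY = b"constructed-demo-key-not-a-real-krb-key"


class ToyMechContext:
    """Minimal analogue of one side's GSS security context."""

    def __init__(self, key: bytes):
        self.key = key
        self.nonce = None
        self.session_key = None
        self.established = False

    def _tag(self, label: bytes, nonce: bytes) -> bytes:
        return hmac.new(self.key, label + nonce, hashlib.sha256).digest()

    def _derive(self) -> None:
        # Both sides derive the same per-context session key from the nonce.
        self.session_key = hmac.new(self.key, b"session" + self.nonce,
                                    hashlib.sha256).digest()
        self.established = True

    def init_sec_context(self) -> bytes:
        """Initiator's token: 16-byte nonce || HMAC(key, 'client' || nonce)."""
        self.nonce = os.urandom(16)
        return self.nonce + self._tag(b"client", self.nonce)

    def accept_sec_context(self, token: bytes) -> bytes:
        """Acceptor verifies the client token and emits the mutual-auth token."""
        nonce, tag = token[:16], token[16:]
        if not hmac.compare_digest(tag, self._tag(b"client", nonce)):
            raise ValueError("client token failed verification")
        self.nonce = nonce
        self._derive()
        return self._tag(b"server", nonce)

    def verify_mutual(self, token: bytes) -> None:
        """Initiator checks the acceptor's token; only then is the context done."""
        if not hmac.compare_digest(token, self._tag(b"server", self.nonce)):
            raise ValueError("server token failed verification")
        self._derive()

    def get_mic(self, msg: bytes) -> bytes:
        """Analogue of gss_get_mic: integrity tag under the session key."""
        if not self.established:
            raise RuntimeError("context not established")
        return hmac.new(self.session_key, msg, hashlib.sha256).digest()

    def verify_mic(self, msg: bytes, mic: bytes) -> bool:
        """Analogue of gss_verify_mic."""
        return hmac.compare_digest(mic, self.get_mic(msg))


def parse_negotiate(header: str):
    """Decode 'Negotiate <b64>'. Returns b'' for a bare challenge, None if the
    header is not a Negotiate header at all."""
    parts = header.split(None, 1)
    if not parts or parts[0].lower() != "negotiate":
        return None
    return base64.b64decode(parts[1]) if len(parts) > 1 else b""


def server_handle(server_ctx, request_headers: dict, send_mutual=True):
    """Origin-server side of RFC 4559: challenge, then accept the token."""
    auth = request_headers.get("Authorization")
    token = parse_negotiate(auth) if auth else None
    if not token:
        return 401, {"WWW-Authenticate": "Negotiate"}
    try:
        out = server_ctx.accept_sec_context(token)
    except ValueError:
        return 401, {"WWW-Authenticate": "Negotiate"}
    headers = {}
    if send_mutual:  # servers are allowed to omit this; the client must notice
        headers["WWW-Authenticate"] = "Negotiate " + base64.b64encode(out).decode()
    return 200, headers


def client_negotiate(client_ctx, server_ctx, require_mutual=True,
                     server_sends_mutual=True) -> str:
    """Client side: plain request, 401, authenticated retry, mutual check."""
    status, hdrs = server_handle(server_ctx, {}, server_sends_mutual)
    if status != 401 or parse_negotiate(hdrs.get("WWW-Authenticate", "")) != b"":
        raise RuntimeError("expected a bare Negotiate challenge")
    token = base64.b64encode(client_ctx.init_sec_context()).decode()
    status, hdrs = server_handle(server_ctx, {"Authorization": "Negotiate " + token},
                                 server_sends_mutual)
    if status != 200:
        return "rejected"
    mutual = parse_negotiate(hdrs.get("WWW-Authenticate", ""))
    if not mutual:
        return "no-mutual-token" if require_mutual else "authenticated-one-way"
    client_ctx.verify_mutual(mutual)
    return "mutual"


if __name__ == "__main__":
    c, s = ToyMechContext(SHARED_KEY), ToyMechContext(SHARED_KEY)
    print(client_negotiate(c, s), c.session_key == s.session_key)
    print(client_negotiate(ToyMechContext(SHARED_KEY), ToyMechContext(SHARED_KEY),
                           server_sends_mutual=False))
    print(client_negotiate(ToyMechContext(SHARED_KEY), ToyMechContext(b"other")))
```

The check that matters for the mutual-auth question is the `no-mutual-token` branch: a client that merely looks for a 200 after sending its token has authenticated itself to whatever answered, but has not authenticated the server. Real clients expose the same choice as a "require mutual authentication" option, and the MIC methods exist only to make the point that the session key is there after the exchange; nothing in the HTTP exchange itself uses it.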
