Need some tips on kerberizing our ENTIRE network
Fred Dushin
fadushin at fourfold.org
Thu Jul 7 08:13:40 EDT 2005
I've been looking into kerberized web applications (and web services,
in general), and I have to confess, I've come up short on satisfying
solutions. I thought I'd open the floor to discussion.
A big part of the problem is HTTP (big surprise -- yet another
protocol that is being used for purposes for which it was not
designed). Yes, IIS supports GSS authentication via SPNEGO, but I
have not been able to decipher whether data protection is offered;
anecdotal evidence suggests not; I've read commentary on the web to
this effect, and if you read the mod_auth_krb source code, you'll see
no reference to gss_wrap or gss_*_mic, so my guess is that all SPNEGO
is doing is offering SSO authentication. (That seems to be the gist
of the spec, as well) I'm not entirely sure if mutual auth is
offered, either, though I suppose technically it's possible to use
HTTP 401 to establish a mutually authenticated channel. (Anyone know
if IE/IIS supports this?)
If mutual auth is supported, then it's feasible to use TLS with
Diffie-Hellman cipher suites. This way, you get data protection using
ephemeral keys, so the "certificate management" problem basically
goes away. That seems like less of a hack than using TLS to do
target authentication, but somehow it's vaguely less satisfying than
leveraging Kerberos throughout the protocol.
The OMG seems to have taken Kerberos seriously with CORBA/SECIOP;
does anyone know if similar attention has been paid to that
ubiquitous protocol we've all come to know and love, HTTP?
/Fred
PS. It seems to me that the industry (read, Microsoft) is more
inclined to push for Kerberos integration into SOAP (e.g.,
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnglobspec/html/ws-security-kerberos.asp),
which is certainly do-able, albeit ridden with a lot of XML baggage.
On Jul 5, 2005, at 11:46 PM, Russ Allbery wrote:
> There are basically three different ways of doing Kerberos authentication
> to web applications:
>
> * Prompt for a username and password via HTTP basic auth over SSL and
> authenticate that username and password via Kerberos. Ugly, but
> simple. Apache modules exist.
>
> * Use some completely separate protocol for doing authentication that
> uses Kerberos under the hood. Examples include WebAuth and Cosign.
> Apache modules exist. IIS support exists for Cosign in a released
> state and WebAuth in a development state.
>
> * Use SPNEGO, which is basically negotiated GSSAPI over HTTP. Apache
> modules exist, but requires client support. Supported in current
> versions of Firefox, Mozilla, Safari, and IE, with varying degrees
> of configuration and bug workarounds required. Client must have a
> ticket cache to authenticate to the web server, so this method won't
> work for travelling users using kiosk machines, whereas WebAuth and
> Cosign will.
>
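The split Fred describes, SPNEGO for single sign-on and TLS for data protection, is what a typical mod_auth_kerb deployment ends up doing in practice. The Apache 2.x virtual host below is an added example for this thread, not configuration posted by Fred, Russ, or the mod_auth_kerb project; the hostname, realm, certificate and keytab paths are assumptions chosen for illustration. It turns on Negotiate, refuses the Basic-auth password fallback, forces the protected location onto TLS, and prefers ephemeral Diffie-Hellman suites so the session keys are not derived from the server's long-term key.

```apacheconf
# Added example (not from the thread): SPNEGO SSO via mod_auth_kerb,
# confidentiality and server authentication via mod_ssl.
# www.example.org, EXAMPLE.ORG and the file paths are assumed values.
<VirtualHost *:443>
    ServerName www.example.org

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.org.key
    # Prefer ephemeral DH suites; the certificate then only authenticates
    # the server and is not the source of the data-protection keys.
    SSLCipherSuite EDH+HIGH:!aNULL:!eNULL
    SSLHonorCipherOrder on

    <Location /app>
        # SPNEGO authenticates, it does not encrypt: never serve this in the clear.
        SSLRequireSSL

        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbMethodNegotiate On
        # No HTTP Basic fallback, so the user's Kerberos password never
        # crosses the wire, even inside TLS.
        KrbMethodK5Passwd Off
        KrbAuthRealms EXAMPLE.ORG
        KrbServiceName HTTP
        # Keytab for HTTP/www.example.org@EXAMPLE.ORG, readable by the httpd user only
        Krb5KeyTab /etc/apache2/http.keytab
        Require valid-user
    </Location>
</VirtualHost>
```

A quick check of the deployed server is to request the protected path without a ticket: the response should be a 401 carrying `WWW-Authenticate: Negotiate` and nothing else, and a plain-HTTP request to the same path should be refused rather than prompting. A browser holding a ticket for the realm then completes the exchange without a password prompt, which is exactly the SSO-only behaviour the thread attributes to SPNEGO; confidentiality still comes entirely from the TLS layer configured above.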
More information about the Kerberos mailing list