Help: Why SSL must be enabled when using mod_auth_kerb in httpd?

Greg Hudson ghudson at MIT.EDU
Sat Mar 5 10:41:54 EST 2011


On Sat, 2011-03-05 at 04:17 -0500, Lee Eric wrote:
> Hi,
> 
> I'm just thinking why SSL must be enabled when using mod_auth_kerb in
> httpd. Because password will be transferred in encryption by Kerberos.
> So is SSL used to protect the tickets or anything else?

I'm not sure if it must be enabled, but there are reasons why it might
be a good idea.  The HTTP authentication protocol used by mod_auth_kerb
does not protect the data stream, so without a secure channel (i.e.
SSL), there is nothing connecting the authentication to the request or
response.

Also, just to nitpick, but Kerberos authentication doesn't transport
your password at all, even when you get initial tickets.
