Help: Why SSL must be enabled when using mod_auth_kerb in httpd?

Lee Eric openlinuxsource at gmail.com
Sat Mar 5 10:46:50 EST 2011


Thanks mate. So it looks like there's no obvious reason to use SSL
when using Kerberos. But I saw the sample configuration of
mod_auth_kerb module that indicates "SSLRequireSSL" should be set up
by using this module. So I want to know what part SSL protects indeed.

Thanks very much.

Eric

On Sat, Mar 5, 2011 at 11:41 PM, Greg Hudson <ghudson at mit.edu> wrote:
> On Sat, 2011-03-05 at 04:17 -0500, Lee Eric wrote:
>> Hi,
>>
>> I'm just thinking why SSL must be enabled when using mod_auth_kerb in
>> httpd. Because password will be transferred in encryption by Kerberos.
>> So is SSL used to protect the tickets or anything else?
>
> I'm not sure if it must be enabled, but there are reasons why it might
> be a good idea.  The HTTP authentication protocol used by mod_auth_kerb
> does not protect the data stream, so without a secure channel (i.e.
> SSL), there is nothing connecting the authentication to the request or
> response.
>
> Also, just to nitpick, but Kerberos authentication doesn't transport
> your password at all, even when you get initial tickets.
>
>
>
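
The following Apache httpd configuration is an added example, not part of the original thread and not the mod_auth_kerb sample configuration. It shows a Kerberos-protected location confined to SSL with `SSLRequireSSL`, so that the authenticated request and response travel over the secure channel discussed above. The hostname, realm, and file paths are placeholders.

```apache
# Constructed example: www.example.com, EXAMPLE.COM and all paths are placeholders.

# Plain-HTTP vhost: serves nothing protected, only redirects to HTTPS.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key

    <Location /private>
        # Refuse any request for this location that did not arrive over SSL/TLS.
        # The Negotiate exchange only authenticates the client; confidentiality
        # and integrity of the request and response come from the TLS channel.
        SSLRequireSSL

        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbAuthRealms EXAMPLE.COM
        KrbServiceName HTTP
        Krb5KeyTab /etc/httpd/conf/httpd.keytab

        # Negotiate (SPNEGO): the browser presents a service ticket,
        # the password is never sent to the web server.
        KrbMethodNegotiate On

        # Password fallback: when On, the browser sends the password to httpd
        # via HTTP Basic and httpd checks it against the KDC. Disabled here so
        # only ticket-based authentication is accepted.
        KrbMethodK5Passwd Off

        Require valid-user
    </Location>
</VirtualHost>
```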



