Help: Why SSL must be enabled when using mod_auth_kerb in httpd?
Tom Parker
tparker at cbnco.com
Sat Mar 5 12:04:50 EST 2011
You need to use SSL with mod_auth_kerb so that, if Negotiate auth fails and the user is prompted for their username and password, this is protected. mod_auth_kerb uses Basic auth to get this info, and your username and password are transmitted in the clear to the server in this scenario. I would never use mod_auth_kerb without SSL.
Tom
On 2011-03-05, at 9:46, Lee Eric <openlinuxsource at gmail.com> wrote:
> Thanks mate. So it looks like there's no obvious reason to use SSL
> when using Kerberos. But I saw the sample configuration of
> mod_auth_kerb module that indicates "SSLRequireSSL" should be set up
> by using this module. So I want to know what part SSL protects indeed.
>
> Thanks very much.
>
> Eric
>
> On Sat, Mar 5, 2011 at 11:41 PM, Greg Hudson <ghudson at mit.edu> wrote:
>> On Sat, 2011-03-05 at 04:17 -0500, Lee Eric wrote:
>>> Hi,
>>>
>>> I'm just thinking why SSL must be enabled when using mod_auth_kerb in
>>> httpd, because the password will be transferred encrypted by Kerberos.
>>> So is SSL used to protect the tickets or anything else?
>>
>> I'm not sure if it must be enabled, but there are reasons why it might
>> be a good idea. The HTTP authentication protocol used by mod_auth_kerb
>> does not protect the data stream, so without a secure channel (i.e.
>> SSL), there is nothing connecting the authentication to the request or
>> response.
>>
>> Also, just to nitpick, but Kerberos authentication doesn't transport
>> your password at all, even when you get initial tickets.
>>
>>
>>
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
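The two configurations below are an added illustration of the point made in this thread; they are not from the original post or from the mod_auth_kerb project documentation. The first shows the setup Tom warns against: the KrbMethodK5Passwd fallback is on and nothing forces TLS, so a client that cannot do SPNEGO (or an attacker who strips the Negotiate challenge) ends up sending a Basic Authorization header, base64-encoded but otherwise plaintext. The second forces TLS with SSLRequireSSL and, as a belt-and-braces measure, turns the password fallback off entirely so that only a Kerberos ticket is ever accepted. The realm, service principal, keytab path and directory are placeholders chosen for the example.

```apache
# --- WEAK: Basic-auth fallback enabled, no TLS required (example, not from the list post) ---
<Location /intranet>
    AuthType            Kerberos
    AuthName            "Kerberos Login"
    KrbAuthRealms       EXAMPLE.COM            # placeholder realm
    KrbServiceName      HTTP/www.example.com   # placeholder SPN; must exist in the keytab
    Krb5KeyTab          /etc/httpd/http.keytab # placeholder path
    KrbMethodNegotiate  on
    KrbMethodK5Passwd   on     # if Negotiate fails the browser is asked for a password...
    Require             valid-user
    # ...and over plain http:// that password travels as a Basic Authorization header.
</Location>

# --- HARDENED: TLS required and password fallback disabled (example, not from the list post) ---
<VirtualHost *:443>
    SSLEngine           on
    SSLCertificateFile      /etc/pki/tls/certs/www.example.com.crt   # placeholder
    SSLCertificateKeyFile   /etc/pki/tls/private/www.example.com.key # placeholder

    <Location /intranet>
        SSLRequireSSL                  # refuse to serve this location except over TLS
        AuthType            Kerberos
        AuthName            "Kerberos Login"
        KrbAuthRealms       EXAMPLE.COM
        KrbServiceName      HTTP/www.example.com
        Krb5KeyTab          /etc/httpd/http.keytab
        KrbMethodNegotiate  on
        KrbMethodK5Passwd   off    # never fall back to Basic; ticket or nothing
        KrbVerifyKDC        on     # require a service ticket the server can verify with its keytab
        KrbSaveCredentials  off    # do not write delegated credentials to disk unless needed
        Require             valid-user
    </Location>
</VirtualHost>
```

SSLRequireSSL addresses the channel problem Greg describes as well: with Negotiate, the ticket only proves who the client is at the moment the Authorization header is sent, and neither the rest of the request nor the response is bound to it, so TLS is what ties the authenticated identity to the data that follows. Turning KrbMethodK5Passwd off is optional; it removes the password path altogether, which matters if a client strips the Negotiate challenge or if users can reach the site through a non-TLS listener you forgot about. To confirm the weak configuration really does leak, watch a failing Negotiate attempt with a packet capture on port 80 and decode the Basic header with base64; in the hardened configuration the same request over http:// gets a 403 before any Authorization header is solicited.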