Help: Why SSL must be enabled when using mod_auth_kerb in httpd?

Glenn Machin gmachin at sandia.gov
Sat Mar 5 12:39:36 EST 2011


You might want to take a look at whether replay is a factor.
Mod_auth_kerb, I believe, handles both Basic and Negotiate (SPNEGO)
authentication.

If using Basic, where the Kerberos password is passed base64-encoded
in the HTTP header, you are disclosing the Kerberos password.

If you are using Negotiate, where tickets are used, you might still have
an issue with replay. Can I grab the Negotiate information from the
HTTP header and replay that over a different HTTP session?

I have not looked at it in enough depth to be an expert, but to be safe, use SSL.


Glenn
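As an added example (not from this thread or from the mod_auth_kerb project), here is an httpd configuration that follows the advice above: the weak form leaves Basic (KrbMethodK5Passwd) on over plain HTTP, so the Authorization header carries base64(user:password) readable by anyone on the path; the hardened form turns Basic off, keeps Negotiate, and uses SSLRequireSSL so the Negotiate token only ever travels inside a TLS session. The realm, keytab path, hostname and certificate paths are placeholders.

```apache
# WEAK: plain HTTP, Basic enabled.
# "Authorization: Basic <base64>" decodes directly to user:password,
# and a Negotiate token captured here could be resent on another connection.
<Location /app-weak>
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate On
    KrbMethodK5Passwd On          # Basic fallback sends the password itself
    KrbAuthRealms EXAMPLE.COM     # placeholder realm
    Krb5Keytab /etc/httpd/http.keytab   # placeholder keytab path
    Require valid-user
</Location>

# HARDENED: Negotiate only, and only over TLS.
<VirtualHost *:443>
    ServerName www.example.com    # placeholder hostname
    SSLEngine On
    SSLCertificateFile    /etc/pki/tls/certs/www.example.com.crt   # placeholder
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key # placeholder

    <Location /app>
        SSLRequireSSL             # reject any non-TLS request outright
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbMethodNegotiate On
        KrbMethodK5Passwd Off     # no Basic fallback: the password never crosses the wire
        KrbServiceName HTTP
        KrbAuthRealms EXAMPLE.COM           # placeholder realm
        Krb5Keytab /etc/httpd/http.keytab   # placeholder keytab path
        Require valid-user
    </Location>
</VirtualHost>
```

With KrbMethodK5Passwd off, a browser that cannot obtain a service ticket gets a 401 instead of being prompted for a password, which is the behaviour you want on a host that does not enforce TLS.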


On 3/5/11 8:46 AM, Lee Eric wrote:
> Thanks mate. So it looks like there's no obvious reason to use SSL
> when using Kerberos. But I saw the sample configuration of
> mod_auth_kerb module that indicates "SSLRequireSSL" should be set up
> by using this module. So I want to know what part SSL protects indeed.
>
> Thanks very much.
>
> Eric
>
> On Sat, Mar 5, 2011 at 11:41 PM, Greg Hudson <ghudson at mit.edu> wrote:
>> On Sat, 2011-03-05 at 04:17 -0500, Lee Eric wrote:
>>> Hi,
>>>
>>> I'm just thinking why SSL must be enabled when using mod_auth_kerb in
>>> httpd, because the password will be transferred encrypted by Kerberos.
>>> So is SSL used to protect the tickets or anything else?
>> I'm not sure if it must be enabled, but there are reasons why it might
>> be a good idea.  The HTTP authentication protocol used by mod_auth_kerb
>> does not protect the data stream, so without a secure channel (i.e.
>> SSL), there is nothing connecting the authentication to the request or
>> response.
>>
>> Also, just to nitpick, but Kerberos authentication doesn't transport
>> your password at all, even when you get initial tickets.
>>
>>
>>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>