Help: Why SSL must be enabled when using mod_auth_kerb in httpd?

Lee Eric openlinuxsource at gmail.com
Sun Mar 6 20:16:58 EST 2011


Thanks mate. But I am still a little confused. What kind of Negotiate
information will be transferred in the HTTP header? I thought the
replay would be encrypted also.

Thanks.

Eric

On Sun, Mar 6, 2011 at 1:39 AM, Glenn Machin <gmachin at sandia.gov> wrote:
> You might want to take a look at whether replay is a factor.
> Mod_auth_kerb I believe handles both Basic and Negotiate (SPNEGO)
> authentication.
>
> If using Basic, where the Kerberos password is passed base64-encoded
> in the HTTP header, you are disclosing the Kerberos password.
>
> If you are using Negotiate, where tickets are used, you might still have
> an issue with replay. Can I grab the Negotiate information from the
> HTTP header and replay that over a different HTTP session?
>
> I have not looked at it in enough depth to be an expert, but to be safe use SSL.
>
>
> Glenn
>
>
> On 3/5/11 8:46 AM, Lee Eric wrote:
>> Thanks mate. So it looks like there's no obvious reason to use SSL
>> when using Kerberos. But I saw the sample configuration of the
>> mod_auth_kerb module that indicates "SSLRequireSSL" should be set up
>> when using this module. So I want to know what part SSL protects indeed.
>>
>> Thanks very much.
>>
>> Eric
>>
>> On Sat, Mar 5, 2011 at 11:41 PM, Greg Hudson <ghudson at mit.edu> wrote:
>>> On Sat, 2011-03-05 at 04:17 -0500, Lee Eric wrote:
>>>> Hi,
>>>>
>>>> I'm just thinking why SSL must be enabled when using mod_auth_kerb in
>>>> httpd, because the password will be transferred encrypted by Kerberos.
>>>> So is SSL used to protect the tickets or anything else?
>>> I'm not sure if it must be enabled, but there are reasons why it might
>>> be a good idea.  The HTTP authentication protocol used by mod_auth_kerb
>>> does not protect the data stream, so without a secure channel (i.e.
>>> SSL), there is nothing connecting the authentication to the request or
>>> response.
>>>
>>> Also, just to nitpick, Kerberos authentication doesn't transport
>>> your password at all, even when you get initial tickets.
>>>
>>>
>>>
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>
>
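The httpd configuration the thread keeps circling back to, written out as an added example (not taken from the original posts or from the mod_auth_kerb sample config). It shows the two points the replies make: Basic fallback (`KrbMethodK5Passwd`) puts the Kerberos password into the `Authorization` header base64-encoded, so it is switched off; and `SSLRequireSSL` forces the Negotiate token and the request it authenticates onto one TLS channel, so a token lifted from a cleartext header cannot simply be presented on another session. The realm `EXAMPLE.COM`, the keytab path and the `/secure` location are assumed placeholders.

```apache
# Added example: mod_auth_kerb protected location, TLS required.
# Realm, keytab path and location are placeholders; adjust to your site.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key

    <Location /secure>
        # Refuse to serve this location at all over a non-TLS vhost, so the
        # Negotiate token is never sent in a cleartext Authorization header.
        SSLRequireSSL

        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbAuthRealms EXAMPLE.COM
        Krb5KeyTab /etc/httpd/conf/http.keytab
        KrbServiceName HTTP

        # Negotiate (SPNEGO): the client presents a service ticket, the
        # password itself is never sent, as Greg notes above.
        KrbMethodNegotiate On

        # Basic fallback would accept "Authorization: Basic <base64(user:pass)>"
        # and verify it against the KDC, i.e. the password itself would
        # travel in the header (Glenn's first point). Keep it off unless a
        # client that cannot do Negotiate genuinely needs it, and then only
        # ever behind SSLRequireSSL.
        KrbMethodK5Passwd Off

        # Check the ticket against the keytab's own principal, so a
        # forged KDC response cannot satisfy the module.
        KrbVerifyKDC On

        Require valid-user
    </Location>
</VirtualHost>
```

A quick way to confirm the setting is doing its job is to request `/secure` over plain `http://` on a vhost that shares the same `<Location>` block: with `SSLRequireSSL` in place httpd answers 403 before any authentication exchange starts, which is the behaviour you want to see, since it means no `Authorization` header for that path can ever cross the wire unencrypted.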