Help: Why SSL must be enabled when using mod_auth_kerb in httpd?

Frank Cusack frank+krb at linetwo.net
Tue Mar 8 13:22:20 EST 2011


On 3/5/11 5:17 PM +0800 Lee Eric wrote:
> I'm just thinking why SSL must be enabled when using mod_auth_kerb in
> httpd. Because password will be transferred in encryption by Kerberos.
> So is SSL used to protect the tickets or anything else?

You should never send authentication credentials to an unknown entity.
If you don't use SSL, you don't know where you are sending those creds.
In this case, it would allow me to impersonate you.

Even though Kerberos would generally be used "internally", if you aren't
protecting the credentials you may as well just skip the Kerberos part
altogether.  If you trust internal users (and your overall network security 
stance) enough to avoid SSL you can save yourself the headache and avoid
Kerberos as well.
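To make the reply's point concrete, here is an added configuration example (not from the thread, and not shipped by the mod_auth_kerb project): the same protected location first on plain HTTP, then on TLS. The directive names are the documented mod_auth_kerb and mod_ssl directives; the hostname, realm, keytab and certificate paths are placeholders. The weak form matters because mod_auth_kerb's password fallback (KrbMethodK5Passwd) makes the browser send the user's Kerberos password itself in an HTTP Basic Authorization header, only base64-encoded, to whichever host answered for that name; with TLS the client validates the server certificate before that header is ever sent, so the credential only reaches the server it was meant for.

```apache
# Weak: plain HTTP. Nothing authenticates the server to the client, and
# with the password fallback enabled the Kerberos password crosses the
# network base64-encoded in the Authorization header.
<VirtualHost *:80>
    # placeholder hostname
    ServerName www.example.com
    <Location /protected>
        AuthType Kerberos
        AuthName "Kerberos Login"
        # placeholder realm and keytab path
        KrbAuthRealms EXAMPLE.COM
        KrbServiceName HTTP
        Krb5KeyTab /etc/httpd/http.keytab
        KrbMethodNegotiate on
        # password fallback over cleartext HTTP: the credential is exposed
        KrbMethodK5Passwd on
        Require valid-user
    </Location>
</VirtualHost>

# Corrected: plain HTTP only redirects, so no Authorization header is
# ever solicited on port 80.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>

# Corrected: the protected location lives only behind TLS. The client
# verifies the server certificate before sending credentials, which is
# what makes keeping the password fallback acceptable at all.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    # placeholder certificate and key paths
    SSLCertificateFile    /etc/pki/tls/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key
    <Location /protected>
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbAuthRealms EXAMPLE.COM
        KrbServiceName HTTP
        Krb5KeyTab /etc/httpd/http.keytab
        KrbMethodNegotiate on
        # leave the password fallback on only if clients without SPNEGO
        # must be supported; set it off to keep passwords off the wire
        KrbMethodK5Passwd on
        # when a password is accepted, verify the KDC's reply against the
        # service keytab so a spoofed KDC cannot fake a successful login
        KrbVerifyKDC on
        Require valid-user
    </Location>
</VirtualHost>
```

A quick check on a deployed host is to request the protected path over plain HTTP and confirm the response is the redirect rather than a 401 with a `WWW-Authenticate: Basic` header; if a 401 appears on port 80, the password fallback is reachable without TLS.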


