Kerberos and HTTP / HTTPS - Could Kerberos tickets be intercepted and misused?
Simo Sorce
simo at redhat.com
Tue Aug 23 08:54:24 EDT 2016
On Tue, 2016-08-23 at 06:24 +0000, Eichhorn, Thomas wrote:
> Hi,
>
> We use Kerberos for SSO in our local intranet. We followed this tutorial: http://www.grolmsnet.de/kerbtut/
> Everything works just fine.
>
> I have a question about security:
>
> Our intranet sites are delivered with HTTP. Can someone intercept the Kerberos ticket and use it for himself?
The HTTP/Negotiate protocol unfortunately does not prevent replay
attacks, so it can be done if the other endpoint does not use a replay
cache.
By default MIT's GSSAPI (and Heimdal's, if I recall) enables the replay
cache, but some modules (notoriously mod_auth_kerb) just disable it.
Use of HTTPS is recommended.
And not just for the server, on the user side too, as a lot of client
applications do not even check if the reply from the server is genuine
(completing the context establishment phase for mutual authentication)
and just accept the 200 OK code as it comes.
HTH,
Simo.
--
Simo Sorce * Red Hat, Inc * New York
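To make the replay-cache point concrete, here is an added, simplified model of what a GSSAPI acceptor's replay cache does on the server side of HTTP/Negotiate. It is illustration code written for this page, not code from the thread, from MIT krb5 or from Heimdal; the `Authenticator` fields, the `ReplayCache` class and the 300-second skew value are assumptions chosen to mirror the usual Kerberos behaviour (reject authenticators outside the clock-skew window, and reject any authenticator already seen inside it). The `enabled=False` path shows what an acceptor that disables its replay cache, as the reply says mod_auth_kerb does, would accept.

```python
"""Toy Kerberos-style replay cache for an HTTP/Negotiate acceptor.

Added example: models replay-cache semantics, not real GSSAPI code.
"""
import hashlib
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CLOCK_SKEW = 300  # seconds; assumed window, matching the common 5-minute default


@dataclass
class Authenticator:
    """The parts of an AP-REQ authenticator a replay cache keys on (simplified)."""
    client: str   # client principal
    server: str   # service principal the ticket was issued for
    ctime: int    # client timestamp, seconds
    cusec: int    # client microseconds
    raw: bytes    # ciphertext as presented on the wire

    def tag(self) -> bytes:
        # Key on client, server, timestamp and a hash of the ciphertext, so two
        # presentations of the same bytes collide while fresh ones do not.
        digest = hashlib.sha256(self.raw).hexdigest()
        return f"{self.client}|{self.server}|{self.ctime}|{self.cusec}|{digest}".encode()


@dataclass
class ReplayCache:
    skew: int = CLOCK_SKEW
    enabled: bool = True
    _seen: Dict[bytes, float] = field(default_factory=dict)  # tag -> time recorded

    def check(self, auth: Authenticator, now: Optional[float] = None) -> Tuple[bool, str]:
        """Return (accepted, reason) for one presented authenticator."""
        now = time.time() if now is None else now
        # Entries older than the skew window can be dropped: an authenticator
        # that old fails the timestamp check below regardless of the cache.
        cutoff = now - self.skew
        for tag in [t for t, seen in self._seen.items() if seen < cutoff]:
            del self._seen[tag]
        if abs(now - auth.ctime) > self.skew:
            return False, "KRB_AP_ERR_SKEW"
        if not self.enabled:
            # Acceptor with the replay cache switched off: a captured
            # authenticator is accepted again for as long as it is within skew.
            return True, "accepted"
        tag = auth.tag()
        if tag in self._seen:
            return False, "KRB_AP_ERR_REPEAT"
        self._seen[tag] = now
        return True, "accepted"


def demo(enabled: bool = True) -> List[str]:
    """Present the same constructed authenticator several times and collect the verdicts."""
    now = 1_700_000_000.0  # constructed server clock
    rc = ReplayCache(enabled=enabled)
    client = "alice@EXAMPLE.COM"                       # constructed principal
    service = "HTTP/intranet.example.com@EXAMPLE.COM"  # constructed principal
    auth = Authenticator(client, service, int(now), 1234, b"constructed-ciphertext")
    stale = Authenticator(client, service, int(now) - 600, 1234, b"constructed-ciphertext")
    verdicts = [
        rc.check(auth, now)[1],          # first use
        rc.check(auth, now + 5)[1],      # same bytes presented again a few seconds later
        rc.check(stale, now)[1],         # authenticator from ten minutes ago
        rc.check(auth, now + 400)[1],    # original again, after its cache entry has expired
    ]
    return verdicts


if __name__ == "__main__":
    print("replay cache on: ", demo(enabled=True))
    print("replay cache off:", demo(enabled=False))
```

With the cache enabled the second presentation is refused with `KRB_AP_ERR_REPEAT`, and the fourth, by then outside the skew window, is refused by the timestamp check alone, which is why the cache only needs to remember entries for the length of the window. With the cache disabled the second presentation is accepted, which is the exposure the reply describes for plain HTTP; TLS on the connection closes that gap by keeping the authenticator off the wire in the first place.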