Kerberos and HTTP / HTTPS - Could Kerberos tickets be intercepted and misused?

Russ Allbery eagle at eyrie.org
Tue Aug 23 22:52:54 EDT 2016


Simo Sorce <simo at redhat.com> writes:

> By default MIT's GSSAPI (and Heimdal's if I recall) enables the replay
> cache, but some modules (notoriously mod_auth_kerb) just disable it.

It's very challenging to use the replay cache with mod_auth_kerb and a
typical web application and security configuration, since it redoes an
authentication on every page fetch and therefore generates a ton of
Kerberos authentication requests in a very small timeframe.  Historically,
this has caused replay cache collisions, which is why the replay cache is
always turned off, since otherwise most protected web sites became
inaccessible due to all the replay cache rejections.

I think modern replay caches may no longer have this collision issue?

-- 
Russ Allbery (eagle at eyrie.org)              <http://www.eyrie.org/~eagle/>
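The collision mechanism Russ describes (one browser page load firing many parallel re-authentications, several of which land in the same clock tick) can be made concrete with a small model. The code below is an added example, not code from this thread, from MIT krb5, Heimdal or mod_auth_kerb. It assumes two ways of keying a replay cache: a legacy scheme whose key is (client, server, ctime, cusec), under which two different authenticators with the same timestamp are indistinguishable, and a hashed scheme that also folds a hash of the authenticator ciphertext into the key, which mirrors what MIT krb5 did from 1.8 when it added a hash of the message to each rcache entry. Principals, timestamps and ciphertexts are constructed, and the hash used as ciphertext is a stand-in for real encryption.

```python
"""Toy model of Kerberos replay-cache false positives.

Added example: not code from this thread, MIT krb5, Heimdal or mod_auth_kerb.
It compares two ways of keying a replay cache:

  * legacy  - entry key is (client, server, ctime, cusec), the principals
              and the authenticator timestamp.  Two *different* authenticators
              from one client that share a timestamp collide, and the second
              is rejected as a replay.
  * hashed  - the key also carries a hash of the authenticator ciphertext, so
              only a byte-identical resend is rejected.

The workload models a browser loading a Kerberos-protected page: many
parallel sub-resource fetches, each re-authenticating with a fresh AP-REQ
within the same clock tick.  Principals, timestamps and ciphertexts are
constructed for the example.
"""
import hashlib
from dataclasses import dataclass
from typing import Set, Tuple


@dataclass(frozen=True)
class Authenticator:
    client: str        # client principal
    server: str        # service principal
    ctime: int         # authenticator time, seconds
    cusec: int         # authenticator time, microseconds
    ciphertext: bytes  # encrypted authenticator as seen on the wire


class ReplayCache:
    """In-memory replay cache with either legacy or hashed entry keys."""

    def __init__(self, hash_entries: bool) -> None:
        self.hash_entries = hash_entries
        self._seen: Set[Tuple] = set()

    def _key(self, a: Authenticator) -> Tuple:
        key: Tuple = (a.client, a.server, a.ctime, a.cusec)
        if self.hash_entries:
            key += (hashlib.sha256(a.ciphertext).hexdigest(),)
        return key

    def check_and_store(self, a: Authenticator) -> bool:
        """Return True if the AP-REQ is accepted, False if rejected as a replay."""
        key = self._key(a)
        if key in self._seen:
            return False
        self._seen.add(key)
        return True


def make_request(seq: int, requests_per_tick: int) -> Authenticator:
    """Constructed AP-REQ: every requests_per_tick of them share one timestamp.

    Real authenticators also carry a subkey and sequence number, so their
    ciphertext differs even when the timestamp does not; the hash below is a
    stand-in for that encryption, not a real Kerberos encoding."""
    ctime = 1_471_999_974                       # constructed epoch seconds
    cusec = (seq // requests_per_tick) * 1000   # coarse clock: 1 ms ticks
    payload = f"alice@EXAMPLE.COM|HTTP/www.example.com|{ctime}|{cusec}|seq={seq}"
    return Authenticator("alice@EXAMPLE.COM", "HTTP/www.example.com@EXAMPLE.COM",
                         ctime, cusec, hashlib.sha256(payload.encode()).digest())


def simulate_page_load(hash_entries: bool, n_requests: int = 12,
                       requests_per_tick: int = 3) -> Tuple[int, int]:
    """Feed n_requests distinct AP-REQs to one cache; return (accepted, rejected)."""
    cache = ReplayCache(hash_entries)
    results = [cache.check_and_store(make_request(i, requests_per_tick))
               for i in range(n_requests)]
    return results.count(True), results.count(False)


def detects_true_replay(hash_entries: bool) -> bool:
    """A byte-identical resend must be rejected by either keying scheme."""
    cache = ReplayCache(hash_entries)
    req = make_request(0, 3)
    first = cache.check_and_store(req)
    replay = cache.check_and_store(req)   # attacker resends the captured bytes
    return first and not replay


if __name__ == "__main__":
    for name, hashed in (("legacy", False), ("hashed", True)):
        ok, rej = simulate_page_load(hashed)
        print(f"{name:6s}: {ok} accepted, {rej} rejected as replays; "
              f"true replay caught: {detects_true_replay(hashed)}")
```

With twelve legitimate requests arriving three per tick, the legacy keying accepts only the first request of each tick and rejects the other eight as replays, which is the "most protected web sites became inaccessible" failure mode; the hashed keying accepts all twelve while still rejecting a genuine byte-for-byte resend. The flip side, relevant to the thread's subject line, is that a server which disables the replay cache altogether accepts a captured AP-REQ for as long as the authenticator timestamp stays within its clock-skew window.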

