heimdal http proxy

Charles Hedrick hedrick at rutgers.edu
Sat Sep 11 18:16:36 EDT 2021


My use case is a few web applications. Linux user group management, editing our wiki, and responding to help desk tickets. Generic web apps that I would like to use at home. We support CAS, but our university CAS server has disabled SSO. Since I already have a Kerberos ticket to use ssh, it would be nice to be able to get into the web apps without having to do CAS and Duo each time. (My Kerberos tickets also require two factor authentication to get them.)

We use Kerberos and GSSAPI for other things, but nothing that I’d need at home.

> On Sep 11, 2021, at 2:22 PM, Rick van Rein <rick at openfortress.nl> wrote:
> 
> Hello Charles,
> 
>> I'd like to be able to use Kerberos SPNEGO at home. Unfortunately the Mac uses Heimdal.
> 
> SPNEGO really has a low security level.  I am surprised this is considered
> acceptable for an https proxy.
> 
> We are working on two better solutions, with software that classifies as only
> a little over "proof of concept".
> 
> - TLS-KDH to integrate Kerberos authentication with ECDH encryption;
>   this combination is in fact Quantum Proof
> 
>   https://datatracker.ietf.org/doc/html/draft-vanrein-tls-kdh
> 
> - HTTP-SASL integrates SASL as a HTTP authentication mechanism, and this
>   is meant to allow Kerberos as well.  In contrast with SPNEGO, it would
>   be possible to require Channel Binding (at least to the webserver _name_).
> 
>   https://datatracker.ietf.org/doc/html/draft-vanrein-httpauth-sasl
> 
> 
> Take note: These have not even been proposed on this list, simply due to
> lack of time to actively discuss it (been mostly occupied with this and
> related implementations).  So at best this could be a future opportunity.
> Still, your use case may help to propel the work forward, so please share
> if this would be helpful for your situation.  You may want to pass this
> by your sysadmin too.
> 
> 
> Cheers,
> -Rick
