mod_auth_kerb + apache + kerberos
Henry B. Hotz
hotz at jpl.nasa.gov
Mon Jun 30 18:01:26 EDT 2008
On Jun 30, 2008, at 9:07 AM, krbdev-request at mit.edu wrote:
> to answer your question: for apache auth_mod_krb SSL is recommended,
> however not necessary. the fact is, it would work without it, but it's
> definitely something you do not want to do. without SSL your kerberos
> passwords will fly to the web server in cleartext (yes) and therefore
> totally compromise your kerberos infrastructure (all your kerberized
> services use the same username/password yes?)
No, it's not remotely that bad.
In fact your passwords don't go over that link (or any other) at all
with Kerberos. It's just Kerberos tickets with short (~1 day at most)
lifetimes. The main issue is that the ticket could be sniffed and
re-used to let someone else access the same web server.
There are a number of other issues as well: server-side replay
caching, ticket forwarding, ticket lifetimes. Your original password
is not a problem unless the server falls back to basic-auth over a
non-SSL connection. If that happens, it's bad, but it's got nothing to do
with Kerberos.
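The fallback Henry describes is controlled by mod_auth_kerb's password method directive. The fragment below is an added illustration, not configuration from the thread or the mod_auth_kerb project: the first block shows the weak setting (password fallback on, no transport requirement) and the second the hardened form (ticket-only, TLS required). The realm, keytab path and /secure location are assumed placeholders.

```apache
# Weak: if the browser has no ticket, mod_auth_kerb falls back to Basic
# auth and the user's Kerberos password crosses the wire; with no TLS
# requirement that can happen over plain HTTP.
<Location /secure>
    AuthType Kerberos
    AuthName "Kerberos Login"
    # assumed realm and keytab path
    KrbAuthRealms EXAMPLE.COM
    Krb5Keytab /etc/httpd/conf/http.keytab
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    Require valid-user
</Location>

# Hardened: refuse plaintext connections and disable the password
# fallback, so only SPNEGO tickets (short-lived, no password) are
# accepted. KrbVerifyKDC guards against a spoofed KDC; credentials are
# not saved, so the server holds no forwarded tickets for this location.
<Location /secure>
    SSLRequireSSL
    AuthType Kerberos
    AuthName "Kerberos Login"
    # assumed realm and keytab path
    KrbAuthRealms EXAMPLE.COM
    Krb5Keytab /etc/httpd/conf/http.keytab
    KrbServiceName HTTP
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    KrbVerifyKDC On
    KrbSaveCredentials Off
    Require valid-user
</Location>
```

With the hardened form, a sniffed session still exposes only the service ticket for this server, bounded by its lifetime, which is the residual risk the reply above calls out.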