mod_auth_kerb+ apacahe+kerberos

Russ Allbery rra at
Mon Jun 30 18:15:47 EDT 2008

"Henry B. Hotz" <hotz at> writes:
> On Jun 30, 2008, at 9:07 AM, krbdev-request at wrote:

>> to answer your question: for apache auth_mod_krb SSL is recomended,
>> however not necessary. the fact is, it would work without it, but it's
>> definitely something you do not want to do. without SSL your kerberos
>> passwords will fly to the web server in cleartext (yes) and therefore
>> totally compromise your kerberos infrastructure (all your kerberized
>> services use the same useraname/password yes?)

> No, it's not remotely that bad.

> In fact your passwords don't go over that link (or any other) at all
> with Kerberos.  It's just Kerberos tickets with short (~1 day at most)
> lifetimes.  The main issue is that the ticket could be sniffed and re-
> used to let someone else access the same web server.

This is only true if you enable negotiate-auth.  The default in
mod_auth_kerb is to do basic auth and verify the password on the server,
which does have the behavior described by the previous poster.

Russ Allbery (rra at             <>

More information about the krbdev mailing list