[13592] in Kerberos_V5_Development


Re: mod_auth_kerb + apache + kerberos

daemon@ATHENA.MIT.EDU (Henry B. Hotz)
Mon Jun 30 18:02:46 2008

Message-Id: <1E182F67-C9C4-4041-AF87-96BDCD576C73@jpl.nasa.gov>
From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
To: krbdev@mit.edu
In-Reply-To: <mailman.419.1214842029.24421.krbdev@mit.edu>
Mime-Version: 1.0 (Apple Message framework v924)
Date: Mon, 30 Jun 2008 15:01:26 -0700
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu


On Jun 30, 2008, at 9:07 AM, krbdev-request@mit.edu wrote:

> to answer your question: for apache auth_mod_krb SSL is recommended,
> however not necessary. the fact is, it would work without it, but it's
> definitely something you do not want to do. without SSL your kerberos
> passwords will fly to the web server in cleartext (yes) and therefore
> totally compromise your kerberos infrastructure (all your kerberized
> services use the same username/password yes?)

No, it's not remotely that bad.

In fact your passwords don't go over that link (or any other) at all
with Kerberos.  It's just Kerberos tickets with short (~1 day at most)
lifetimes.  The main issue is that the ticket could be sniffed and
re-used to let someone else access the same web server.

There are a number of other issues as well: server-side replay
caching, ticket forwarding, ticket lifetimes.  Your original password
is not a problem unless the server falls back to basic-auth over a
non-SSL connection.  If that happens, it's bad, but it's got nothing to do
with Kerberos.
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
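
The fallback case Henry describes (a browser that cannot do SPNEGO being offered HTTP Basic auth, so the Kerberos password itself crosses the wire) is controlled by configuration, not by Kerberos. The following httpd fragment is an added illustration, not part of this thread or of the mod_auth_kerb project's documentation: it places a configuration that permits the password fallback beside one that refuses it and also requires TLS. The realm, keytab path and the two `Location` paths are constructed placeholders; the directive names are mod_auth_kerb's as I understand them, and the two blocks are alternatives for comparison rather than something to deploy side by side.

```apache
# Added example (not from the mailing-list post).  Realm, keytab path and
# the /app-weak and /app paths are placeholders chosen for illustration.
# Apache comments must sit on their own lines, so every note is a separate line.

# Permissive: KrbMethodK5Passwd is On (mod_auth_kerb's default), so a client
# that does not send a Negotiate header is challenged for Basic auth and the
# user's Kerberos password reaches the web server.  Without TLS on this path
# that is the cleartext-password situation the original question worried about.
<Location "/app-weak">
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbAuthRealms EXAMPLE.COM
    Krb5KeyTab /etc/apache2/http.keytab
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    Require valid-user
</Location>

# Restricted: only ticket-based Negotiate is accepted, so no password is ever
# presented to httpd; SSLRequireSSL refuses plain-HTTP requests to the path,
# which also removes the sniff-and-reuse window for the ticket that Henry
# identifies as the real residual risk; KrbSaveCredentials stays Off so any
# forwarded credentials are not stored on the server.
<Location "/app">
    SSLRequireSSL
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbAuthRealms EXAMPLE.COM
    Krb5KeyTab /etc/apache2/http.keytab
    KrbServiceName HTTP
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    KrbVerifyKDC On
    KrbSaveCredentials Off
    Require valid-user
</Location>
```

With `KrbMethodK5Passwd Off`, a client that cannot obtain a service ticket simply fails authentication instead of being prompted for a password, which is the behaviour you want on a server that is meant to be ticket-only.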
