[13594] in Kerberos_V5_Development
Re: mod_auth_kerb+ apache+kerberos
daemon@ATHENA.MIT.EDU (Russ Allbery)
Mon Jun 30 18:16:20 2008
To: krbdev@mit.edu
In-Reply-To: <1E182F67-C9C4-4041-AF87-96BDCD576C73@jpl.nasa.gov> (Henry B. Hotz's message of "Mon, 30 Jun 2008 15:01:26 -0700")
From: Russ Allbery <rra@stanford.edu>
Date: Mon, 30 Jun 2008 15:15:47 -0700
Message-ID: <87iqvqefho.fsf@windlord.stanford.edu>
"Henry B. Hotz" <hotz@jpl.nasa.gov> writes:
> On Jun 30, 2008, at 9:07 AM, krbdev-request@mit.edu wrote:
>> to answer your question: for apache auth_mod_krb SSL is recommended,
>> however not necessary. the fact is, it would work without it, but it's
>> definitely something you do not want to do. without SSL your kerberos
>> passwords will fly to the web server in cleartext (yes) and therefore
>> totally compromise your kerberos infrastructure (all your kerberized
>> services use the same username/password yes?)
> No, it's not remotely that bad.
> In fact your passwords don't go over that link (or any other) at all
> with Kerberos. It's just Kerberos tickets with short (~1 day at most)
> lifetimes. The main issue is that the ticket could be sniffed and reused
> to let someone else access the same web server.
This is only true if you enable negotiate-auth. The default in
mod_auth_kerb is to do basic auth and verify the password on the server,
which does have the behavior described by the previous poster.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
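As an added illustration (not from the thread, and not mod_auth_kerb's own documentation), here are the two configurations the exchange contrasts: a location that accepts Kerberos password (Basic) auth over plain HTTP, beside one that accepts only SPNEGO/Negotiate and refuses non-TLS requests. The realm, keytab path and hostname are placeholders.

```apache
# Constructed example; EXAMPLE.COM, the keytab path and www.example.com are placeholders.

# WEAK: password-based Kerberos auth reachable over plain HTTP.
# The browser sends "Authorization: Basic base64(user:password)" and the
# module verifies that password against the KDC, so the cleartext password
# crosses the network on every request, which is the exposure the first
# poster described.
<Location /weak>
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbAuthRealms EXAMPLE.COM
    Krb5KeyTab /etc/apache2/http.keytab
    KrbMethodNegotiate Off
    KrbMethodK5Passwd On
    Require valid-user
</Location>

# HARDENED: Negotiate only, and only over TLS.
# The browser presents a service ticket for HTTP/www.example.com instead of
# a password; KrbMethodK5Passwd Off means no Basic challenge is ever issued,
# and SSLRequireSSL rejects plain-HTTP requests so the Negotiate token is
# not exposed to sniffing on the wire.
<Location /private>
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbAuthRealms EXAMPLE.COM
    KrbServiceName HTTP
    Krb5KeyTab /etc/apache2/http.keytab
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    KrbSaveCredentials Off
    SSLRequireSSL
    Require valid-user
</Location>
```

A quick check after deploying: a request to /private without a Negotiate-capable client should receive only a "WWW-Authenticate: Negotiate" challenge and never a "WWW-Authenticate: Basic" one.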
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev