[37633] in Kerberos
Re: Kerberos and HTTP / HTTPS - Could Kerberos tickets be intercepted
daemon@ATHENA.MIT.EDU (Russ Allbery)
Tue Aug 23 22:53:15 2016
From: Russ Allbery <eagle@eyrie.org>
To: "'kerberos\@mit.edu'" <kerberos@mit.edu>
In-Reply-To: <1471956864.8163.11.camel@redhat.com> (Simo Sorce's message of
"Tue, 23 Aug 2016 08:54:24 -0400")
Date: Tue, 23 Aug 2016 19:52:54 -0700
Message-ID: <87d1kysws9.fsf@hope.eyrie.org>
Simo Sorce <simo@redhat.com> writes:
> By default MIT's GSSAPI (and Heimdal's if I recall) enables the replay
> cache, but some modules (notoriously mod_auth_kerb) just disable it.
It's very challenging to use the replay cache with mod_auth_kerb and a
typical web application and security configuration, since it redoes an
authentication on every page fetch and therefore generates a ton of
Kerberos authentication requests in a very small timeframe. Historically,
this has caused replay cache collisions, which is why the replay cache is
always turned off, since otherwise most protected web sites became
inaccessible due to all the replay cache rejections.
I think modern replay caches may no longer have this collision issue?
--
Russ Allbery (eagle@eyrie.org) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
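The failure mode discussed above, as an added example that is not part of the thread or of MIT/Heimdal code: a constructed, simplified model of a replay cache whose key is only (client, server, ctime) beside one that also keys on cusec and a hash of the whole authenticator. A burst of requests from one browser session within a single wall-clock second (the mod_auth_kerb pattern) is wrongly rejected by the coarse cache, while a byte-identical replay is still caught by both. The principal names, timestamps and field names are assumptions for illustration only.

```python
import hashlib

# Constructed model of a Kerberos replay cache (not MIT's or Heimdal's code).
# An AP-REQ authenticator carries client, server, ctime (seconds) and cusec
# (microseconds); the cache refuses any authenticator it has already seen
# inside the clock-skew window.  Two key choices are compared:
#   coarse   - key on (client, server, ctime): requests sharing one second
#              collide and are rejected as replays even though they are new
#   extended - key also on cusec and a hash of the full authenticator, so
#              distinct requests are separated but a true replay is still seen
CLOCK_SKEW = 300  # seconds; the usual Kerberos default

class ReplayCache:
    def __init__(self, extended):
        self.extended = extended
        self.seen = {}  # key -> ctime, kept so stale entries can be expired

    def key(self, auth):
        base = (auth["client"], auth["server"], auth["ctime"])
        if not self.extended:
            return base
        digest = hashlib.sha256(repr(sorted(auth.items())).encode()).hexdigest()
        return base + (auth["cusec"], digest)

    def check(self, auth, now):
        """True if the authenticator is accepted, False if treated as a replay."""
        # Entries older than the skew window cannot be accepted anyway, so drop them.
        self.seen = {k: t for k, t in self.seen.items() if now - t <= CLOCK_SKEW}
        k = self.key(auth)
        if k in self.seen:
            return False
        self.seen[k] = auth["ctime"]
        return True

def burst(n, ctime):
    """n AP-REQs from one session fetching n page elements in the same second (constructed)."""
    return [{"client": "alice@EXAMPLE.COM", "server": "HTTP/www.example.com@EXAMPLE.COM",
             "ctime": ctime, "cusec": 1000 * i, "seq_number": i} for i in range(n)]

def accepted_counts(n=20, ctime=1471956864):
    """(accepted by coarse cache, accepted by extended cache) for an n-request burst."""
    reqs = burst(n, ctime)
    coarse, extended = ReplayCache(False), ReplayCache(True)
    return (sum(coarse.check(r, ctime) for r in reqs),
            sum(extended.check(r, ctime) for r in reqs))

def replay_detected(ctime=1471956864):
    """A genuine replay (the same authenticator presented twice) is caught by both caches."""
    req = burst(1, ctime)[0]
    results = []
    for extended in (False, True):
        cache = ReplayCache(extended)
        cache.check(req, ctime)
        results.append(not cache.check(dict(req), ctime))
    return all(results)
```

With a 20-request burst the coarse cache accepts only the first request and rejects the other 19, which is the "site becomes inaccessible" behaviour described above; the extended cache accepts all 20 and still rejects the replayed authenticator.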