[33249] in Kerberos
Re: Help: Why SSL must be enabled when using mod_auth_kerb in httpd?
daemon@ATHENA.MIT.EDU (Tom Parker)
Sat Mar 5 12:05:12 2011
In-Reply-To: <AANLkTin31a1g6hvHMg_CP9Htbiiwd5nMjktNr6AYF5p2@mail.gmail.com>
Mime-Version: 1.0 (iPhone Mail 8C148)
Message-Id: <54A9CE91-D361-4705-8D8C-749885EB9277@cbnco.com>
From: Tom Parker <tparker@cbnco.com>
Date: Sat, 5 Mar 2011 11:04:50 -0600
To: Lee Eric <openlinuxsource@gmail.com>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
You need to use SSL with mod_auth_kerb so that, if Negotiate auth fails and the user is prompted for their username and password, this is protected. Mod_auth_kerb uses Basic auth to get this info, and your username and password are transmitted in the clear to the server in this scenario. I would never use mod_auth_kerb without SSL.
Tom
On 2011-03-05, at 9:46, Lee Eric <openlinuxsource@gmail.com> wrote:
> Thanks mate. So it looks like there's no obvious reason to use SSL
> when using Kerberos. But I saw the sample configuration of
> mod_auth_kerb module that indicates "SSLRequireSSL" should be set up
> by using this module. So I want to know what part SSL protects indeed.
>
> Thanks very much.
>
> Eric
>
> On Sat, Mar 5, 2011 at 11:41 PM, Greg Hudson <ghudson@mit.edu> wrote:
>> On Sat, 2011-03-05 at 04:17 -0500, Lee Eric wrote:
>>> Hi,
>>>
>>> I'm just thinking why SSL must be enabled when using mod_auth_kerb in
>>> httpd, because the password is transferred encrypted by Kerberos.
>>> So is SSL used to protect the tickets or anything else?
>>
>> I'm not sure if it must be enabled, but there are reasons why it might
>> be a good idea. The HTTP authentication protocol used by mod_auth_kerb
>> does not protect the data stream, so without a secure channel (i.e.
>> SSL), there is nothing connecting the authentication to the request or
>> response.
>>
>> Also, just to nitpick, but Kerberos authentication doesn't transport
>> your password at all, even when you get initial tickets.
>>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
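The two configurations below are an added illustration of the point made in this thread, not a configuration from the list or from the mod_auth_kerb project. The first uses the mod_auth_kerb defaults (Negotiate with Basic-auth password fallback, reachable over plain HTTP); the second is the same authentication placed under `SSLRequireSSL`, as in the sample configuration Eric refers to, with the password fallback switched off. The realm `EXAMPLE.COM`, the hostname, and the keytab and certificate paths are placeholders.

```apache
# Weak: mod_auth_kerb defaults, no TLS requirement.
# If the browser cannot present a ticket, KrbMethodK5Passwd makes the
# module fall back to HTTP Basic auth, and the username and password the
# user types are sent base64-encoded, i.e. in the clear, over plain HTTP.
<Location /weak>
    AuthType Kerberos
    AuthName "Kerberos Login"
    # placeholder realm
    KrbAuthRealms EXAMPLE.COM
    # placeholder keytab path
    Krb5KeyTab /etc/httpd/krb5.keytab
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    Require valid-user
</Location>

# Hardened: same authentication, but only reachable over TLS.
# SSLRequireSSL refuses plain-HTTP requests to this location, so even if a
# password prompt ever appears the credentials travel inside the TLS
# channel, and the request/response stream is tied to the same session
# that carried the authentication. Turning KrbMethodK5Passwd off removes
# the Basic-auth fallback entirely where every client is expected to
# hold a ticket.
<VirtualHost *:443>
    # placeholder hostname and certificate paths
    ServerName www.example.com
    SSLEngine On
    SSLCertificateFile /etc/pki/tls/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key

    <Location /secure>
        SSLRequireSSL
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbAuthRealms EXAMPLE.COM
        Krb5KeyTab /etc/httpd/krb5.keytab
        KrbMethodNegotiate On
        KrbMethodK5Passwd Off
        Require valid-user
    </Location>
</VirtualHost>
```

If the password fallback has to stay on (for clients that cannot do Negotiate), keep it only inside the TLS virtual host; a quick check is to request the protected path over plain HTTP and confirm the server answers with 403 from `SSLRequireSSL` rather than a `WWW-Authenticate: Basic` challenge.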