[33255] in Kerberos


Re: Help: Why SSL must be enabled when using mod_auth_kerb in httpd?

daemon@ATHENA.MIT.EDU (Frank Cusack)
Tue Mar 8 13:22:30 2011

Date: Tue, 08 Mar 2011 10:22:20 -0800
From: Frank Cusack <frank+krb@linetwo.net>
To: Lee Eric <openlinuxsource@gmail.com>, kerberos@mit.edu
Message-ID: <DE14622D4BCF43C750DC8C26@dhcp-172-19-80-246.mtv.corp.google.com>
In-Reply-To: <AANLkTiktWrj8E9Ap_z6jD81Q5CyMYDzako6Br_3gCtoB@mail.gmail.com>
MIME-Version: 1.0
Content-Disposition: inline
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On 3/5/11 5:17 PM +0800 Lee Eric wrote:
> I'm just thinking why SSL must be enabled when using mod_auth_kerb in
> httpd. Because password will be transferred in encryption by Kerberos.
> So is SSL used to protect the tickets or anything else?

You should never send authentication credentials to an unknown entity.
If you don't use SSL, you don't know where you are sending those creds.
In this case, it would allow me to impersonate you.

Even though Kerberos would generally be used "internally", if you aren't
protecting the credentials you may as well just skip the Kerberos part
altogether.  If you trust internal users (and your overall network security
stance) enough to avoid SSL you can save yourself the headache and avoid
Kerberos as well.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
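As an added illustration of the point above (this configuration is not part of the original thread): the same mod_auth_kerb Location, once exposed over plain HTTP and once restricted to a TLS virtual host. Hostname, realm, keytab and certificate paths are placeholders.

```apacheconf
# Added example (not from the thread): mod_auth_kerb behind Apache httpd.
# Hostname, realm, keytab path and certificate paths are placeholders.

# --- Weak: Kerberos auth offered over plain HTTP ---------------------------
# With KrbMethodK5Passwd On, a client that cannot do SPNEGO falls back to
# HTTP Basic, so the user's Kerberos *password* travels base64-encoded (not
# encrypted) to whatever host answered the request; nothing proves that host
# is the real server before the credential has already been handed over.
<VirtualHost *:80>
    ServerName www.example.com
    <Location /secure>
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbAuthRealms EXAMPLE.COM
        Krb5KeyTab /etc/httpd/conf/http.keytab
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        Require valid-user
    </Location>
</VirtualHost>

# --- Hardened: credentials only ever leave the browser over TLS ------------
<VirtualHost *:80>
    ServerName www.example.com
    # Send every plaintext request to the TLS site before any auth challenge.
    Redirect permanent / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key
    <Location /secure>
        # Refuse to serve (and therefore to challenge for credentials) unless
        # the connection is already TLS, even if a later config change attaches
        # this Location to a non-SSL vhost.
        SSLRequireSSL
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbAuthRealms EXAMPLE.COM
        Krb5KeyTab /etc/httpd/conf/http.keytab
        KrbMethodNegotiate On
        # Password fallback off: only SPNEGO tickets, never the password itself.
        KrbMethodK5Passwd Off
        Require valid-user
    </Location>
</VirtualHost>
```

The TLS requirement is not only about the password fallback: with Negotiate alone the service ticket and authenticator are still sent to whichever host answers, so the client needs the server's certificate to know it is talking to the intended service before it presents them.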
