[6574] in Kerberos
Re: Authentication Only ?
daemon@ATHENA.MIT.EDU (Jon Roma)
Fri Feb 2 15:03:23 1996
To: kerberos@MIT.EDU
Date: Fri, 02 Feb 1996 13:43:42 -0600
From: Jon Roma <roma@uiuc.edu>
Joe Shamblin wrote regarding Kerberos authentication for WWW traffic:

>Take a look at NCSA httpd version 1.5; it is supposed to have hooks for
>kerberos [...]

The problem being that this is useless for people running other than the
NCSA Mosaic client. (Yes, even here at the University of Illinois, the
birthplace of Mosaic, Netscape is far and away the more popular browser.)

Several other "solutions" have been proposed that involve Web authenticators
that accept a Kerberos principal and password, but they share the unhappy
characteristic of transmitting the client's Kerberos password in the clear
over a possibly insecure network where it is processed by a possibly
untrustworthy or insecure client. This defeats the principle that only
you and your trusted kinit program ever see your cleartext password.