[6584] in Kerberos
Re: Authentication Only ?
daemon@ATHENA.MIT.EDU (Ken Weaverling)
Sat Feb 3 13:07:44 1996
To: kerberos@MIT.EDU
Date: 3 Feb 1996 09:38:22 -0500
From: weave@apache.dtcc.edu (Ken Weaverling)
In article <199602021943.NAA12264@ux6.cso.uiuc.edu>,
Jon Roma <roma@uiuc.edu> wrote:
>Joe Shamblin wrote regarding Kerberos authentication for WWW traffic:
>
>>Take a look at NCSA httpd version 1.5 it is supposed to have hooks fer
>>kerberos [...]
>
>The problem being that this is useless for people running other than the
>NCSA Mosaic client. (Yes, even here at the University of Illinois, the
>birthplace of Mosaic, Netscape is far and away the more popular browser.)
Let me summarise here:
Current situation: Some web pages are restricted to inside IP addresses
only to meet licensing requirements you have.
Idea: Find some way to allow outside users to authenticate via their
kerberos id/pass to get in
Proposal #1: Allow kerberos id/pass to travel net in the clear, authenticate
locally.
Proposal #2: Use NCSC Mosaic to use kerberos authentication securely.
Cost of proposal #1: Kerberos identies flies across god knows what nets
in the clear.
Cost of proposal #2: Users have to launch mosaic instead of netscape if they
want to get to the protected pages.
Hmm, so if you go with proposal #1, you become the weak link in the chain.
Since users can not access the information now, making it available
from a kerberos'ed browser only seems to be a small cost. Sure beats what
you have now (no access from outside)
Now if you can make those pages authenticate by IP only for inside users
and via kerberos for outside, I think #2 is your best bet.
--
Ken Weaverling, Delaware Tech weave@hopi.dtcc.edu (WHOIS: KJW)
finger me for PGP and home page info.
