On Mon, 7 Oct 1996, Marcus Watts wrote:

> Michael C. Burns writes:
> > ..  I'm curious if anyone on this list
> > has made modifications to NCSA's httpd to use AFS/Kerberos authentication
> > and if they can share those changes.
> 
> What *kind* of authentication are you talking about when you say
> "AFS/Kerberos authentication"?
> 
> There are two "obvious" schemes you *could* use.  The first would be to
> take the user's cleartext password using "Basic" authentication, and
> then yourself, in the server, try to get a kerberos ticket using that
> password.  It does have one advantage (which is nothing to sneeze about):
> it will work with every browser out there in the sun.
> 

From looking at NCSA's documentation, it seems that .htaccess's AuthType would accept
Kerberos4 instead of Basic, but the documentation fails to say anything more
about it.  It appears as if it would still work as you describe above unless
browsers are written to understand it as you mention below.

> The bad thing about that approach is that you are now sending your
> kerberos passwords out in the clear, available for any network sniffer
> to grab.  This definitely weakens the secrecy of kerberos.  If you have
> a significant population of users who might access your web server from
> one or more shared (``public'') computing labs or sites, then you can
> certainly expect serious problems every so often, from people sniffing
> on the wire and stealing passwords.
> 

This is true at our site.  We have thousands of Macs and PCs in labs on
campus and in each department and we cannot vouch for their security, so we
expect problems to occur as long as there are any client applications (http,
telnet, ftp, etc.) that send passwords in the clear.  And even once they do
exist there will still be people who won't install them on their
computer, so passwords in the clear will be with us for a long time yet.

> The second "obvious" approach is to use what I believe is called
> "Columbia University" kerberos (or CUkerb) authentication.  The basic protocol
> ...

(more good info on CUkerb deleted)  

> The most serious problem has nothing to do with the technical
> issues, but rather, with client support.  By far the most popular
> browser, Netscape, doesn't work with this scheme at all.  The
> two browsers that do support this scheme are Lynx and Mosaic
> and even then, only on Unix workstations.  The ugly claws of
> ...
> 
> 
> Some other people here at the university are working on a real
> cool something called "KLP", which looks like it could be a *much* better
> solution than CUkerb.  I'm sure they'll announce something once they
> have something worth sharing with others.
> 
>                               -Marcus Watts
>                               UM ITD PD&D Umich Systems Group

I was introduced to this a few months back when I attended a Big 10 DCE
Focus group/special projects type meeting held at PSU.  They also talked
about the SDG (Secure Domain Gateway) as other alternatives.  Again, most of
this was geared towards DCE which we are going to move to also, but we have
AFS in place right now and I was looking for other alternatives I could use
with our current AFS cell in case I really want to provide this before
getting all the DCE pieces in place.

- Mike                                                                      

----------------------------------------------------------------------------
Mike Burns                                                UNIX Systems Group 
[EMAIL PROTECTED]                              Center for Academic Computing 
(814) 863-5606                             The Pennsylvania State University
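The first scheme discussed above (take the "Basic" password and use it to get a Kerberos ticket) means the Kerberos password itself crosses the wire base64-encoded, not encrypted. The following Python script is an added illustration for this thread, not code from either poster or from NCSA httpd: it parses a captured plain-HTTP request the way a sniffer on a shared lab network would see it and reports which account's credential was exposed. The host name, user name and password in the sample requests are constructed placeholders. Only the user name is reported, so an audit log of exposed accounts does not become a second copy of the secret; a malformed Basic value is handled as a failure case rather than crashing the audit.

```python
import base64
import binascii
from typing import Optional

# Constructed sample requests (hypothetical host, user and password), laid out
# the way they travel over plain HTTP. The Basic value decodes to
# "jdoe:correct-horse", which is exactly what a network sniffer would recover.
REQUEST_WITH_BASIC = (
    "GET /private/grades.html HTTP/1.0\r\n"
    "Host: www.example.edu\r\n"
    "Authorization: Basic amRvZTpjb3JyZWN0LWhvcnNl\r\n"
    "\r\n"
)
REQUEST_WITHOUT_AUTH = (
    "GET /index.html HTTP/1.0\r\n"
    "Host: www.example.edu\r\n"
    "\r\n"
)
REQUEST_WITH_GARBAGE = (
    "GET /private/ HTTP/1.0\r\n"
    "Host: www.example.edu\r\n"
    "Authorization: Basic !!not-base64!!\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> dict:
    """Return the request headers as a {lower-cased name: value} dict.

    The request line is skipped and anything after the blank line (the body)
    is ignored; header names are case-insensitive in HTTP, hence the lower().
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def exposed_basic_credential(raw: str) -> Optional[dict]:
    """Report whether a captured request carried a Basic credential in the clear.

    Returns None when no Authorization header is present. Otherwise returns
    the scheme, the user name whose password was exposed (None if the value
    could not be decoded) and a 'decodable' flag. The password is discarded
    on purpose: the point is to know which accounts need a new password,
    not to keep the old one around.
    """
    auth = parse_headers(raw).get("authorization")
    if auth is None:
        return None
    scheme, _, value = auth.partition(" ")
    if scheme.lower() != "basic":
        # Some other scheme (e.g. a ticket-based one); not a cleartext password.
        return {"scheme": scheme, "user": None, "decodable": False}
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        # Malformed header: still worth logging, but nothing to attribute.
        return {"scheme": "Basic", "user": None, "decodable": False}
    user, _, _password = decoded.partition(":")
    return {"scheme": "Basic", "user": user, "decodable": True}


def audit_capture(requests) -> list:
    """Return the user names whose Basic password was exposed in a capture."""
    exposed = []
    for raw in requests:
        finding = exposed_basic_credential(raw)
        if finding and finding["decodable"] and finding["user"]:
            exposed.append(finding["user"])
    return exposed


if __name__ == "__main__":
    capture = [REQUEST_WITH_BASIC, REQUEST_WITHOUT_AUTH, REQUEST_WITH_GARBAGE]
    for user in audit_capture(capture):
        print(f"password for account {user!r} was sent in the clear")
```

Run against a real capture, the same function would be fed one request at a time from the decoded TCP stream; the check is the same regardless of whether the server then turns the password into a Kerberos ticket, since the exposure has already happened by the time the request arrives.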
