Fred Dushin wrote:
 A big part of the problem is HTTP (big surprise -- yet another
 protocol that is being used for purposes for which it was not
 designed). Yes, IIS supports GSS authentication via SPNEGO, but I
 have not been able to decipher whether data protection is offered;
 anecdotal evidence suggests not; I've read commentary on the web to
 this effect, and if you read the mod_auth_krb source code, you'll see
 no reference to gss_wrap or gss_*_mic, so my guess is that all SPNEGO
 is doing is offering SSO authentication. (That seems to be the gist
 of the spec, as well) I'm not entirely sure if mutual auth is
 offered, either, though I suppose technically it's possible to use
 HTTP 401 to establish a mutually authenticated channel. (Anyone know
 if IE/IIS supports this?)


Data protection is not part of the HTTP/Negotiate-Auth protocol.  It only
provides for *authentication* and even that is not protected unless you
channel it over SSL.   After the authentication is complete, GSSAPI is
never used again for that session.  The browsers and servers out there
today do not support the use of GSSAPI for protecting the HTTP exchanges,
only SSL.

Mutual authentication is not supported correctly because it is not possible
to do so without violating the HTTP spec.  Microsoft did it with IIS/IE, but
Mozilla stops short of the complete mutual-auth checking because it would
involve a lot of hacks in the HTTP engine to handle non-standard fields
being sent in a "200 OK" response header.
Basically, the recommended way to do HTTP/GSSAPI authentication
is to use SSL to protect the exchange and the data.   Mozilla/Firefox
is configured by default to only do the GSSAPI auth exchange if
the protocol is "https", though that setting can be changed easily
enough.


-Wyllys Ingersoll
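The exchange Wyllys describes, as an added example that is not code from the original thread or from any browser or server mentioned in it: a simulated HTTP/Negotiate round trip in which the server's initial 401 carries a bare "Negotiate" challenge, the client answers with an "Authorization: Negotiate <token>" header, and the server's 200 OK carries a final "WWW-Authenticate: Negotiate <token>" that a client must verify to get mutual authentication. The GSS tokens are stand-ins (HMACs over a constructed shared key, standing in for the Kerberos session key a real gss_init_sec_context/gss_accept_sec_context would produce), so everything runs offline; the function names, the `https_only` and `require_mutual` switches, and the `send_final_token` knob on the server are all assumptions made for the example. Note that nothing after the 200 OK is wrapped: the body goes back in the clear, which is why the exchange only makes sense under SSL.

```python
"""Simulated HTTP/Negotiate exchange (added example, not the thread's code).

Toy tokens: base64("role|nonce|HMAC(key, role|nonce)") stand in for SPNEGO
GSS tokens.  TOY_KEY is a constructed demo secret, not a Kerberos session key.
"""
import base64
import hashlib
import hmac
import os

TOY_KEY = b"constructed demo key, not a Kerberos session key"  # assumption


def make_token(role, nonce):
    """Build a toy GSS token for `role` ("client"/"server") bound to `nonce` (hex str)."""
    msg = f"{role}|{nonce}".encode()
    mac = hmac.new(TOY_KEY, msg, hashlib.sha256).hexdigest()
    return base64.b64encode(msg + b"|" + mac.encode()).decode()


def verify_token(token, expected_role, expected_nonce=None):
    """Return the nonce if `token` is a valid toy token for expected_role, else None."""
    try:
        role, nonce, mac = base64.b64decode(token).decode().split("|", 2)
    except (ValueError, UnicodeDecodeError):
        return None
    good = hmac.new(TOY_KEY, f"{role}|{nonce}".encode(), hashlib.sha256).hexdigest()
    if role != expected_role or not hmac.compare_digest(mac, good):
        return None
    if expected_nonce is not None and nonce != expected_nonce:
        return None
    return nonce


def server(request, send_final_token=True):
    """Server side.  send_final_token=True mimics a server that completes
    mutual auth by returning the final context token on the 200 OK."""
    auth = request["headers"].get("Authorization", "")
    if not auth.startswith("Negotiate "):
        # Initial challenge: no token, just the scheme name.
        return {"status": 401, "headers": {"WWW-Authenticate": "Negotiate"}, "body": ""}
    nonce = verify_token(auth[len("Negotiate "):], "client")
    if nonce is None:
        return {"status": 401, "headers": {"WWW-Authenticate": "Negotiate"}, "body": ""}
    headers = {}
    if send_final_token:
        # The final token rides in a WWW-Authenticate header on a 200 OK,
        # the "non-standard field" a strict HTTP engine is not built to expect.
        headers["WWW-Authenticate"] = "Negotiate " + make_token("server", nonce)
    # Body is sent in the clear: GSSAPI is not used for the data.
    return {"status": 200, "headers": headers, "body": "hello"}


def client_fetch(url_scheme, server_fn, https_only=True, require_mutual=True):
    """Client side.  Returns (outcome, mutual_verified).

    https_only    - refuse to send the token unless the URL scheme is https
    require_mutual - fail unless the 200 OK carries a verifiable final token
    """
    req = {"method": "GET", "headers": {}}
    resp = server_fn(req)
    if resp["status"] != 401 or resp["headers"].get("WWW-Authenticate") != "Negotiate":
        return ("unexpected", False)
    if https_only and url_scheme != "https":
        # Only SSL protects the token and the data, so do not play over plain http.
        return ("refused", False)
    nonce = os.urandom(16).hex()
    req["headers"]["Authorization"] = "Negotiate " + make_token("client", nonce)
    resp = server_fn(req)
    if resp["status"] != 200:
        return ("auth-failed", False)
    final = resp["headers"].get("WWW-Authenticate", "")
    mutual = False
    if final.startswith("Negotiate "):
        # This is the check a client must do to know it talked to the right server.
        mutual = verify_token(final[len("Negotiate "):], "server", nonce) is not None
    if require_mutual and not mutual:
        return ("unverified-server", False)
    return ("ok", mutual)


if __name__ == "__main__":
    print(client_fetch("https", server))
    print(client_fetch("http", server))
    print(client_fetch("https", lambda r: server(r, send_final_token=False)))
```

Flipping `require_mutual` to False reproduces a client that accepts the 200 OK without looking at the final token: authentication of the client still succeeds, but the client never learns whether the server held the right key.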
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos