Thanks, mate. But I am still a little confused: what kind of Negotiate information will be transferred in the HTTP header? I thought the replay would be encrypted also.
Thanks.

Eric

On Sun, Mar 6, 2011 at 1:39 AM, Glenn Machin <[email protected]> wrote:
> You might want to take a look at whether replay is a factor.
> Mod_auth_kerb I believe handles both Basic and Negotiate (SPNEGO)
> authentication.
>
> If using Basic where the Kerberos password is passed over base64 encoded
> in the HTTP header, you are disclosing the Kerberos password.
>
> If you are using Negotiate where tickets are used you might still have
> an issue with replay. Can I grab the Negotiate information from the
> HTTP header and replay that over a different HTTP session?
>
> I have not looked at it in depth to be an expert but to be safe use SSL.
>
> Glenn
>
> On 3/5/11 8:46 AM, Lee Eric wrote:
>> Thanks mate. So it looks like there's no obvious reason to use SSL
>> when using Kerberos. But I saw the sample configuration of
>> mod_auth_kerb module that indicates "SSLRequireSSL" should be set up
>> by using this module. So I want to know what part SSL protects indeed.
>>
>> Thanks very much.
>>
>> Eric
>>
>> On Sat, Mar 5, 2011 at 11:41 PM, Greg Hudson <[email protected]> wrote:
>>> On Sat, 2011-03-05 at 04:17 -0500, Lee Eric wrote:
>>>> Hi,
>>>>
>>>> I'm just thinking why SSL must be enabled when using mod_auth_kerb in
>>>> httpd. Because password will be transferred in encryption by Kerberos.
>>>> So is SSL used to protect the tickets or anything else?
>>> I'm not sure if it must be enabled, but there are reasons why it might
>>> be a good idea. The HTTP authentication protocol used by mod_auth_kerb
>>> does not protect the data stream, so without a secure channel (i.e.
>>> SSL), there is nothing connecting the authentication to the request or
>>> response.
>>>
>>> Also, just to nitpick, but Kerberos authentication doesn't transport
>>> your password at all, even when you get initial tickets.
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
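The difference the thread is circling around, shown on the wire, as an added example that is not part of the thread and is not code from mod_auth_kerb or MIT Kerberos: with `Basic` the `Authorization` header is just base64 of `user:password`, so a passive observer recovers the Kerberos password; with `Negotiate` the header carries a base64 GSS-API token (SPNEGO wrapping a Kerberos AP-REQ), which contains the service ticket and an authenticator encrypted under keys the observer does not have, so no password is disclosed. What the observer does get is a byte string that is complete in itself: nothing in it is bound to the HTTP request or to the TCP connection, so the same bytes can be presented on a second connection, and whether that succeeds depends only on the acceptor's replay cache and clock-skew window. TLS is what stops the observer from seeing the token (or the Basic credentials) in the first place. The header values, the placeholder SPNEGO body and the user name below are constructed for the example; the `TokenReplayCache` is a deliberately minimal stand-in for a real Kerberos acceptor's authenticator cache.

```python
"""What an eavesdropper learns from an HTTP Authorization header.

Added example for the discussion above; not code from mod_auth_kerb or
MIT Kerberos. Header values and the Negotiate token body are constructed.
"""
import base64
import hashlib

SPNEGO_OID = "1.3.6.1.5.5.2"           # RFC 4178
KRB5_OID = "1.2.840.113554.1.2.2"      # RFC 4121 (raw Kerberos 5 mechanism)
KNOWN_MECHS = {SPNEGO_OID: "SPNEGO", KRB5_OID: "Kerberos 5"}


def _der_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _der_encode_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _decode_oid(raw):
    """DER OID content octets -> dotted string (base-128 arcs)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def gss_initial_context_token(mech_oid, inner):
    """RFC 2743 InitialContextToken framing: 0x60, length, OID, mechanism data."""
    oid = _encode_oid(mech_oid)
    body = b"\x06" + _der_encode_len(len(oid)) + oid + inner
    return b"\x60" + _der_encode_len(len(body)) + body


def parse_gss_mechanism(token):
    """Return the dotted mechanism OID of a GSS-API InitialContextToken."""
    if not token or token[0] != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    _, pos = _der_len(token, 1)
    if token[pos] != 0x06:
        raise ValueError("mechanism OID missing")
    oid_len, pos = _der_len(token, pos + 1)
    return _decode_oid(token[pos:pos + oid_len])


def inspect_authorization(header_value):
    """Report what one Authorization header discloses to a passive observer."""
    scheme, _, b64 = header_value.partition(" ")
    raw = base64.b64decode(b64)
    if scheme == "Basic":
        user, _, password = raw.decode().partition(":")
        return {"scheme": "Basic", "user": user, "password": password,
                "secret_disclosed": True}
    if scheme == "Negotiate":
        oid = parse_gss_mechanism(raw)
        # Ticket and authenticator inside are encrypted; only the framing is readable.
        return {"scheme": "Negotiate", "mechanism": KNOWN_MECHS.get(oid, oid),
                "secret_disclosed": False, "token_bytes": len(raw)}
    raise ValueError("unsupported scheme %r" % scheme)


class TokenReplayCache:
    """Toy acceptor-side replay cache keyed on the whole token.

    A real Kerberos acceptor caches the authenticator's client/ctime/cusec
    within the permitted clock skew; this stand-in makes the same point:
    the header bytes alone are all a second HTTP connection needs to present.
    """
    def __init__(self):
        self._seen = set()

    def accept(self, token):
        digest = hashlib.sha256(token).hexdigest()
        if digest in self._seen:
            return "replay rejected"
        self._seen.add(digest)
        return "accepted"


# Constructed sample headers (not real captures). The SPNEGO body is a
# placeholder; a real NegTokenInit would carry the encrypted AP-REQ.
BASIC_HEADER = "Basic " + base64.b64encode(b"eric:correct horse").decode()
_PLACEHOLDER_BODY = b"\xa0\x03\x0a\x01\x00"
NEGOTIATE_HEADER = "Negotiate " + base64.b64encode(
    gss_initial_context_token(SPNEGO_OID, _PLACEHOLDER_BODY)).decode()


def demo():
    """Inspect both headers, then resend the captured Negotiate token once."""
    results = [inspect_authorization(h) for h in (BASIC_HEADER, NEGOTIATE_HEADER)]
    token = base64.b64decode(NEGOTIATE_HEADER.split(" ", 1)[1])
    cache = TokenReplayCache()
    first = cache.accept(token)    # original request on connection 1
    second = cache.accept(token)   # identical bytes replayed on connection 2
    return results, first, second


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
    print(demo()[1:])
```

Without the replay cache (or outside its time window) the second presentation is indistinguishable from the first, which is the "nothing connecting the authentication to the request" point: TLS adds the missing channel, and `SSLRequireSSL` in the mod_auth_kerb sample configuration is there to refuse the header on a channel that lacks it.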
