Frank Cusack <[email protected]> writes:

> On 3/5/11 5:17 PM +0800 Lee Eric wrote:
>> I'm just thinking why SSL must be enabled when using mod_auth_kerb in
>> httpd. Because password will be transferred in encryption by Kerberos.
>> So is SSL used to protect the tickets or anything else?

> You should never send authentication credentials to an unknown entity.
> If you don't use SSL, you don't know where you are sending those creds.
> In this case, it would allow me to impersonate you.

Normally, in GSSAPI, you would do mutual auth before you did credential
delegation. The problem with Negotiate-Auth in HTTP is that you can't do
mutual authentication without breaking the protocol, so it just skips that
part. That means that the client authenticates to the server, but the
server doesn't authenticate to the client. So you really want TLS to do
the other half of the authentication (and you really want channel bindings
too, but you're probably not going to get that).

-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
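Added illustration (not code from this thread or from mod_auth_kerb): the two things Russ asks TLS to supply are (a) the server half of the authentication, which a client should require before it releases a Negotiate token at all, and (b) channel bindings that tie the GSS exchange to the TLS session. The snippet below implements the client-side release gate and the 'tls-server-end-point' binding from RFC 5929 section 4.1 (MD5 and SHA-1 in the certificate's signature algorithm are replaced by SHA-256, anything else is used as-is). The function names are mine, the certificate bytes are constructed, and the caller supplies the certificate's signature hash name instead of parsing it out of the DER, which real code would do.

```python
import hashlib
from urllib.parse import urlsplit


def tls_server_end_point(cert_der: bytes, cert_sig_hash: str) -> bytes:
    """Return the tls-server-end-point channel binding (RFC 5929 sec. 4.1).

    cert_der: DER encoding of the server's end-entity certificate.
    cert_sig_hash: hash used in the certificate's signatureAlgorithm
    (e.g. 'sha256'). Simplification: supplied by the caller rather than
    parsed from the certificate.
    """
    name = cert_sig_hash.lower().replace("-", "")
    if name in ("md5", "sha1"):
        name = "sha256"          # RFC 5929: MD5/SHA-1 are not used as-is
    return hashlib.new(name, cert_der).digest()


def may_release_negotiate_token(url: str, peer_verified: bool,
                                expected_host: str) -> bool:
    """Client-side gate: only emit a Negotiate token to a server that has
    already proven itself via TLS. HTTP Negotiate skips GSS mutual auth, so
    a cleartext or unverified peer is an 'unknown entity'."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False             # plain HTTP: nothing authenticated the server
    if not peer_verified:
        return False             # chain validation failed or was skipped
    host = parts.hostname
    return host is not None and host.lower() == expected_host.lower()


if __name__ == "__main__":
    # Constructed stand-in for a DER certificate; not a real certificate.
    fake_cert = b"constructed-der-certificate-bytes"
    print(tls_server_end_point(fake_cert, "sha1").hex())      # SHA-256 used
    print(tls_server_end_point(fake_cert, "sha384").hex())    # SHA-384 used
    for url, ok in (("http://web.example.com/", True),
                    ("https://web.example.com/", False),
                    ("https://web.example.com/", True)):
        print(url, ok, may_release_negotiate_token(url, ok, "web.example.com"))
```

In a real client the `peer_verified` flag comes from the TLS layer's chain validation and the binding bytes are passed to the GSS-API context initialisation as channel bindings; the gate and the binding are independent, so a deployment that cannot get channel bindings (as the post expects) still benefits from the gate.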
