On Sat, 2011-03-05 at 04:17 -0500, Lee Eric wrote:
> Hi,
>
> I'm just thinking why SSL must be enabled when using mod_auth_kerb in
> httpd. Because password will be transferred in encryption by Kerberos.
> So is SSL used to protect the tickets or anything else?

I'm not sure if it must be enabled, but there are reasons why it might be a good idea. The HTTP authentication protocol used by mod_auth_kerb does not protect the data stream, so without a secure channel (i.e. SSL), there is nothing connecting the authentication to the request or response.

Also, just to nitpick, but Kerberos authentication doesn't transport your password at all, even when you get initial tickets.

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
