Thanks mate. So it looks like there's no obvious reason to use SSL when using Kerberos. But I saw the sample configuration of mod_auth_kerb module that indicates "SSLRequireSSL" should be set up by using this module. So I want to know what part SSL protects indeed.
Thanks very much.

Eric

On Sat, Mar 5, 2011 at 11:41 PM, Greg Hudson <[email protected]> wrote:
> On Sat, 2011-03-05 at 04:17 -0500, Lee Eric wrote:
>> Hi,
>>
>> I'm just thinking why SSL must be enabled when using mod_auth_kerb in
>> httpd. Because password will be transferred in encryption by Kerberos.
>> So is SSL used to protect the tickets or anything else?
>
> I'm not sure if it must be enabled, but there are reasons why it might
> be a good idea. The HTTP authentication protocol used by mod_auth_kerb
> does not protect the data stream, so without a secure channel (i.e.
> SSL), there is nothing connecting the authentication to the request or
> response.
>
> Also, just to nitpick, but Kerberos authentication doesn't transport
> your password at all, even when you get initial tickets.

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
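An added example, not part of the original thread or of the mod_auth_kerb sample configuration: the two setups the thread contrasts, written as alternative Apache httpd configurations. The host name, realm, keytab path, certificate paths and the /private location are assumed placeholders.

```apache
# Constructed example. www.example.com, EXAMPLE.COM, /private and all file
# paths are placeholders. The two virtual hosts are alternatives to compare,
# not a pair to deploy together.

# Weak: Kerberos authentication over plain HTTP. The client is authenticated,
# but the request and response are sent unprotected, and nothing connects
# them to the authentication exchange.
<VirtualHost *:80>
    ServerName www.example.com
    <Location /private>
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbAuthRealms EXAMPLE.COM
        Krb5Keytab /etc/httpd/conf/http.keytab
        KrbMethodNegotiate On
        # On: the module also accepts HTTP Basic credentials and checks them
        # against the KDC, so here a password would cross the wire to httpd.
        KrbMethodK5Passwd On
        Require valid-user
    </Location>
</VirtualHost>

# Corrected: the same location served only inside a TLS channel, which
# protects the data stream that carries both the authentication header and
# the authenticated request and response.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key
    <Location /private>
        # Refuse any request for this location that did not arrive over SSL/TLS.
        SSLRequireSSL
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbAuthRealms EXAMPLE.COM
        Krb5Keytab /etc/httpd/conf/http.keytab
        KrbMethodNegotiate On
        # Off: Negotiate (ticket-based) only, so no password is sent to httpd.
        KrbMethodK5Passwd Off
        Require valid-user
    </Location>
</VirtualHost>
```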
