You need to use SSL with mod_auth_kerb so that, if negotiate auth fails and the user is prompted for their username and password, this is protected. mod_auth_kerb uses basic auth to get this info, and your username and password are transmitted in the clear to the server in this scenario. I would never use mod_auth_kerb without SSL.
Tom

On 2011-03-05, at 9:46, Lee Eric <[email protected]> wrote:

> Thanks mate. So it looks like there's no obvious reason to use SSL
> when using Kerberos. But I saw the sample configuration of
> mod_auth_kerb module that indicates "SSLRequireSSL" should be set up
> by using this module. So I want to know what part SSL protects indeed.
>
> Thanks very much.
>
> Eric
>
> On Sat, Mar 5, 2011 at 11:41 PM, Greg Hudson <[email protected]> wrote:
>> On Sat, 2011-03-05 at 04:17 -0500, Lee Eric wrote:
>>> Hi,
>>>
>>> I'm just thinking why SSL must be enabled when using mod_auth_kerb in
>>> httpd. Because password will be transferred in encryption by Kerberos.
>>> So is SSL used to protect the tickets or anything else?
>>
>> I'm not sure if it must be enabled, but there are reasons why it might
>> be a good idea. The HTTP authentication protocol used by mod_auth_kerb
>> does not protect the data stream, so without a secure channel (i.e.
>> SSL), there is nothing connecting the authentication to the request or
>> response.
>>
>> Also, just to nitpick, but Kerberos authentication doesn't transport
>> your password at all, even when you get initial tickets.

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
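As an added illustration (not from the thread, and not mod_auth_kerb's shipped sample config): the plain-HTTP setup Tom warns about, followed by a hardened form that confines the Basic-auth fallback to a TLS vhost and uses SSLRequireSSL so the location can never be served in the clear. The "before" and "after" are alternatives, not one config file; the realm, hostname and file paths are placeholders.

```apache
# Added example, not from the mailing-list thread.
# Placeholders: EXAMPLE.TEST realm, intranet.example.test hostname, keytab/cert paths.

# --- Before (risky): Negotiate with a password fallback on a plain-HTTP vhost ---
# If the client cannot do SPNEGO, mod_auth_kerb falls back to HTTP Basic
# (KrbMethodK5Passwd On) and the username and password cross the wire unencrypted.
<VirtualHost *:80>
    ServerName intranet.example.test
    <Location /secure>
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbAuthRealms EXAMPLE.TEST
        Krb5Keytab /etc/httpd/conf/http.keytab
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        Require valid-user
    </Location>
</VirtualHost>

# --- After (hardened): same authentication, only reachable over TLS ---
<VirtualHost *:443>
    ServerName intranet.example.test
    SSLEngine On
    SSLCertificateFile    /etc/pki/tls/certs/intranet.crt
    SSLCertificateKeyFile /etc/pki/tls/private/intranet.key
    <Location /secure>
        # Refuse to serve this location on any non-TLS connection, even if the
        # block is later copied into an HTTP vhost.
        SSLRequireSSL
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbAuthRealms EXAMPLE.TEST
        Krb5Keytab /etc/httpd/conf/http.keytab
        KrbMethodNegotiate On
        # The Basic fallback now travels inside TLS. Set it to Off if you want
        # ticket-only (SPNEGO) access with no password prompt at all.
        KrbMethodK5Passwd On
        Require valid-user
    </Location>
</VirtualHost>

# Plain-HTTP visitors are redirected to the TLS vhost instead of being prompted.
<VirtualHost *:80>
    ServerName intranet.example.test
    Redirect permanent / https://intranet.example.test/
</VirtualHost>
```

With the hardened form, a quick check is to request the protected path over plain HTTP and confirm you get a redirect rather than a 401 with a `WWW-Authenticate: Basic` header.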
