Posted to dev@httpd.apache.org by Bill Stoddard <bi...@wstoddard.com> on 2003/03/12 21:55:33 UTC

Kerberos authentication

Just ran across this and it looks kinda interesting:

http://meta.cesnet.cz/software/heimdal/negotiate.en.html

Anyone have any first hand experience with kerberos authentication in 
the server?

Bill


Re: Kerberos authentication

Posted by Bill Stoddard <bi...@wstoddard.com>.
Dirk-Willem van Gulik wrote:
> 
> On Wed, 12 Mar 2003, Bill Stoddard wrote:
> 
> 
>>Anyone have any first hand experience with kerberos authentication in
>>the server?
> 
> 
> .. well - we have ripped code out of telnet(d) from KTH-their Heimdal's on
> *BSD to do this for a finance customer - who had some (silly but golden)
> policy which made kerberos the only acceptable auth method across certain
> internal network boundaries.
> 
> But we only did auth; nothing else; and only between an apache server and
> an apache proxy. Not between server and client. Nor did we do anything like
> the '-x' from telnetd for encryption.
> 
> It worked well, fast and reliable - which was a surprise as the use you
> now make of Kerberos is quite different than say, for telnet or an
> x-display; lots of concurrent auths for lots of connections.
> 
> See also
> 
> 	http://modauthkerb.sourceforge.net/
> 
> which is a local kerb auth (i.e. the password goes basic auth over http)
> and
> 
> 	http://meta.cesnet.cz/software/heimdal/mod_auth_kerb.c
> 
> which is a hack on the above for the real thing. (It is listed on that
> page - but not linked in).
> 
> Do you need it for anything specific? Can I help?
> 

I got a question from a colleague about getting 'Negotiate' working with
IE. My short answer was 'I have no idea' but it looked interesting 
enough to ask the folks on dev@httpd.

Bill



Re: Kerberos authentication

Posted by Dirk-Willem van Gulik <di...@webweaving.org>.

On Wed, 12 Mar 2003, Bill Stoddard wrote:

> Anyone have any first hand experience with kerberos authentication in
> the server?

.. well - we have ripped code out of telnet(d) from KTH-their Heimdal's on
*BSD to do this for a finance customer - who had some (silly but golden)
policy which made kerberos the only acceptable auth method across certain
internal network boundaries.

But we only did auth; nothing else; and only between an apache server and
an apache proxy. Not between server and client. Nor did we do anything like
the '-x' from telnetd for encryption.

It worked well, fast and reliable - which was a surprise as the use you
now make of Kerberos is quite different than say, for telnet or an
x-display; lots of concurrent auths for lots of connections.

See also

	http://modauthkerb.sourceforge.net/

which is a local kerb auth (i.e. the password goes basic auth over http)
and

	http://meta.cesnet.cz/software/heimdal/mod_auth_kerb.c

which is a hack on the above for the real thing. (It is listed on that
page - but not linked in).

Do you need it for anything specific? Can I help?

Dw