
Re: Kerberos authentication for X-Mosaic 2.4 and NCSA HTTPD



>I've implemented kerberos 4 mutual authentication in NCSA's httpd and Mosaic
>for X 2.4.........

If the xmosaic client and the httpd server are in the same realm,
KerberosV4 can handle the mutual authentication very well.
If the xmosaic client and the httpd server are in different realms,
KerberosV4 can handle the mutual authentication only if the
two kerberos servers of the two different realms know each other's secret key.
Suppose there are n realms (such as columbia.edu, cs.cmu.edu, andrew.cmu.edu, etc.)
in the Internet; a realm must know the secret keys of the other n-1 realms
in order for its clients to do authentication with httpd servers in all
other realms. The total number of shared keys will be on the order of O(n^2).
Do you think it is realistic to use KerberosV4 as a global authentication
mechanism in the Internet? KerberosV5 reduces the number of shared keys, but
it is still large (by using a tree structure).
What will happen if one kerberos server is compromised?
Another disadvantage of KerberosV4 is that it provides no mechanism to
detect replay in the protocol. Krb5 provides some detection
mechanism.

By the way, do you think encoding the kerberos ticket into the MIME header is a good
method? Why not do some kerberos authentication before the client and the server
send information to each other? If you modify the httpd server,
I think using the cern_httpd code will save you a lot of work.

Anyway, I think your work is great!

--ltang
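The replay detection mentioned above, as an added illustration that is not part of the original post: Kerberos V5 servers keep a cache of recently seen authenticators and reject one that arrives a second time inside the allowed clock-skew window, which V4 never did. Principal names, the 300-second window and the authenticator fields below are assumed for the example.

```python
from dataclasses import dataclass

CLOCK_SKEW = 300  # seconds; assumed window, matching the common Krb5 default


@dataclass(frozen=True)
class Authenticator:
    """Fields a server needs from a Kerberos authenticator (constructed layout)."""
    client: str   # client principal, e.g. "alice@A.REALM"
    server: str   # service principal the ticket was issued for
    ctime: int    # client timestamp, whole seconds
    cusec: int    # microsecond part; makes (ctime, cusec) unique per client


class ReplayCache:
    """Remember authenticators seen within the skew window; reject repeats."""

    def __init__(self, skew=CLOCK_SKEW):
        self.skew = skew
        self.seen = {}  # (client, server, ctime, cusec) -> time entry can be dropped

    def check(self, auth, now):
        # Drop entries that are too old to be replayed successfully anyway:
        # an authenticator with ctime older than now - skew fails the skew test.
        self.seen = {k: exp for k, exp in self.seen.items() if exp > now}

        # A stale or far-future timestamp is rejected before the cache lookup,
        # so the cache only ever has to cover one skew window of traffic.
        if abs(auth.ctime - now) > self.skew:
            return "rejected: clock skew"

        key = (auth.client, auth.server, auth.ctime, auth.cusec)
        if key in self.seen:
            return "rejected: replay"   # same authenticator presented again

        self.seen[key] = auth.ctime + self.skew
        return "accepted"


if __name__ == "__main__":
    rc = ReplayCache()
    first = Authenticator("alice@A.REALM", "HTTP/www.a.realm@A.REALM", 1000, 1)
    print(rc.check(first, 1000))   # accepted
    print(rc.check(first, 1010))   # rejected: replay
```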


