On Tue, 2016-08-23 at 06:24 +0000, Eichhorn, Thomas wrote:
> Hi,
>
> We use Kerberos for SSO in our local intranet. We followed this tutorial:
> http://www.grolmsnet.de/kerbtut/
> Everything works just fine.
>
> I have a question about security:
>
> Our intranet sites are delivered with HTTP. Can someone intercept the
> Kerberos ticket and use it for himself?
The HTTP/Negotiate protocol unfortunately does not prevent replay attacks, so it can be done if the other endpoint does not use a replay cache. By default MIT's GSSAPI (and Heimdal's, if I recall) enables the replay cache, but some modules (notoriously mod_auth_kerb) just disable it.

Use of HTTPS is recommended. And not just for the server, on the user side too, as a lot of client applications do not even check if the reply from the server is genuine (completing the context establishment phase for mutual authentication) and just accept the 200 OK code as it comes.

HTH,
Simo.

--
Simo Sorce * Red Hat, Inc * New York

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
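To make the replay point concrete, here is an added Python model (not code from the thread, nor from MIT krb5, Heimdal or mod_auth_kerb) of the server side of an HTTP/Negotiate exchange. It reduces the AP-REQ authenticator carried inside the Negotiate token to the fields a replay cache keys on, and compares a server that keeps a replay cache with one that has switched it off, so only the clock-skew check on the authenticator timestamp is left. The principal names, timestamps and the 300-second window are constructed assumptions; real replay caches key differently (recent MIT releases hash the whole authenticator), but the property is the same: a captured token is good for at most one use within the skew window, and for any number of uses without the cache.

```python
"""Toy model of a Kerberos replay cache on an HTTP/Negotiate server.

Added example, not from the thread or from any Kerberos implementation.
It models the AP-REQ authenticator the client sends inside the Negotiate
token and the server's accept/reject decision with and without a replay
cache. Names, timestamps and the skew window are assumptions.
"""
from dataclasses import dataclass

CLOCK_SKEW = 300  # seconds; assumed window, same as MIT's default clockskew


@dataclass(frozen=True)
class Authenticator:
    """Fields of the AP-REQ authenticator that matter for replay detection."""
    client: str  # client principal, e.g. "alice@EXAMPLE.COM"
    server: str  # service principal the ticket was issued for
    ctime: int   # client timestamp, seconds
    cusec: int   # microsecond part of the timestamp


class ReplayCache:
    """Remember (client, server, ctime, cusec) tuples seen within the skew window."""

    def __init__(self, skew=CLOCK_SKEW):
        self.skew = skew
        self._seen = {}  # key -> ctime at which it was recorded

    def _expire(self, now):
        # Entries older than the skew can never be replayed successfully:
        # the timestamp check rejects them anyway, so drop them to bound memory.
        cutoff = now - self.skew
        for key in [k for k, t in self._seen.items() if t < cutoff]:
            del self._seen[key]

    def size(self):
        return len(self._seen)

    def check(self, auth, now):
        """True if the authenticator has not been seen before, False on replay."""
        self._expire(now)
        key = (auth.client, auth.server, auth.ctime, auth.cusec)
        if key in self._seen:
            return False  # replay: the same authenticator presented again
        self._seen[key] = auth.ctime
        return True


def accept_ap_req(auth, now, cache=None):
    """Server-side decision for one Negotiate header.

    cache=None models a server that has turned the replay cache off
    (the mod_auth_kerb case in the reply): only the clock-skew check remains.
    """
    if abs(now - auth.ctime) > CLOCK_SKEW:
        return False  # stale authenticator (KRB_AP_ERR_SKEW), cache or not
    if cache is None:
        return True
    return cache.check(auth, now)


def replay_scenario(with_cache):
    """The client sends once; an eavesdropper replays the captured token.

    Returns the accept/reject outcomes in order: the legitimate request,
    three replays inside the skew window, one replay after the window.
    """
    cache = ReplayCache() if with_cache else None
    auth = Authenticator("alice@EXAMPLE.COM",                    # constructed
                         "HTTP/intranet.example.com@EXAMPLE.COM",  # constructed
                         ctime=1_471_932_000, cusec=123456)         # constructed
    now = auth.ctime + 1
    outcomes = [accept_ap_req(auth, now, cache)]                        # legitimate
    outcomes += [accept_ap_req(auth, now + i, cache) for i in (5, 60, 250)]  # replays
    outcomes.append(accept_ap_req(auth, now + CLOCK_SKEW + 10, cache))  # too old
    return outcomes


if __name__ == "__main__":
    print("with replay cache:   ", replay_scenario(True))
    print("without replay cache:", replay_scenario(False))
```

With the cache the first request is accepted and every replay is refused; without it, every replay inside the skew window is accepted as a fresh login, which is exactly what an eavesdropper on plain HTTP needs. Note that neither setting does anything for the client-side problem in the reply: whether the client verifies the server's final token is a separate check in the client's own GSSAPI context handling.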