Date: Mon, 10 Nov 2008 22:53:41 +1000
From: Da Rock <rock_on_the_web@comcen.com.au>
To: freebsd-questions@freebsd.org
Subject: Re: Kerberos keytab
Message-ID: <1226321621.1220.74.camel@laptop1.herveybayaustralia.com.au>
In-Reply-To: <0edc01c9432e$720b9c90$5622d5b0$@com>
References: <0edc01c9432e$720b9c90$5622d5b0$@com>

On Mon, 2008-11-10 at 07:18 -0500, Ansar Mohammed wrote:
> Does anyone know what is the actual purpose of the Kerberos krb5.keytab
> file?
>
> I have a freebsd 7 configured to authenticate users via Kerberos (both
> apache and ssh).
>
> Although the authentication between apache and browser is still basic and
> between the ssh client and server is still keyboard interactive. FreeBSD
> validates the account in the background using Kerberos to AD.

Actually, from my understanding (which may very well be basic, but I have done some very extensive research), browser auth with Kerberos and Apache may be possible on Firefox 2 and IE6. The older browsers are a dead loss, but it will fall back gracefully, I've read.

One thing that makes this possible is navigating to about:config in Firefox and updating the negotiate URIs. In IE6 you don't need to do anything, but that does increase the security risk (ergo the Firefox method of negotiate).

The keytab file (again, only from my understanding) contains the current keys in use mapped to the users. These change as per the Kerberos TTL settings for tickets.

Check the Kerberos site for further, more accurate info, and run a Google search for browser Kerberos auth with Apache. You do need the right module for Apache to achieve this though: mod_auth_kerb. Some only offer a link between Apache and the KDC with base64 encryption.

I'm pretty sure of my facts here, but I'll appreciate a correction of my comments.
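
An added example, not part of the original message or of any Kerberos distribution: a minimal Python reader for the MIT keytab file format (version 0x0502) that lists each entry's principal, key version number and encryption type, and flags DES/RC4 entries. The sample keytab, the realm `EXAMPLE.TEST` and the host `www.example.test` are constructed placeholders.

```python
import struct
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK = {1, 3, 23}  # DES and RC4 enctype numbers

def _counted(buf, pos):  # counted_octet_string: uint16 length, then the bytes
    (n,) = struct.unpack_from(">H", buf, pos)
    if pos + 2 + n > len(buf):
        raise ValueError("string runs past end of entry")
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def _entry(e):  # body of one entry; the key bytes themselves are never returned
    (ncomp,) = struct.unpack_from(">H", e, 0)
    realm, p = _counted(e, 2)
    comps = []
    for _ in range(ncomp):
        c, p = _counted(e, p)
        comps.append(c.decode())
    _ntype, _ts, vno8, etype = struct.unpack_from(">IIBH", e, p)
    _key, p = _counted(e, p + 11)
    # An optional trailing 32-bit kvno overrides the 8-bit one when non-zero.
    vno32 = struct.unpack_from(">I", e, p)[0] if len(e) - p >= 4 else 0
    return {"principal": "/".join(comps) + "@" + realm.decode(), "kvno": vno32 or vno8,
            "enctype": ENCTYPES.get(etype, str(etype)), "weak": etype in WEAK}

def parse_keytab(data):
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, pos = [], 2
    try:
        while pos + 4 <= len(data):
            (size,) = struct.unpack_from(">i", data, pos)
            if size > 0:
                if pos + 4 + size > len(data):
                    raise ValueError("truncated entry")
                out.append(_entry(data[pos + 4:pos + 4 + size]))
            pos += 4 + abs(size)  # a negative size marks a hole left by a deleted entry
    except struct.error as exc:
        raise ValueError("malformed entry") from exc
    return out

def sample_keytab():  # constructed sample: placeholder realm/host, all-zero keys, one hole
    cs = lambda b: struct.pack(">H", len(b)) + b
    def ent(svc, kvno, etype, klen):
        b = (struct.pack(">H", 2) + cs(b"EXAMPLE.TEST") + cs(svc) + cs(b"www.example.test")
             + struct.pack(">IIBH", 1, 0, kvno, etype) + cs(bytes(klen)) + struct.pack(">I", kvno))
        return struct.pack(">i", len(b)) + b
    hole = struct.pack(">i", -6) + bytes(6)
    return b"\x05\x02" + ent(b"HTTP", 3, 18, 32) + hole + ent(b"host", 2, 23, 16)
```

To inspect a real file, pass its bytes to `parse_keytab`, for example `parse_keytab(open(path, "rb").read())` with `path` pointing at the keytab.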