Re: Client authentication with Kerberos ticket

From: Yves Martin <yves.martin_at_elca.ch>
Date: 2006-12-21 10:55:52 CET

On Thu, 2006-12-21 at 20:44 +1100, Samay wrote:
> GSSAPI (SPNego) is lot more secure thn Basic method when used over
> HTTP. As
> username/password never travels on the wire. Payload is in clear
> irrespective of the method. I fail to see logic to restrict
> SPNego/GSSAPI to
> HTTPS only!

I'm glad to here that.

On Thu, 2006-12-21 at 10:04 +0100, Steinar Bang wrote:
> >>>>> "D.J. Heap" <djheap@gmail.com>:
> Perhaps the reasoning is that when people wish to use a secure
> authentication method, they wish the entire traffic to be secure and
> should not be fooled to use an open transfer? (not a reasoning I would
> have made, but there you go) Or perhaps it is an artifact of the
> implementation? Ie. it was easier this way?

I think you're right. GSS code seems to re-use the SSL "context"...

For the moment, I configure https to get ticket authentication,
but I'm afraid of performance.

Regards

-- 
Yves Martin
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Received on Thu Dec 21 10:56:45 2006

This message: [ Message body ]
Next message: jonah: "need advice on good subversion client for Mac os x"
Previous message: Samay: "Re: Client authentication with Kerberos ticket"
In reply to: Steinar Bang: "Re: Client authentication with Kerberos ticket"
Next in thread: Yves Martin: "Re: Client authentication with Kerberos ticket"
Reply: Yves Martin: "Re: Client authentication with Kerberos ticket"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]