Kerberizing Mosaic/httpd

Purpose:

• Allow mutual authentication between Web client and server

• Server can use client authentication for access control

• Allow for encryption of client request and server response (optional)

• Kerberos info carried inband, with minimal extension of HTTP

How does this work? -- Protocol example

What does it look like?

Status:

• NCSA httpd 1.5 supports Kerberos V4, V5 auth

• Same for XMosaic 2.7 -- Mac, Windows Mosaic support upcomming

• EINet uses Kerberos for auth in their clients, servers (different implementation)

• DES encryption of message using Krb session key is under development