Mod_auth_kerb is an Apache module designed to provide Kerberos authentication
to the Apache web server. Using the Basic Auth mechanism, it retrieves a
username/password pair from the browser and checks them against a Kerberos server.
Mod_auth_kerb also supports the Negotiate
authentication method, which performs full Kerberos authentication based on certificate
exchanges, and does not require users to insert their passwords to the browser.
In order to use the Negotiate method you need a browser supporting it (currently
standard IE6.0 or Mozilla with the Negotiateauth extension).
Negotiateauth is a plugin for Mozilla-based browsers supporting the HTTP Negotiate
authentication method. This adds support for the Kerberos mechanism and uses Kerberos
certificates for authentication instead of passwords so the users' Kerberos passwords will
no longer be transfered to the web server.
Mod_auth_kerb supports both kerberos4 and kerberos5 protocols for password verification.
The Negotiate mechanism can be only used with Kerberos v5. It supports
both 1.x and 2.x versions of Apache.
If you are using the Basic Auth mechanism, the module does not do any special
encryption of any sort. The passing of the username and password is done with
the same Base64 encoding that Basic Auth uses. This can easily be converted to
plain text. It is recommended that mod_ssl or Apache-SSL be used. The use of SSL encryption
is also recommended if you are using the Negotiate method.