Source directory: /sfw/usr/src/cmd/apache/mod_auth_gss

Files in this directory (10-Nov-2009):
  Makefile            1.5K
  mod_auth_gss.c      17K
  mod_auth_gss.html   6.9K
  README              4.4K

README

Instructions on testing the negotiateauth
mozilla extension with Apache.

Introduction
-----------------
mod_auth_gss (originally from http://modauthkerb.sourceforge.net/) is an
Apache module that provides GSSAPI authentication to the Apache web
server.  It uses the "Negotiate" Auth mechanism, which performs full
Kerberos authentication based on ticket exchanges and does not require
users to enter their passwords in the browser.  In order to use the
Negotiate method you need a browser supporting it (currently standard IE6.0 or
Mozilla with the negotiateauth extension).

The Negotiate mechanism can only be used with Kerberos v5.  The module supports
both 1.x and 2.x versions of Apache.

The use of SSL encryption is also recommended (but not required) if you are
using the Negotiate method: Negotiate authenticates the client, but it does
not protect the requested pages (or anything else in the session) from being
read or modified on the wire.
Installing mod_auth_gss
------------------------

Prerequisites
* Apache server installed.
  Both 1.x and 2.x series of Apache are supported (make sure the apache
  installation contains the apxs command)
  In Solaris - the necessary Apache libraries and headers are
  usually found in /usr/apache.
* Working C compiler.
* GSSAPI library (Solaris - /usr/lib/libgss.so.1)

1. Building the Apache module is simple.
   Find the directory with the source code and Makefile for
   mod_auth_gss.so.
   $ make

2. Installing the Apache module requires 'root' privilege.
   # cp mod_auth_gss.so /usr/apache/libexec

3. Configure apache to use the new module.
   Add the following line to /etc/apache/httpd.conf:
   LoadModule	auth_gss_module	libexec/mod_auth_gss.so

4. Set permissions on the keytab file (created with 'ktadd' in step 2 of
   "Configuring Kerberos" below) so that only the user the apache server
   runs as can read it.  Both commands require 'root' privilege.  For
   example, if the apache server is configured to run as user "nobody":

   # chown nobody /var/apache/http.keytab
   # chmod 400 /var/apache/http.keytab

   The keytab holds the server's long-term Kerberos key; anyone who can
   read it can impersonate the HTTP service, so it must not be
   world-readable and must not live in a web-served directory.

5. Create a directory in the apache 'htdocs' tree that will be used
   to test the GSSAPI/KerberosV5 authentication.
   $ mkdir /var/apache/htdocs/krb5

6. Create a ".htaccess" file for the Kerberos directory (step 5),
   it should contain the following entries:
	AuthType GSSAPI
	Krb5Keytab /var/apache/http.keytab
	GssDebug 1

   * GssDebug is only needed for testing purposes, it causes extra
     DEBUG level messages to be displayed in the Apache error_log file
     (/var/apache/logs/error_log).  Turn it off once testing is
     complete.

7. Put some content in the Kerberos web directory so the tester can
   verify that they accessed the page correctly.

8. Set the "AllowOverride" parameter in /etc/apache/httpd.conf
   to "All" for the Kerberos directory created in step 5.
Ex:
<Directory "/var/apache/htdocs/krb5">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>

   "AllowOverride All" is convenient for testing.  For a production
   server, prefer to place the AuthType/Krb5Keytab directives directly
   in this <Directory> block and leave AllowOverride at "None", so that
   anyone able to write into htdocs cannot change the server's
   authentication configuration through a .htaccess file.

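The installation steps above, collected into one idempotent script.  This is an added example and not part of the mod_auth_gss sources: the ROOT prefix, the APACHE_USER variable and the function names are the editor's own, introduced so the same functions can be exercised against a scratch directory (ROOT=/tmp/scratch) before being run as root with ROOT empty against the real Solaris paths named in the README.

```shell
#!/bin/sh
# Added example (not from the mod_auth_gss sources).  Performs steps 2-8 of
# "Installing mod_auth_gss" as shell functions that can be re-run safely.
# ROOT (assumed, not in the README) prefixes every path so the script can be
# tried in a scratch directory; leave it empty to act on the real system.
ROOT="${ROOT:-}"
APACHE_USER="${APACHE_USER:-nobody}"   # assumed: the User directive in httpd.conf

set_paths() {
    HTTPD_CONF="$ROOT/etc/apache/httpd.conf"
    LIBEXEC="$ROOT/usr/apache/libexec"
    KRB5DIR="$ROOT/var/apache/htdocs/krb5"
    KEYTAB="$ROOT/var/apache/http.keytab"
}
set_paths

# Step 2: install the freshly built module.
install_module() {
    mkdir -p "$LIBEXEC"
    cp "$1" "$LIBEXEC/mod_auth_gss.so"
}

# Steps 3 and 8: add LoadModule and the <Directory> block exactly once;
# the grep guards keep repeated runs from appending duplicates.
configure_httpd() {
    grep -q '^LoadModule[[:space:]]*auth_gss_module' "$HTTPD_CONF" || \
        printf 'LoadModule\tauth_gss_module\tlibexec/mod_auth_gss.so\n' >> "$HTTPD_CONF"
    grep -q "^<Directory \"/var/apache/htdocs/krb5\">" "$HTTPD_CONF" || cat >> "$HTTPD_CONF" <<'EOF'
<Directory "/var/apache/htdocs/krb5">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>
EOF
}

# Steps 5-7: the protected directory, its .htaccess and a marker page.
create_protected_dir() {
    mkdir -p "$KRB5DIR"
    cat > "$KRB5DIR/.htaccess" <<'EOF'
AuthType GSSAPI
Krb5Keytab /var/apache/http.keytab
GssDebug 1
EOF
    printf '<html><body>Kerberos protected page OK</body></html>\n' > "$KRB5DIR/index.html"
}

# Step 4 check: the keytab mode must be exactly 0400 (ls -ld shows -r--------).
keytab_mode_ok() {
    [ -f "$KEYTAB" ] || return 1
    mode=$(ls -ld "$KEYTAB" | cut -c1-10)
    [ "$mode" = "-r--------" ]
}

# Step 4: restrict the keytab to the apache user.  chown needs root, so it is
# skipped when not running as root (scratch-directory runs); chmod always runs.
secure_keytab() {
    [ -f "$KEYTAB" ] || { echo "keytab $KEYTAB missing; run ktadd first" >&2; return 1; }
    if [ "$(id -u)" = 0 ]; then chown "$APACHE_USER" "$KEYTAB"; fi
    chmod 400 "$KEYTAB"
    keytab_mode_ok
}
```

Run the functions in order (install_module, configure_httpd, create_protected_dir, secure_keytab) after 'ktadd' has written the keytab; secure_keytab fails loudly if the keytab is missing or still readable by others.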
Configuring Kerberos
-----------------------

1. Set up Kerberos Server (if you don't already have one).
   Follow basic instructions given at docs.sun.com.  Search for
   "Configuring Kerberos" in the
   "Solaris Administration Guide: Security Services" book.

   - The KDC should be a protected, standalone system.  But for
     internal testing purposes it may be hosted on the same system
     as the Apache web server.

2. Create a Kerberos service key for the Apache server to use for
   authenticating the clients.  Also create a user principal for
   testing the browser later.
   The service principal name used by the "Negotiate" method in IIS and IE
   is "HTTP/<hostname>@REALM", where <hostname> is the fully qualified
   name the browser uses in the URL to reach the server.
   To create this principal for use with the Apache module do the following:
   [ As 'root', on the Apache server ]
   a.  /usr/sbin/kadmin
      - this assumes the KDC setup procedure was followed (step 1).
   b. kadmin: addprinc -randkey HTTP/<fully_qualified_host_name>
   c. kadmin: ktadd -k /var/apache/http.keytab HTTP/<fully_qualified_host_name>
   d. kadmin: addprinc tester
   e. kadmin: quit

   'ktadd' (step c) writes the service key into the keytab; set its
   ownership and mode as described in step 4 of "Installing mod_auth_gss"
   before starting the server.

Testing the 'Negotiate' plugin with mozilla:
--------------------------------------------

1.  The client system must be configured to use Kerberos.
    Setup /etc/krb5/krb5.conf to use the KDC created earlier.

2.  'kinit' to get a TGT as the "tester" principal created
    above in step 2d.
    $ kinit tester
         ( enter password )

3.  Use mozilla (with 'negotiateauth' extension installed)
    to access the Kerberos protected page (created above
    in steps 5-7 of "Installing mod_auth_gss").

    If the pages do not show up, it is probably due to
    a misconfigured Kerberos configuration on the client
    or the server (or both).  There is very little that
    needs to be done for Mozilla or apache.  Check that
    'klist' on the client shows a valid TGT, that the host name in
    the URL matches the HTTP/<fully_qualified_host_name> principal
    stored in the keytab, and (with GssDebug 1) read the server's
    error_log.
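Two checks for the "pages do not show up" case, one against the server and one against the keytab produced in step 2 of "Configuring Kerberos".  This is an added example and not part of the mod_auth_gss sources or the README's procedure: the function names are the editor's, the curl and klist command lines in the comments are the usual way to produce the input, and the embedded sample response and keytab listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the mod_auth_gss sources): diagnostics for the
# "pages do not show up" case.  Both functions read their input on stdin so
# they work on live command output or on a saved copy.

# Does the server challenge with Negotiate at all?  Feed it the headers of an
# unauthenticated request to the protected page, e.g.
#     curl -sI http://<fully_qualified_host_name>/krb5/ | negotiate_challenge_ok
# Returns 0 only for a 401 whose WWW-Authenticate header offers "Negotiate";
# a 200 means the directory is not protected (AllowOverride/.htaccess), and
# a 401 offering only Basic means the module is not loaded or not selected.
negotiate_challenge_ok() {
    status=0; offered=1
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')
        case "$line" in
            "HTTP/"*" 401 "*|"HTTP/"*" 401") status=1 ;;
            [Ww][Ww][Ww]-[Aa]uthenticate:*)
                case "$line" in *Negotiate*) offered=0 ;; esac ;;
        esac
    done
    [ "$status" = 1 ] && [ "$offered" = 0 ]
}

# Does the keytab hold the principal the browser will ask for?  Feed it
#     klist -k /var/apache/http.keytab | keytab_has_http_principal <host>
# where <host> is the fully qualified host name exactly as typed in the URL.
# klist -k prints "KVNO Principal" rows; the match is on HTTP/<host>@ and is
# case-sensitive, because Kerberos principal names are.
keytab_has_http_principal() {
    awk -v p="HTTP/$1@" '
        $1 ~ /^[0-9]+$/ && index($2, p) == 1 { found = 1 }
        END { exit !found }'
}

# Constructed sample inputs (not captured from a real server or keytab).
SAMPLE_CHALLENGE='HTTP/1.1 401 Authorization Required
Date: Tue, 10 Nov 2009 12:00:00 GMT
WWW-Authenticate: Negotiate
Content-Type: text/html'
SAMPLE_KLIST='Keytab name: FILE:/var/apache/http.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/www.example.com@EXAMPLE.COM'

printf '%s\n' "$SAMPLE_CHALLENGE" | negotiate_challenge_ok && \
    echo "server offers Negotiate"
printf '%s\n' "$SAMPLE_KLIST" | keytab_has_http_principal www.example.com && \
    echo "keytab has HTTP/www.example.com"
```

A 401 without "Negotiate" points at the Apache side (module not loaded, .htaccess not honoured); a good challenge with a browser that still fails usually means the host name in the URL and the principal in the keytab disagree, or the client has no TGT.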
    123