/sfw/usr/src/cmd/apache2/mod_auth_gss

Name               Date         Size
Makefile           10-Nov-2009  1.8K
mod_auth_gss.c     10-Nov-2009  17K
mod_auth_gss.html  10-Nov-2009  6.9K
README             10-Nov-2009  4.4K

README

Instructions on testing the negotiateauth
mozilla extension with Apache.

Introduction
-----------------
mod_auth_gss (originally from http://modauthkerb.sourceforge.net/) is an
Apache module designed to provide GSSAPI authentication to the Apache
web server.  It uses the "Negotiate" authentication mechanism, which
performs full Kerberos authentication based on ticket exchanges and does
not require users to type their passwords into the browser.  In order to
use the Negotiate method you need a browser supporting it (currently
standard IE6.0 or Mozilla with the negotiateauth extension).

The Negotiate mechanism can only be used with Kerberos v5.  The module
supports both 1.x and 2.x versions of Apache.

The use of SSL encryption is also recommended (but not required) if you are
using the Negotiate method.  Negotiate authenticates the client, but it does
not encrypt the HTTP requests or responses; without SSL the protected
content itself still crosses the network in the clear.

Installing mod_auth_gss
------------------------

Prerequisites
* Apache server installed.
  Both 1.x and 2.x series of Apache are supported (make sure the Apache
  installation contains the apxs command).
  In Solaris the necessary Apache 2.x libraries and headers are
  usually found in /usr/apache2.
* Working C compiler.
* GSSAPI library (Solaris - /usr/lib/libgss.so.1)

1. Building the Apache module is simple.
   Find the directory with the source code and Makefile for
   mod_auth_gss.so.
   $ make

2. Installing the Apache module requires 'root' privilege.
   # cp mod_auth_gss.so /usr/apache2/libexec

3. Configure Apache to use the new module.
   Add the following line to /etc/apache2/httpd.conf:
   LoadModule auth_gss_module libexec/mod_auth_gss.so

4. Set permissions on the keytab file (created in step 2 of "Configuring
   Kerberos" below) so that only the Apache owner can read it.  The keytab
   holds the web server's long-term Kerberos key: anyone who can read it
   can impersonate the web server to clients.  This step requires 'root'.
   For example, if the Apache server is configured to run as user "nobody":

   # chown nobody /var/apache2/http.keytab
   # chmod 400 /var/apache2/http.keytab

5. Create a directory in the Apache 'htdocs' tree that will be used
   to test the GSSAPI/KerberosV5 authentication.
   $ mkdir /var/apache2/htdocs/krb5

6. Create a ".htaccess" file for the Kerberos directory (step 5);
   it should contain the following entries:
        AuthType GSSAPI
        AuthGSSServiceName HTTP
        AuthGSSKeytabFile /var/apache2/http.keytab
        AuthGssDebug 1

   * AuthGssDebug is only needed for testing purposes; it causes extra
     DEBUG level messages to be written to the Apache error_log file
     (/var/apache2/logs/error_log).  Remove it once testing is done.

7. Put some content in the Kerberos web directory so the tester can
   verify that they accessed the page correctly.

8. Set the "AllowOverride" parameter in /etc/apache2/httpd.conf
   to "All" for the Kerberos directory created in step 5, so that the
   ".htaccess" file from step 6 is honoured.  Use a <Directory> section:
   AllowOverride is only valid inside <Directory>, and its argument is
   the filesystem path (a <Location> section takes a URL path instead).
Ex:
<Directory "/var/apache2/htdocs/krb5">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
    Require valid-user
</Directory>

Configuring Kerberos
-----------------------

1. Set up a Kerberos server (if you don't already have one).
   Follow the basic instructions given at docs.sun.com.  Search for
   "Configuring Kerberos" in the
   "Solaris Administration Guide: Security Services" book.

   - The KDC should be a protected, standalone system.  But for
     internal testing purposes it may be hosted on the same system
     as the Apache web server.

2. Create a Kerberos service key for the Apache server to use for
   authenticating the clients.  Also create a user principal for testing
   the browser later.
   The service principal name used by the "Negotiate" method (as
   implemented by IIS and IE) is "HTTP/<hostname>@REALM".  The browser
   builds this name from the host name in the URL (some clients
   canonicalize it through DNS first), so <fully_qualified_host_name>
   below must be the name clients actually use to reach the server.
   To create this principal for use with the Apache module do the following:
   [ As 'root', on the Apache server ]
   a. /usr/sbin/kadmin
      - this assumes the KDC setup procedure was followed (step 1).
   b. kadmin: addprinc -randkey HTTP/<fully_qualified_host_name>
   c. kadmin: ktadd -k /var/apache2/http.keytab HTTP/<fully_qualified_host_name>
      - this writes the key into the keytab named by AuthGSSKeytabFile;
        now go back to step 4 of the installation and fix its owner and mode.
   d. kadmin: addprinc tester
   e. kadmin: quit
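
The following shell script is an added example; it is not part of the
mod_auth_gss README or of the module's own tooling.  It pulls together
installation steps 4, 6 and 8 above and step 2 of this section: it renders
the .htaccess and httpd.conf fragments, checks the keytab's owner and mode
the way step 4 requires, and wraps the kadmin commands.  The paths
(/var/apache2/http.keytab, /var/apache2/htdocs/krb5), the httpd user
"nobody" and the use of 'kadmin -q' to run one query per call are
assumptions taken from this README and from standard Kerberos tooling.  The
kadmin and klist calls only run when the script is invoked with the
'deploy' argument, so the rest can be read and exercised without a KDC.

```sh
#!/bin/sh
# Added example (not from the mod_auth_gss README or the module itself).
# Renders the Apache configuration from the steps above, checks the keytab
# permissions required by installation step 4, and wraps the kadmin work
# from step 2 of "Configuring Kerberos".  Paths and the httpd user are
# assumptions taken from the README; override them in the environment.

KEYTAB=${KEYTAB:-/var/apache2/http.keytab}
KRB5DIR=${KRB5DIR:-/var/apache2/htdocs/krb5}
HTTPD_USER=${HTTPD_USER:-nobody}

# Service principal the browser will ask the KDC for: HTTP/<fqdn>@REALM.
# $1 must be the host name clients put in the URL, $2 the Kerberos realm.
service_principal() {
    printf 'HTTP/%s@%s\n' "$1" "$2"
}

# .htaccess for the protected directory (step 6).  $1 = keytab path,
# $2 = 1 to enable AuthGssDebug (testing only; leave it off in production).
render_htaccess() {
    printf 'AuthType GSSAPI\n'
    printf 'AuthGSSServiceName HTTP\n'
    printf 'AuthGSSKeytabFile %s\n' "$1"
    if [ "${2:-0}" = 1 ]; then
        printf 'AuthGssDebug 1\n'
    fi
}

# httpd.conf fragment (step 8).  A <Directory> section, not <Location>:
# AllowOverride is only permitted in <Directory>, and the argument is the
# filesystem path of the directory created in step 5.
render_directory_block() {
    printf '<Directory "%s">\n' "$1"
    printf '    Options Indexes FollowSymLinks MultiViews\n'
    printf '    AllowOverride All\n'
    printf '    Require valid-user\n'
    printf '</Directory>\n'
}

# Step 4 check: the keytab ($1) must exist, be owned by the httpd user ($2)
# and carry no group or world read bits.  Anyone who can read the keytab
# can impersonate the web server, so a readable keytab is a hard failure.
check_keytab_perms() {
    f=$1; want=$2
    if [ ! -f "$f" ]; then
        echo "keytab $f does not exist" >&2; return 1
    fi
    owner=$(ls -ld "$f" | awk '{ print $3 }')
    if [ "$owner" != "$want" ]; then
        echo "keytab $f is owned by $owner, expected $want" >&2; return 1
    fi
    # -perm -040 / -004: group-read or world-read bit set (POSIX find)
    if [ -n "$(find "$f" \( -perm -040 -o -perm -004 \))" ]; then
        echo "keytab $f is readable by group or others" >&2; return 1
    fi
    return 0
}

# Step 2 of "Configuring Kerberos" followed by step 4.  Run as root on the
# Apache server; kadmin prompts for the admin password on each call.
# $1 = fully qualified host name used in the URL, $2 = realm.
deploy() {
    spn=HTTP/$1
    /usr/sbin/kadmin -q "addprinc -randkey $spn"
    /usr/sbin/kadmin -q "ktadd -k $KEYTAB $spn"
    /usr/sbin/kadmin -q "addprinc tester"
    chown "$HTTPD_USER" "$KEYTAB"
    chmod 400 "$KEYTAB"
    check_keytab_perms "$KEYTAB" "$HTTPD_USER"
    # Confirm the key really landed in the keytab before touching Apache.
    klist -k "$KEYTAB" | grep -F "$(service_principal "$1" "$2")"
    render_htaccess "$KEYTAB" 1 > "$KRB5DIR/.htaccess"
    echo "Add this to /etc/apache2/httpd.conf, then restart Apache:"
    render_directory_block "$KRB5DIR"
}

# Only deploy when asked; with no arguments the script just defines the
# functions above, so it can be sourced or tested without a KDC.
if [ "${1:-}" = deploy ]; then
    deploy "$2" "$3"
fi
```

Run it as root with './setup-gss.sh deploy www.example.com EXAMPLE.COM'
(script name and host are placeholders).  The permission check is the part
worth keeping around: re-run 'check_keytab_perms' after any package update
or restore that may have rewritten /var/apache2, since a keytab that becomes
group- or world-readable silently hands the server's key to every local user.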

Testing the 'Negotiate' plugin with mozilla:
--------------------------------------------

1.  The client system must be configured to use Kerberos.
    Set up /etc/krb5/krb5.conf to use the KDC created earlier.

2.  'kinit' to get a TGT as the "tester" principal created
    above in step 2d.
    $ kinit tester
         ( enter password )
    'klist' should then show a ticket-granting ticket for tester@REALM.

3.  Use mozilla (with the 'negotiateauth' extension installed)
    to access the Kerberos protected page (created above
    in steps 5-7).

    If the pages do not show up, it is probably due to
    a misconfigured Kerberos configuration on the client
    or the server (or both).  There is very little that
    needs to be done for Mozilla or Apache.  On the client, check
    with 'klist' that a TGT exists and that a service ticket for
    HTTP/<fully_qualified_host_name> was obtained after the attempt;
    on the server, check the error_log (with AuthGssDebug 1 set) for
    the module's messages.
    123