<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />

<title>Apache module mod_auth_gss</title>
</head>
<!-- Background white, links blue (unvisited), navy (visited), red (active) -->

<body bgcolor="#FFFFFF" text="#000000" link="#0000FF"
vlink="#000080" alink="#FF0000">
<div align="CENTER">
<img src="../images/sub.gif" alt="[APACHE DOCUMENTATION]" />

<h3>Apache HTTP Server Version 1.3</h3>
</div>

<h1 align="CENTER">Module mod_auth_gss</h1>
<p>This module provides for user authentication using GSSAPI.</p>

<p><a href="module-dict.html#Status"
rel="Help"><strong>Status:</strong></a> Extension<br />
<a href="module-dict.html#SourceFile"
rel="Help"><strong>Source File:</strong></a> mod_auth_gss.c<br />
<a href="module-dict.html#ModuleIdentifier"
rel="Help"><strong>Module Identifier:</strong></a>
auth_gss_module</p>

<h2>Summary</h2>

<p>This module implements GSSAPI authentication using the
"WWW-Authenticate: Negotiate" protocol. This typically
requires the client and the server systems to have support for
GSSAPI and a properly configured security mechanism (usually
Kerberos V5) to be used by GSSAPI.</p>

<h2>Directives</h2>

<ul>
<li><a href="#authgssservicename">AuthGSSServiceName</a></li>
<li><a href="#authgsskeytabfile">AuthGSSKeytabFile</a></li>
<li><a href="#authgssdebug">AuthGSSDebug</a></li>
</ul>

<h2>Using GSSAPI Authentication</h2>

<p>Before using GSSAPI authentication with Apache, the
system must already have been configured to use Kerberos V5
authentication. All of the major Kerberos V5
implementations (MIT KRB5, Heimdal, Sun, IBM, HP, Microsoft)
currently support Kerberos V5 GSSAPI mechanisms.
Configuring Kerberos is beyond the scope of this document.
Adding GSSAPI authentication support to the web extends
single sign-on capabilities to the intranet and reduces
the risks involved in having users constantly enter
username/password combinations when accessing websites.</p>

<h3>Configure a Service Principal</h3>
<p>The default service principal that mod_auth_gss will
try to use is "HTTP/f.q.d.n", that is, the "HTTP" service name
followed by the server's fully qualified domain name. The key for
this principal must be stored in a keytab file that is readable by the
Apache server, but it should be protected from access
by anyone else, and should <b>definitely not</b> be
stored in an area that can be browsed by clients.</p>
<p>
Example: the Apache server is on host "www.foo.com".
Create a principal called "HTTP/www.foo.com".
Store the key for this principal in a protected keytab
file. Using MIT Kerberos V5:
</p>
<pre>
$ kadmin
kadmin:  ktadd -k /var/apache/http.keytab HTTP/www.foo.com
kadmin:  quit
</pre>
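<p>The keytab protection requirement above can be checked mechanically before the server is started. The following script is an added example, not part of the Apache documentation or the mod_auth_gss module; the keytab path and the account Apache runs as are assumptions passed in as arguments.</p>

```shell
#!/bin/sh
# Added example (not from the Apache docs): verify that a keytab is readable
# only by the account the web server runs as, which is what the text above
# requires for /var/apache/http.keytab. Path and owner are assumptions.

# check_keytab FILE OWNER
# Returns 0 when FILE is a regular file owned by OWNER with no group or
# other permission bits set (mode 0600 or stricter); returns 1 otherwise.
check_keytab() {
    f="$1"
    want_owner="$2"
    if [ ! -f "$f" ]; then
        echo "keytab $f: missing or not a regular file" >&2
        return 1
    fi
    # "ls -ld" output is portable: "-rw------- 1 owner group size date name"
    line=$(ls -ld "$f")
    mode=$(printf '%s' "$line" | cut -c1-10)
    owner=$(printf '%s' "$line" | awk '{print $3}')
    if [ "$owner" != "$want_owner" ]; then
        echo "keytab $f: owned by $owner, expected $want_owner" >&2
        return 1
    fi
    # Characters 5-10 of the mode string are the group and other bits.
    case "$mode" in
        ????------) ;;   # group and other have no access: acceptable
        *)
            echo "keytab $f: mode $mode is accessible to others; use chmod 600" >&2
            return 1 ;;
    esac
    return 0
}

# Stand-alone demonstration on a constructed temporary file (not a real
# keytab); set KEYTAB_CHECK_DEMO=1 to run it.
if [ "${KEYTAB_CHECK_DEMO:-}" = 1 ]; then
    tmp=$(mktemp)
    chmod 600 "$tmp"
    check_keytab "$tmp" "$(id -un)" && echo "0600 keytab accepted"
    chmod 644 "$tmp"
    check_keytab "$tmp" "$(id -un)" || echo "0644 keytab rejected as expected"
    rm -f "$tmp"
fi
```

Run it against the real keytab as <code>check_keytab /var/apache/http.keytab apache</code> (substituting the user Apache runs as) from a startup or deployment script, and pair it with <code>klist -k</code> on the same file to confirm the HTTP/f.q.d.n principal is actually present.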

<p>Once the keys are created and stored, using GSSAPI
authentication is very simple. Set the authentication
type for the directories being protected to "GSSAPI".
If the service name or keytab chosen is not the default
("HTTP" and "/var/apache/http.keytab", respectively), then
you may use the above mentioned directives to override
the default values. Example:
</p>
<pre>
&lt;Directory /var/apache/htdocs/krb5&gt;
    AuthType GSSAPI
    AuthGSSServiceName HTTP
    AuthGSSKeytabFile /var/apache/http.keytab
    AuthGSSDebug 0
    Require valid-user
    AllowOverride All
&lt;/Directory&gt;
</pre>

<p>GSSAPI authentication provides a more secure authentication
system, but only works with supporting browsers. As of this writing
(April 2004), the only major browsers which support digest
authentication are <a href="http://www.mozilla.org">Mozilla 1.7
(and later)</a>, and <a href="http://www.microsoft.com/windows/ie/">MS Internet
Explorer 5.0</a>.</p>

<p>It is recommended that this authentication method be combined
with TLS security (mod_ssl, for example) to further secure the
authentication data being exchanged.</p>
109 |
<h2><a id="authgssservicename"
|
|
110 |
name="authgssservicename">AuthGSSServiceName</a> directive</h2>
|
|
111 |
<a href="directive-dict.html#Syntax"
|
|
112 |
rel="Help"><strong>Syntax:</strong></a> AuthGSSServiceName
|
|
113 |
<em>name</em><br />
|
|
114 |
<a href="directive-dict.html#Context"
|
|
115 |
rel="Help"><strong>Context:</strong></a> directory,
|
|
116 |
.htaccess<br />
|
|
117 |
<a href="directive-dict.html#Override"
|
|
118 |
rel="Help"><strong>Override:</strong></a> FileInfo, Indexes, Limit, Options<br />
|
|
119 |
<a href="directive-dict.html#Status"
|
|
120 |
rel="Help"><strong>Status:</strong></a> Extension<br />
|
|
121 |
<a href="directive-dict.html#Module"
|
|
122 |
rel="Help"><strong>Module:</strong></a> mod_auth_gss
|
|
123 |
|
|
124 |
<p>The AuthGSSServiceName directive sets the name of Kerberos service
|
|
125 |
principal that the server uses to authenticate the client requests.
|
|
126 |
The name given is appended with the fully qualified host name to
|
|
127 |
make the complete service principal name. Ex: <b>HTTP/www.fooc.om</b>
|
|
128 |
</p>
|
|
129 |
|
|
130 |
<h2><a id="authgsskeytabfile"
|
|
131 |
name="authgsskeytabfile">AuthGSSKeytabFile</a> directive</h2>
|
|
132 |
<a href="directive-dict.html#Syntax"
|
|
133 |
rel="Help"><strong>Syntax:</strong></a> AuthGSSKeytabFile
|
|
134 |
<em>filename</em><br />
|
|
135 |
<a href="directive-dict.html#Context"
|
|
136 |
rel="Help"><strong>Context:</strong></a> directory,
|
|
137 |
.htaccess<br />
|
|
138 |
<a href="directive-dict.html#Override"
|
|
139 |
rel="Help"><strong>Override:</strong></a> FileInfo, Indexes, Limit, Options<br />
|
|
140 |
<a href="directive-dict.html#Status"
|
|
141 |
rel="Help"><strong>Status:</strong></a> Extension<br />
|
|
142 |
<a href="directive-dict.html#Module"
|
|
143 |
rel="Help"><strong>Module:</strong></a> mod_auth_gss
|
|
144 |
|
|
145 |
<p>The AuthGSSKeytabFile directive sets the filename of the
|
|
146 |
file where the Apache server's Kerberos credentials are stored.
|
|
147 |
|
|
148 |
<h2><a id="authgssdebug"
|
|
149 |
name="authgsskeytabfile">AuthGSSDebug</a> directive</h2>
|
|
150 |
<a href="directive-dict.html#Syntax"
|
|
151 |
rel="Help"><strong>Syntax:</strong></a> AuthGSSDebug
|
|
152 |
<em>0 | 1</em><br />
|
|
153 |
<a href="directive-dict.html#Context"
|
|
154 |
rel="Help"><strong>Context:</strong></a> directory,
|
|
155 |
.htaccess<br />
|
|
156 |
<a href="directive-dict.html#Override"
|
|
157 |
rel="Help"><strong>Override:</strong></a> FileInfo, Indexes, Limit, Options<br />
|
|
158 |
<a href="directive-dict.html#Status"
|
|
159 |
rel="Help"><strong>Status:</strong></a> Extension<br />
|
|
160 |
<a href="directive-dict.html#Module"
|
|
161 |
rel="Help"><strong>Module:</strong></a> mod_auth_gss
|
|
162 |
|
|
163 |
<p>The AuthGSSDebug directive toggles the debug logging
|
|
164 |
facility used by the GSSAPI authentication module. 0 disables
|
|
165 |
debug logging, 1 enables it.
|
|
166 |
|
|
167 |
<hr />
|
|
168 |
<h3 align="CENTER">Apache HTTP Server Version 1.3</h3>
|
|
169 |
<a href="./"><img src="../images/index.gif" alt="Index" /></a>
|
|
170 |
<a href="../"><img src="../images/home.gif" alt="Home" /></a>
|
|
171 |
|
|
172 |
</body>
|
|
173 |
</html>
|
|
174 |
|