<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />

<title>Apache module mod_auth_gss</title>
</head>
<!-- Background white, links blue (unvisited), navy (visited), red (active) -->

<body bgcolor="#FFFFFF" text="#000000" link="#0000FF"
vlink="#000080" alink="#FF0000">
<div align="CENTER">
<img src="../images/sub.gif" alt="[APACHE DOCUMENTATION]" />

<h3>Apache HTTP Server Version 1.3</h3>
</div>

<h1 align="CENTER">Module mod_auth_gss</h1>
|
<p>This module provides for user authentication using GSSAPI authentication.</p>

<p><a href="module-dict.html#Status"
rel="Help"><strong>Status:</strong></a> Extension<br />
<a href="module-dict.html#SourceFile"
rel="Help"><strong>Source File:</strong></a> mod_auth_gss.c<br />
<a href="module-dict.html#ModuleIdentifier"
rel="Help"><strong>Module Identifier:</strong></a>
auth_gss_module</p>
|
<h2>Summary</h2>

<p>This module implements GSSAPI authentication using the
"WWW-Authenticate: Negotiate" protocol. This typically
requires the client and the server systems to have support for
GSSAPI and a properly configured security mechanism (usually
Kerberos V5) to be used by GSSAPI.</p>
|
<h2>Directives</h2>

<ul>
<li><a href="#authgssservicename">AuthGSSServiceName</a></li>
<li><a href="#authgsskeytabfile">AuthGSSKeytabFile</a></li>
<li><a href="#authgssdebug">AuthGSSDebug</a></li>
</ul>
|
<h2>Using GSSAPI Authentication</h2>

<p>Before using GSSAPI authentication with Apache, the
system must already have been configured to use Kerberos V5
authentication. All of the major Kerberos V5
implementations (MIT KRB5, Heimdal, Sun, IBM, HP, Microsoft)
currently support Kerberos V5 GSSAPI mechanisms.
Configuring Kerberos is beyond the scope of this document.
Adding GSSAPI authentication support to the web extends
single sign-on capabilities to the intranet and reduces
the risks involved in having users constantly enter
username/password combinations when accessing websites.</p>
|
<h3>Configure a Service Principal</h3>
<p>The default service principal that mod_auth_gss will
try to use is "HTTP/f.q.d.n". The key for this principal
must be stored in a keytab file that is readable by the
Apache server, but it should be protected from access
by anyone else, and should <b>definitely not</b> be
stored in an area that can be browsed by clients.</p>

<p>Example: the Apache server is on host "www.foo.com".
Create a principal called "HTTP/www.foo.com".
Store the key for this principal in a protected keytab
file. Using MIT Kerberos V5:</p>
<pre>
$ kadmin
kadmin:  addprinc -randkey HTTP/www.foo.com
kadmin:  ktadd -k /var/apache/http.keytab HTTP/www.foo.com
kadmin:  quit
</pre>
|
<p>Once the keys are created and stored, using GSSAPI
authentication is very simple. Set the authentication
type for the directories being protected to "GSSAPI".
If the keytab or service name chosen is not the default
("/var/apache/http.keytab" and "HTTP", respectively), then
you may use the above mentioned directives to override
the default values. Example:</p>
<pre>
&lt;Directory /var/apache/htdocs/krb5&gt;
    AuthType GSSAPI
    AuthGSSServiceName HTTP
    AuthGSSKeytabFile /var/apache/http.keytab
    AuthGSSDebug 0
    Require valid-user
    AllowOverride All
&lt;/Directory&gt;
</pre>
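<p>As an added example (not part of mod_auth_gss or the Apache
documentation), the following Python audits a keytab against the rules
given above: readable by the httpd user, not readable by anyone else,
and never under a directory that clients can browse. The function names,
the owner-only policy and the constructed demonstration file are this
example's own; the paths are the page's defaults.</p>

```python
import os
import stat
import tempfile

# Added example, not part of mod_auth_gss: checks a keytab against the
# page's rules. Paths are the page's defaults; the function names and the
# owner-only policy are this example's own.
DEFAULT_KEYTAB = "/var/apache/http.keytab"
DEFAULT_DOCROOT = "/var/apache/htdocs"


def audit_keytab_mode(path, mode, owner_uid, httpd_uid, docroot=DEFAULT_DOCROOT):
    """Return a list of findings; an empty list means the keytab is acceptable.

    mode      -- st_mode of the keytab (file type bits included)
    owner_uid -- uid owning the keytab
    httpd_uid -- uid the httpd worker processes run as (assumed to be the
                 only account that needs to read the keytab)
    """
    findings = []
    real = os.path.realpath(path)
    root = os.path.realpath(docroot)
    # Rule 1: never inside an area clients can browse.
    if real == root or real.startswith(root + os.sep):
        findings.append("keytab is inside the document root and could be served to clients")
    # Rule 2: a regular file, readable only by the httpd user.
    if not stat.S_ISREG(mode):
        findings.append("keytab is not a regular file")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("keytab is accessible to group/other (mode %o)" % (mode & 0o777))
    if owner_uid != httpd_uid:
        findings.append("keytab owner uid %d is not the httpd uid %d" % (owner_uid, httpd_uid))
    elif not mode & stat.S_IRUSR:
        findings.append("keytab is not readable by its owner")
    return findings


def audit_keytab(path, httpd_uid, docroot=DEFAULT_DOCROOT):
    """stat() a real keytab and audit it."""
    st = os.stat(path)
    return audit_keytab_mode(path, st.st_mode, st.st_uid, httpd_uid, docroot)


def demo():
    """Constructed demonstration: a 0600 keytab passes, the same file at 0644 does not."""
    with tempfile.TemporaryDirectory() as tmp:
        keytab = os.path.join(tmp, "http.keytab")
        with open(keytab, "wb") as fh:
            fh.write(b"not a real keytab")        # constructed placeholder content
        docroot = os.path.join(tmp, "htdocs")
        os.chmod(keytab, 0o600)
        private = audit_keytab(keytab, os.getuid(), docroot)
        os.chmod(keytab, 0o644)
        loose = audit_keytab(keytab, os.getuid(), docroot)
    return private, loose


if __name__ == "__main__":
    for label, findings in zip(("0600", "0644"), demo()):
        print(label, findings or "OK")
```

<p><code>audit_keytab_mode</code> takes the mode and owner as plain values so
the same check can be run over inventory data collected elsewhere, while
<code>audit_keytab</code> stats the file on the host that runs httpd.</p>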
|
<p>GSSAPI authentication provides a more secure authentication
system, but only works with supporting browsers. As of this writing
(April 2004), the only major browsers which support Negotiate
authentication are <a href="http://www.mozilla.org">Mozilla 1.7
(and later)</a> and <a href="http://www.microsoft.com/windows/ie/">MS Internet
Explorer 5.0</a>.</p>

<p>It is recommended that this authentication method be combined
with TLS security (mod_ssl, for example) to further secure the
authentication data being exchanged.</p>
|
<h2><a id="authgssservicename"
name="authgssservicename">AuthGSSServiceName</a> directive</h2>
<a href="directive-dict.html#Syntax"
rel="Help"><strong>Syntax:</strong></a> AuthGSSServiceName
<em>name</em><br />
<a href="directive-dict.html#Context"
rel="Help"><strong>Context:</strong></a> directory,
.htaccess<br />
<a href="directive-dict.html#Override"
rel="Help"><strong>Override:</strong></a> FileInfo, Indexes, Limit, Options<br />
<a href="directive-dict.html#Status"
rel="Help"><strong>Status:</strong></a> Extension<br />
<a href="directive-dict.html#Module"
rel="Help"><strong>Module:</strong></a> mod_auth_gss

<p>The AuthGSSServiceName directive sets the name of the Kerberos service
principal that the server uses to authenticate client requests.
The fully qualified host name is appended to the name given to
make the complete service principal name, e.g. <b>HTTP/www.foo.com</b>.
</p>
|
<h2><a id="authgsskeytabfile"
name="authgsskeytabfile">AuthGSSKeytabFile</a> directive</h2>
<a href="directive-dict.html#Syntax"
rel="Help"><strong>Syntax:</strong></a> AuthGSSKeytabFile
<em>filename</em><br />
<a href="directive-dict.html#Context"
rel="Help"><strong>Context:</strong></a> directory,
.htaccess<br />
<a href="directive-dict.html#Override"
rel="Help"><strong>Override:</strong></a> FileInfo, Indexes, Limit, Options<br />
<a href="directive-dict.html#Status"
rel="Help"><strong>Status:</strong></a> Extension<br />
<a href="directive-dict.html#Module"
rel="Help"><strong>Module:</strong></a> mod_auth_gss

<p>The AuthGSSKeytabFile directive sets the filename of the
file where the Apache server's Kerberos credentials are stored.</p>
|
<h2><a id="authgssdebug"
name="authgssdebug">AuthGSSDebug</a> directive</h2>
<a href="directive-dict.html#Syntax"
rel="Help"><strong>Syntax:</strong></a> AuthGSSDebug
<em>0 | 1</em><br />
<a href="directive-dict.html#Context"
rel="Help"><strong>Context:</strong></a> directory,
.htaccess<br />
<a href="directive-dict.html#Override"
rel="Help"><strong>Override:</strong></a> FileInfo, Indexes, Limit, Options<br />
<a href="directive-dict.html#Status"
rel="Help"><strong>Status:</strong></a> Extension<br />
<a href="directive-dict.html#Module"
rel="Help"><strong>Module:</strong></a> mod_auth_gss

<p>The AuthGSSDebug directive toggles the debug logging
facility used by the GSSAPI authentication module. 0 disables
debug logging, 1 enables it.</p>
|
<hr />
<h3 align="CENTER">Apache HTTP Server Version 1.3</h3>
<a href="./"><img src="../images/index.gif" alt="Index" /></a>
<a href="../"><img src="../images/home.gif" alt="Home" /></a>

</body>
</html>
|