Instructions on testing the negotiateauth
mozilla extension with Apache.

Introduction
-----------------
mod_auth_gss (originally from http://modauthkerb.sourceforge.net/) is an
Apache module designed to provide GSSAPI authentication to the Apache
web server. It uses the "Negotiate" Auth mechanism, which performs full
Kerberos authentication based on ticket exchanges and does not require
users to enter their passwords into the browser. In order to use the
Negotiate method you need a browser supporting it (currently standard IE6.0 or
Mozilla with the negotiateauth extension).

The Negotiate mechanism can only be used with Kerberos v5. The module supports
both 1.x and 2.x versions of Apache.

The use of SSL encryption is also recommended (but not required) if you are
using the Negotiate method: Negotiate authenticates the user, but it does not
protect the HTTP traffic itself.

Installing mod_auth_gss
------------------------

Prerequisites
  * Apache server installed.
    Both 1.x and 2.x series of Apache are supported (make sure the apache
    installation contains the apxs command).
    On Solaris the necessary Apache 2.x libraries and headers are
    usually found in /usr/apache2.
  * Working C compiler.
  * GSSAPI library (Solaris - /usr/lib/libgss.so.1)

1. Building the Apache module is simple.
   Change to the directory containing the source code and Makefile for
   mod_auth_gss.so, then run:
     $ make

2. Installing the Apache module requires 'root' privilege.
     # cp mod_auth_gss.so /usr/apache2/libexec

3. Configure apache to use the new module.
   Add the following line to /etc/apache2/httpd.conf:
     LoadModule auth_gss_module libexec/mod_auth_gss.so

4. Set permissions on the keytab file (created in step 2 of the Kerberos
   configuration section below) so that only the apache owner can read
   it. For example, if the apache server is configured to run as user
   "nobody" (chown requires 'root'):

     # chown nobody /var/apache2/http.keytab
     # chmod 400 /var/apache2/http.keytab

5. Create a directory in the apache 'htdocs' tree that will be used
   to test the GSSAPI/KerberosV5 authentication.
     $ mkdir /var/apache2/htdocs/krb5

6. Create a ".htaccess" file in the Kerberos directory (step 5);
   it should contain the following entries:
     AuthType GSSAPI
     AuthGSSServiceName HTTP
     AuthGSSKeytabFile /var/apache2/http.keytab
     AuthGssDebug 1

   * AuthGssDebug is only needed for testing purposes; it causes extra
     DEBUG level messages to be written to the Apache error_log file
     (/var/apache2/logs/error_log). Remove it once testing is complete.

7. Put some content in the Kerberos web directory so the tester can
   verify that they accessed the page correctly.

8. Set the "AllowOverride" parameter in /etc/apache2/httpd.conf
   to "All" for the Kerberos directory created in step 5.
   (AllowOverride is only honoured inside a <Directory> section that
   names a filesystem path, not inside <Location>, which takes a URL.)
   Ex:
     <Directory "/var/apache2/htdocs/krb5">
         Options Indexes FollowSymLinks MultiViews
         AllowOverride All
         Require valid-user
     </Directory>

Configuring Kerberos
-----------------------

1. Set up a Kerberos Server (if you don't already have one).
   Follow the basic instructions given at docs.sun.com. Search for
   "Configuring Kerberos" in the
   "Solaris Administration Guide: Security Services" book.

   - The KDC should be a protected, standalone system. But for
     internal testing purposes it may be hosted on the same system
     as the Apache web server.

2. Create a Kerberos service key for the Apache server to use for
   authenticating the clients. Also create a user principal for testing
   the browser later.
   The "Negotiate" method used by IIS and IE expects the service principal
   "HTTP/<hostname>@REALM".
   To create this principal for use with the Apache module do the following:
   [ As 'root', on the Apache server ]
   a. /usr/sbin/kadmin
      - this assumes the KDC setup procedure was followed (step 1).
   b. kadmin: addprinc -randkey HTTP/<fully_qualified_host_name>
   c. kadmin: ktadd -k /var/apache2/http.keytab HTTP/<fully_qualified_host_name>
   d. kadmin: addprinc tester
   e. kadmin: quit

Testing the 'Negotiate' plugin with mozilla:
--------------------------------------------

1. The client system must be configured to use Kerberos.
   Set up /etc/krb5/krb5.conf to use the KDC created earlier.

2. 'kinit' to get a TGT as the "tester" principal created
   above in step 2d.
     $ kinit tester
     ( enter password )

3. Use mozilla (with the 'negotiateauth' extension installed)
   to access the Kerberos protected page (created above
   in steps 4-6).

   If the pages do not show up, it's probably due to a Kerberos
   misconfiguration on the client or the server (or both); the
   AuthGssDebug messages in the Apache error_log (step 6) are the
   first place to look. There is very little that needs to be done
   for Mozilla or apache.