Apache 2.0 on Fedora Core 1 and Kerberos Authentication with mod_auth_kerb
Disclaimer for lawyers: Everything in this directory and in the whole
site which is written by Jan Labanowski is total nonsense.
Do not trust anything this guy wrote. Ask a competent lawyer
instead. They can help you for a fee.
Uncopyrighted by Jan Labanowski (jlabanow at nd edu) in March 2004.
My needs:
At ND, each person who works/studies here gets his/her NetID and
Password. This enables people to access the Andrew File System,
read mail, and access private ND Web pages. In my case, I do not need
to access any of the services provided for people who have a NetID/Password.
I only need to restrict my Web pages, stored on a local Web server,
to people with a valid Notre Dame NetID/Password.
Luckily, Notre Dame has a Kerberos 5 server which can authenticate
people against the NetID/Password database. Although my machine is not in the
.nd.edu domain (it is ndscience.org), it will be used to
serve the ND community.
The mod_auth_kerb module for Apache seems to do what I want
(and more, but I do not need more...). Unfortunately, the documentation
that comes with the module leaves some things to trial and error,
so I decided to share my results with others. [Oh well... I did not
include my stupid errors, so I can look smart...]
Prerequisites
Went to: http://modauthkerb.sourceforge.net/index.html
and printed all the docs and downloaded the latest sources
(mod_auth_kerb-5.0-rc4.tar.gz).
Bought myself a book: Jason Garman -- "Kerberos -- The Definitive Guide"
from O'Reilly and read it until I started to understand why people hate
Kerberos.
I also read: http://www.cryptnet.net/fdp/crypto/kerby-infra.html
to be even more educated. This site contains other nice links at the bottom.
I have installed Fedora Core 1 Linux distro ( http://fedora.redhat.com/ )
[Everything!!!] and did all updates with yum
(http://linux.duke.edu/projects/yum)
up to March 27, 2004. The version of Apache after updates was: 2.0.48,
and my kernel was: 2.4.22-1.2174.nptl.
Testing Kerberos Installation
I needed to edit my /etc/krb5.conf file to put actual values suitable
for my environment, kindly provided by Matt Chrystal (matt at nd.edu)
who knows this stuff.
Some of the stuff (e.g., the [appdefaults]) is not needed in this
case, but is needed for other things on this machine. Of course,
you need to get your values from some /etc/krb5.conf file on the
machine where kerberos is running in your organization, or ask a guru,
like I did.
I first checked whether Kerberos works on this machine:
kinit jlabanow
Password for jkl@ccl.net: xxxxxxxx
and then did:
klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: jkl@ccl.net
Valid starting Expires Service principal
03/26/04 21:19:48 03/27/04 21:19:48 krbtgt/ND.EDU@ND.EDU
Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
So it seems to work. Then I did:
kdestroy
to clean after myself.
Configuring Apache
I configured my Apache to do Basic Authentication to make sure my
config files are OK. I also created certificates for Apache as follows:
cd /etc/httpd/conf
mkdir generic_certificates
mv ssl* generic_certificates
mkdir ssl.crt
mkdir ssl.csr
mkdir ssl.key
/usr/bin/openssl genrsa 1024 > /etc/httpd/conf/ssl.key/server.key
make certreq
It asked me for Country, State, etc. I just pressed Enter at the
challenge password prompt (so I do not have to enter a password when Apache
starts up on boot). Remember to enter the fully qualified machine
name when it asks for Common Name. In my case it was ndscience.org.
Then I did:
make testcert
and entered the same information as above.
I edited the /etc/httpd/conf.d/ssl.conf file and put there
(just under <VirtualHost _default_:443>) the following
<Directory "/www/ndscience/html/https">
AllowOverride Limit AuthConfig Options
Options Includes Indexes FollowSymLinks MultiViews
Order allow,deny
Allow from all
</Directory>
<Directory "/www/ndscience/cgi/https">
AllowOverride Limit AuthConfig Options
Options ExecCGI
SSLOptions +StdEnvVars
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
This allows me to put the .htaccess file in /www/ndscience/html/https,
where I want to keep my restricted-access files.
I cooked the following .htaccess for testing Basic Authentication
for this directory:
AuthUserFile /etc/httpd/auth/htpasswd-nd
AuthName "For Organizers only"
AuthType Basic
<Limit GET POST PUT>
require valid-user
</Limit>
In /etc/httpd/auth/htpasswd-nd I placed the "password file" for testing:
jkl:jkm6r12t172kw:password jkl
jlabanow:aauGrdl9BQoKg:password jlabanow
The passwords were created with a simple perl one-liner
(crypt takes password and "salt" as parameters -- the salt shows
as first two characters of the password):
perl -e 'print crypt("jlabanow", "aa"), "\n"'
Then, I restarted apache as:
/etc/rc.d/init.d/httpd restart
Now, I pointed my Mozilla browser at https://ndscience.org
and accepted the test certificate, and logged in. It worked.
Compiling and Installing mod_auth_kerb
Then I compiled/installed/configured the mod_auth_kerb module.
cd /root
mkdir mod_auth_kerb
cd mod_auth_kerb
mv /xxxx/mod_auth_kerb-5.0-rc4.tar.gz .   # the tgz retrieved earlier
tar zxvf mod_auth_kerb-5.0-rc4.tar.gz
cd mod_auth_kerb-5.0-rc4
Educated myself by reading the README file and then did the following:
cd /root/mod_auth_kerb/mod_auth_kerb-5.0-rc4
./configure --with-krb4=no --with-apache2-apxs=/usr/sbin/apxs \
--with-krb5=/usr/kerberos --with-apache=/usr
make
make install
I also tried:
cd /root/mod_auth_kerb/mod_auth_kerb-5.0-rc4
./configure --with-krb4=no \
--with-krb5=/usr/kerberos --with-apache=/usr/lib/httpd/build
make
make install
which also seemed to work.
It spewed a lot of stuff but compiled.
It resulted in the mod_auth_kerb.so being copied to
/usr/lib/httpd/modules/ where Fedora Apache keeps its modules.
Then I added a line to /etc/httpd/conf/httpd.conf where the LoadModule lines are:
LoadModule auth_kerb_module modules/mod_auth_kerb.so
I created a file /etc/httpd/auth/apache.keytab and made it readable
by all. It holds the key entry for the module, and should contain a line
of the form
In my case it was:
HTTP/ndscience.org@ND.EDU
Then I created my .htaccess file under /www/ndscience/html/https
directory which looked like:
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate off
KrbAuthoritative on
KrbVerifyKDC off
KrbAuthRealm ND.EDU
Krb5Keytab /etc/httpd/auth/apache.keytab
KrbSaveCredentials off
<Limit GET POST>
require valid-user
</Limit>
I put the same directives into /etc/httpd/conf.d/ssl.conf for the cgi directory:
<Directory "/www/ndscience/cgi/https">
AllowOverride Limit AuthConfig Options
Options ExecCGI
SSLOptions +StdEnvVars
AllowOverride None
Options None
Order allow,deny
Allow from all
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate off
KrbAuthoritative on
KrbVerifyKDC off
KrbAuthRealm ND.EDU
Krb5Keytab /etc/httpd/auth/apache.keytab
KrbSaveCredentials off
<Limit GET POST>
require valid-user
</Limit>
</Directory>
Then I pointed my Mozilla at https://ndscience.org and
https://ndscience.org/cgi-bin/test.cgi and authenticated
myself. What a joy!!!
I also wanted to check whether I can have a directory where only
a few people from ND, namely my team, are authorized. I created
a directory /www/ndscience/html/https/scf-only and placed there
the following .htaccess file:
AuthType Kerberos
AuthName "Kerberos SCF Login"
KrbMethodNegotiate off
KrbAuthoritative on
KrbVerifyKDC off
KrbAuthRealm ND.EDU
Krb5Keytab /etc/httpd/auth/apache.keytab
KrbSaveCredentials off
<Limit GET POST>
require user user1@ND.EDU \
user2@ND.EDU \
user3@ND.EDU
</Limit>
I also tested the cgi directory: created /www/ndscience/cgi/https/scf-only,
placed there a simple script test.cgi, and placed the following in
/etc/httpd/conf.d/ssl.conf:
<Directory "/www/ndscience/cgi/https/scf-only">
AllowOverride Limit AuthConfig Options
Options ExecCGI
SSLOptions +StdEnvVars
AllowOverride None
Options None
Order allow,deny
Allow from all
AuthType Kerberos
AuthName "Kerberos SCF Login"
KrbMethodNegotiate off
KrbAuthoritative on
KrbVerifyKDC off
KrbAuthRealm ND.EDU
Krb5Keytab /etc/httpd/auth/apache.keytab
KrbSaveCredentials off
<Limit GET POST>
require user user1@ND.EDU \
user2@ND.EDU \
user3@ND.EDU
</Limit>
</Directory>
Restarted Apache:
/etc/rc.d/init.d/httpd restart
killed my browser and opened it again.
And tried... And my wishes were granted... It seems to do what it should do.
I could (or could not, if not on the list of users) get into pages:
https://ndscience.org/
https://ndscience.org/scf-only
https://ndscience.org/cgi-bin/test.cgi
https://ndscience.org/cgi-bin/scf-only/test.cgi
and they showed what they were supposed to. Now I need to put something
useful there.