
Apache 2.0 on Fedora Core 1 and Kerberos Authentication with mod_auth_kerb


Disclaimer for lawyers: Everything in this directory and on the whole site that is written by Jan Labanowski is total nonsense. Do not trust anything that this guy wrote. Ask a competent lawyer instead. They can help you for a fee.
 
Uncopyrighted by Jan Labanowski (jlabanow at nd edu) in March 2004.

My needs:

At ND, each person who works or studies here gets a NetID and
a password. This enables people to access the Andrew File System,
read mail, and access private ND Web pages. In my case, I do not need
to access any of the services provided for people who have a NetID/Password.
I only need to restrict my Web pages, stored on a local Web server,
to people with a valid Notre Dame NetID/Password.
Luckily, Notre Dame has a Kerberos 5 server which can authenticate
people against the NetID/Password database. While my machine is not in the
.nd.edu domain (it is: ndscience.org), it will, however, be used to
serve the ND community.

The mod_auth_kerb module for Apache seems to do what I want
(and more, but I do not need more...). Unfortunately, the documentation
that comes with the module leaves some things to trial and error,
so I decided to share my results with others. [Oh well... I did not
include my stupid errors, so I can look smart...].

Prerequisites

Went to: http://modauthkerb.sourceforge.net/index.html
and printed all the docs and downloaded the latest sources
(mod_auth_kerb-5.0-rc4.tar.gz).

Bought myself a book: Jason Garman -- "Kerberos -- The Definitive Guide"
from O'Reilly and read it until I started to understand why people hate
Kerberos.

I also read: http://www.cryptnet.net/fdp/crypto/kerby-infra.html
to be even more educated. This site contains other nice links at the bottom.

I installed the Fedora Core 1 Linux distro ( http://fedora.redhat.com/ )
[Everything!!!] and did all updates with yum
(http://linux.duke.edu/projects/yum)
up to March 27, 2004. The version of Apache after updates was 2.0.48,
and my kernel was 2.4.22-1.2174.nptl.

Testing Kerberos Installation

I needed to edit my /etc/krb5.conf file to put in actual values suitable
for my environment, kindly provided by Matt Chrystal (matt at nd.edu)
who knows this stuff.

Some of the stuff (e.g., the [appdefaults]) is not needed in this
case, but is needed for other things on this machine. Of course,
you need to get your values from some /etc/krb5.conf file on the
machine where Kerberos is running in your organization, or ask a guru,
like I did.

I first checked whether Kerberos works on this machine:

kinit jlabanow
Password for jkl@ccl.net: xxxxxxxx

and then did:

klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: jkl@ccl.net

Valid starting     Expires            Service principal
03/26/04 21:19:48  03/27/04 21:19:48  krbtgt/ND.EDU@ND.EDU

Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached

So it seems to work. Then I did:

kdestroy

to clean up after myself.

Configuring Apache

I configured my Apache to do Basic Authentication to make sure my
config files are OK. I also created certificates for Apache as follows:

cd /etc/httpd/conf
mkdir generic_certificates
mv ssl* generic_certificates
mkdir ssl.crt
mkdir ssl.csr
mkdir ssl.key
/usr/bin/openssl genrsa 1024 > /etc/httpd/conf/ssl.key/server.key
make certreq

It asked me for Country, State... etc. I entered NewLine for the
challenge password (so I do not have to enter a password when Apache
starts up on boot-up). Remember to enter the fully qualified machine
name when it asks for Common Name. In my case it was ndscience.org.

Then I did:

make testcert

and entered the same information as above.

I edited the /etc/httpd/conf.d/ssl.conf file and put there
(just under <VirtualHost _default_:443>) the following:


<Directory "/www/ndscience/html/https">
   AllowOverride Limit AuthConfig Options
   Options Includes Indexes FollowSymLinks MultiViews
   Order allow,deny
   Allow from all
</Directory>

<Directory "/www/ndscience/cgi/https">
    AllowOverride Limit AuthConfig Options
    Options ExecCGI
    SSLOptions +StdEnvVars
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>


This allows me to put the .htaccess file in /www/ndscience/html/https,
where I want to keep my restricted access files.
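
Within one <Directory> block, a later AllowOverride line, or a later Options line written without +/- prefixes, replaces the earlier one, so the cgi block above ends up with AllowOverride None and Options None, and .htaccess files are ignored for that directory. The script below is an added example, not part of the original page; it reports such overwritten lines, and its function names are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): report AllowOverride/Options
# lines that are overwritten later in the same <Directory> block.
overridden_directives() {
    awk '
    /^[ \t]*<Directory/   { sect = $2; gsub(/[">]/, "", sect); split("", seen); next }
    /^[ \t]*<\/Directory/ { sect = ""; next }
    sect == "" { next }
    {
        key = tolower($1)
        if (key != "allowoverride" && key != "options") next
        val = $0; sub(/^[ \t]*[^ \t]+[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
        # "Options +X -Y" merges with earlier values instead of replacing them.
        if (key == "options" && val ~ /^[+-]/) next
        if (key in seen)
            printf "%s %s: \"%s\" is replaced by \"%s\"\n", sect, $1, seen[key], val
        seen[key] = val
    }' "$1"
}

# The two <Directory> blocks from the page, used as sample input.
demo_ssl_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<Directory "/www/ndscience/html/https">
   AllowOverride Limit AuthConfig Options
   Options Includes Indexes FollowSymLinks MultiViews
   Order allow,deny
   Allow from all
</Directory>
<Directory "/www/ndscience/cgi/https">
    AllowOverride Limit AuthConfig Options
    Options ExecCGI
    SSLOptions +StdEnvVars
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>
EOF
    overridden_directives "$f"
    rm -f "$f"
}
demo_ssl_conf
```
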

I cooked up the following .htaccess for testing Basic Authentication
for this directory:

AuthUserFile /etc/httpd/auth/htpasswd-nd
AuthName "For Organizers only"
AuthType Basic

<Limit GET POST PUT>
require valid-user
</Limit>


In /etc/httpd/auth/htpasswd-nd I placed the "password file" for testing:


jkl:jkm6r12t172kw:password jkl
jlabanow:aauGrdl9BQoKg:password jlabanow


The passwords were created with a simple perl one-liner
(crypt takes the password and a "salt" as parameters -- the salt shows
up as the first two characters of the encrypted password):
perl -e 'print crypt("jlabanow", "aa"), "\n"'

Then, I restarted apache as:
/etc/rc.d/init.d/httpd restart

Now, I pointed my Mozilla browser at https://ndscience.org
and accepted the test certificate, and logged in. It worked.

Compiling and Installing mod_auth_kerb

Then I compiled/installed/configured the mod_auth_kerb module.

cd /root
mkdir mod_auth_kerb
cd mod_auth_kerb
mv /xxxx/mod_auth_kerb-5.0-rc4.tar.gz .   # move in the tgz retrieved earlier
tar zxvf mod_auth_kerb-5.0-rc4.tar.gz
cd mod_auth_kerb-5.0-rc4


Educated myself reading a README file and did something else.

cd /root/mod_auth_kerb/mod_auth_kerb-5.0-rc4
./configure --with-krb4=no --with-apache2-apxs=/usr/sbin/apxs \
       --with-krb5=/usr/kerberos --with-apache=/usr

make
make install


I also tried:

cd /root/mod_auth_kerb/mod_auth_kerb-5.0-rc4
./configure --with-krb4=no \
       --with-krb5=/usr/kerberos --with-apache=/usr/lib/httpd/build
make
make install


which also seemed to work.


It spewed a lot of stuff but compiled.
It resulted in the mod_auth_kerb.so being copied to
/usr/lib/httpd/modules/ where Fedora Apache keeps its modules.

Then I added a line to /etc/httpd/conf/httpd.conf where the LoadModule lines are:

LoadModule auth_kerb_module   modules/mod_auth_kerb.so

I created a file /etc/httpd/auth/apache.keytab and made it readable
by all. It is a key entry for the module, and should contain a line
HTTP/your.web.server.name@YOUR_REALM
In my case it was:
HTTP/ndscience.org@ND.EDU

Then I created my .htaccess file under /www/ndscience/html/https
directory which looked like:

AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate off
KrbAuthoritative on
KrbVerifyKDC off
KrbAuthRealm ND.EDU
Krb5Keytab /etc/httpd/auth/apache.keytab
KrbSaveCredentials off

<Limit GET POST>
require valid-user
</Limit>
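
The .htaccess above sets KrbVerifyKDC off, which the mod_auth_kerb documentation describes as a testing-only setting because it disables the check against the local keytab that prevents KDC spoofing, and the keytab described above is a world-readable text file. The script below is an added example, not code from the original page or from the module's authors; it audits a config file for those conditions, and the function names and finding labels are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit the mod_auth_kerb settings
# in an Apache config or .htaccess file. Finding labels are made up here.
audit_krb() {
    conf=$1
    # Last KrbVerifyKDC value in the file; the module default is "on".
    verify=$(awk 'tolower($1) == "krbverifykdc" { v = tolower($2) } END { print v }' "$conf")
    [ "$verify" = "off" ] && echo "KDC_NOT_VERIFIED $conf"
    awk 'tolower($1) == "krb5keytab" { print $2 }' "$conf" | sort -u |
    while read -r kt; do
        if [ ! -f "$kt" ]; then echo "KEYTAB_MISSING $kt"; continue; fi
        # Other-read bit set: any local user can copy the service key.
        [ -n "$(find "$kt" -perm -004)" ] && echo "KEYTAB_WORLD_READABLE $kt"
        # A real keytab is a binary file whose first byte is 0x05.
        first=$(od -An -tx1 -N1 "$kt" | tr -d ' \n')
        [ "$first" = "05" ] || echo "KEYTAB_NOT_BINARY $kt"
    done
    return 0
}

# Constructed sample: the page's .htaccess and one-line text "keytab",
# relocated into a scratch directory.
demo_audit() {
    d=$(mktemp -d)
    printf 'HTTP/ndscience.org@ND.EDU\n' > "$d/apache.keytab"
    chmod 644 "$d/apache.keytab"
    cat > "$d/htaccess" <<EOF
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate off
KrbAuthoritative on
KrbVerifyKDC off
KrbAuthRealm ND.EDU
Krb5Keytab $d/apache.keytab
KrbSaveCredentials off
EOF
    audit_krb "$d/htaccess"
    rm -rf "$d"
}
demo_audit
```

A setup that passes cleanly has KrbVerifyKDC on (the default) and a keytab for HTTP/ndscience.org@ND.EDU issued by the realm's Kerberos administrator, readable only by the account Apache runs as.
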


I put the same into /etc/httpd/conf.d/ssl.conf under the cgi directory:
<Directory "/www/ndscience/cgi/https">
    AllowOverride Limit AuthConfig Options
    Options ExecCGI
    SSLOptions +StdEnvVars
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate off
    KrbAuthoritative on
    KrbVerifyKDC off
    KrbAuthRealm ND.EDU
    Krb5Keytab /etc/httpd/auth/apache.keytab
    KrbSaveCredentials off
    <Limit GET POST>
    require valid-user
    </Limit>
</Directory>

Then I pointed my Mozilla at https://ndscience.org and 
https://ndscience.org/cgi-bin/test.cgi and authenticated
myself. What a joy!!!

I also wanted to check whether I can have a directory where I
authorize only a few people from ND, namely my team. I created
a directory /www/ndscience/html/https/scf-only and placed there
the following .htaccess file:

AuthType Kerberos
AuthName "Kerberos SCF Login"
KrbMethodNegotiate off
KrbAuthoritative on
KrbVerifyKDC off
KrbAuthRealm ND.EDU
Krb5Keytab /etc/httpd/auth/apache.keytab
KrbSaveCredentials off
 
<Limit GET POST>
require user user1@ND.EDU \
             user2@ND.EDU \
             user3@ND.EDU
</Limit>

I also tested the cgi directory -- created /www/ndscience/cgi/https/scf-only,
placed there a simple script test.cgi, and placed the following in
/etc/httpd/conf.d/ssl.conf:

<Directory "/www/ndscience/cgi/https/scf-only">
    AllowOverride Limit AuthConfig Options
    Options ExecCGI
    SSLOptions +StdEnvVars
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
    AuthType Kerberos
    AuthName "Kerberos SCF Login"
    KrbMethodNegotiate off
    KrbAuthoritative on
    KrbVerifyKDC off
    KrbAuthRealm ND.EDU
    Krb5Keytab /etc/httpd/auth/apache.keytab
    KrbSaveCredentials off
    <Limit GET POST>
    require user user1@ND.EDU \
                 user2@ND.EDU \
                 user3@ND.EDU 
    </Limit>
</Directory>

Restarted Apache:
/etc/rc.d/init.d/httpd restart
killed my browser and opened it again.
And tried... And my wishes were granted... It seems to do what it should do.
I could (or could not, if not on the list of users) get into pages:
   https://ndscience.org/ 
   https://ndscience.org/scf-only 
   https://ndscience.org/cgi-bin/test.cgi 
   https://ndscience.org/cgi-bin/scf-only/test.cgi 
and they showed what they were supposed to. Now I need to put something
useful there.
Modified: Tue Mar 8 06:14:20 2005 GMT