Mod_auth_kerb Apache

Posted by Unknown on Tuesday, January 11, 2011

Mod_auth_kerb is an Apache module designed to provide Kerberos authentication to the Apache web server. Using the Basic Auth mechanism, it retrieves a username/password pair from the browser and checks it against a Kerberos server as set up by your particular organization. The module also supports the Negotiate authentication method, which performs full Kerberos authentication based on ticket exchanges and does not require users to enter their passwords into the browser. In order to use the Negotiate method you need a browser that supports it (currently standard IE6.0 or Mozilla with the negotiateauth extension).

The module supports both kerberos4 and kerberos5 protocols for password verification. The Negotiate mechanism can be only used with Kerberos v5. The module supports both 1.x and 2.x versions of Apache.

This page describes the configuration of module version 5.0. The configuration guide for the older 4.x module can be found here.

Before you start configuring the module, make sure your Kerberos environment is properly configured (i.e. KDC, /etc/krb5.conf, etc.). The easiest way to check is to use the kinit command from the Apache machine to get a ticket for some known principal (preferably the one that will be used to test the module).

Now you have to create a service key for the module, which is needed to perform client authentication. Verification of a Kerberos password has two steps. In the first, the KDC is contacted with the password in an attempt to obtain a ticket for the client. After this ticket has been successfully acquired, the module must also verify that the KDC has not been faked and that the ticket just received can be trusted. If this check were not done, any attacker capable of spoofing the KDC could impersonate any principal registered with the KDC. To perform this check, the Apache module verifies that the KDC knows its service key, which Apache shares with the KDC. This service key must be created while configuring the module. The service key is also needed when the Negotiate method is used; in that case the module acts as a standard Kerberos service (similar to, for example, kerberized ssh or ftp servers). The default name of the service key is HTTP/hostname@REALM; another name for the first component (the service part) can be set using the KrbServiceName option. The key must be stored in a keytab on a local disk; the Krb5Keytab and Krb4Srvtab options specify the filename of the keytab. This file should be readable only by the Apache process and should contain only the key used for www authentication.

In order to get the module loaded when Apache starts, add the following line to your httpd.conf:

LoadModule auth_kerb_module libexec/

Summary of Supported Directives
AuthType type

For Kerberos authentication to work, AuthType must be set to

For backwards compatibility the values KerberosV4 and KerberosV5 are also supported. Their use is not recommended, though; for finer control use the following three options.

KrbMethodNegotiate on | off

(set to on by default)

Enables or disables the use of the Negotiate method. This mechanism requires special support on the browser side.

KrbMethodK5Passwd on | off

(set to on by default)

Enables or disables the use of password-based authentication for Kerberos v5.

KrbMethodK4Passwd on | off

(set to on by default)

Enables or disables the use of password-based authentication for Kerberos v4.

KrbAuthoritative on | off

(set to on by default)

If set to off, this directive allows authentication control to be passed on to other modules. Use it only if you really know what you are doing.

KrbAuthRealms realm1 [realm2 ... realmN]

This option takes one or more arguments (separated by spaces), specifying the Kerberos realm(s) to be used for authentication. This defaults to the default realm taken from the local Kerberos configuration.

KrbVerifyKDC on | off

(set to on by default)

This option can be used to disable the verification of tickets against the local keytab that prevents KDC spoofing attacks. It should be used only for testing purposes. You have been warned.

KrbServiceName service

(set to HTTP by default)

Specifies the service name that will be used by Apache for authentication. A corresponding key of this name must be stored in the keytab.

Krb4Srvtab /path/to/srvtab

This option takes one argument, specifying the path to the Kerberos V4 srvtab. If this option is not specified, the "default srvtab" from the Kerberos V4 configuration is used. The srvtab must be readable by the Apache process, and should be different from srvtabs containing keys for other services.
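The directives above combined into one protected location, as an added example that is not part of the original post. The realm EXAMPLE.COM, the host www.example.com, the module path libexec/mod_auth_kerb.so and the keytab path /etc/httpd/conf/http.keytab are assumed values; the kadmin and chmod lines in the comments show one way to produce a keytab that holds only the HTTP key and is readable only by the Apache user.

```apache
# Added example (not from the original post). Assumed: realm EXAMPLE.COM,
# host www.example.com, module under libexec/, keytab at /etc/httpd/conf/.
#
# Create the keytab on the web server first (MIT kadmin, run as root):
#   kadmin -q "ktadd -k /etc/httpd/conf/http.keytab HTTP/www.example.com"
#   chown apache /etc/httpd/conf/http.keytab
#   chmod 400 /etc/httpd/conf/http.keytab
LoadModule auth_kerb_module libexec/mod_auth_kerb.so

<Location /secure>
    # Kerberos selects mod_auth_kerb 5.x; the legacy values KerberosV4 and
    # KerberosV5 are kept for compatibility but the KrbMethod* directives
    # below give finer control.
    AuthType Kerberos
    AuthName "Kerberos Login"

    # Ticket-based login for browsers that support Negotiate ...
    KrbMethodNegotiate on
    # ... and Basic Auth fallback, verified against the KDC, for the rest.
    KrbMethodK5Passwd on
    # Kerberos v4 is obsolete; leave it off unless the realm still needs it.
    KrbMethodK4Passwd off

    # Realm(s) the authenticating principal may belong to.
    KrbAuthRealms EXAMPLE.COM

    # Service key HTTP/www.example.com@EXAMPLE.COM lives in this keytab,
    # which must be readable only by the httpd user and hold only this key.
    KrbServiceName HTTP
    Krb5Keytab /etc/httpd/conf/http.keytab

    # Keep KDC verification on: with it off, a spoofed KDC could hand out a
    # ticket for any password and the module would accept any principal.
    KrbVerifyKDC on

    # Do not let a failed Kerberos login fall through to other auth modules.
    KrbAuthoritative on

    Require valid-user
</Location>
```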
