The module supports both the Kerberos 4 and Kerberos 5 protocols for password verification. The Negotiate mechanism can only be used with Kerberos v5. The module supports both the 1.x and 2.x versions of Apache.
Configuration
This page describes the configuration of module version 5.0. The configuration guide for the older 4.x module can be found here.
Before starting to configure the module, make sure your Kerberos environment is properly configured (i.e. KDC, /etc/krb5.conf, etc.). The easiest way to check is to run the kinit command from the Apache machine to get a ticket for some known principal (preferably the one that will be used to test the module).
Now you have to create a service key for the module, which is needed to perform client authentication. Verification of the Kerberos password has two steps. In the first, the KDC is contacted using the password in an attempt to obtain a ticket for the client. After this ticket is successfully acquired, the module must also verify that the KDC has not been deliberately faked and that the ticket just received can be trusted. If this check were not done, any attacker capable of spoofing the KDC could impersonate any principal registered with the KDC. To perform this check, the Apache module verifies that the KDC knows its service key, which Apache shares with the KDC. This service key must be created when configuring the module. The service key is also needed when the Negotiate method is used; in this case the module acts as a standard Kerberos service (similarly to e.g. kerberized ssh or ftp servers). The default name of the service key is HTTP/
To get the module loaded when Apache starts, add the following line to your httpd.conf:
LoadModule auth_kerb_module libexec/mod_auth_kerb.so
Summary of Supported Directives
AuthType type
For Kerberos authentication to work, AuthType must be set to Kerberos.
For backwards compatibility the values KerberosV4 and KerberosV5 are also supported. Their use is not recommended, though; for finer control use the following three options.
KrbMethodNegotiate on | off
(set to on by default)
Enables or disables the use of the Negotiate method. Support on the browser side is required for this mechanism.
KrbMethodK5Passwd on | off
(set to on by default)
Enables or disables password-based authentication for Kerberos v5.
KrbMethodK4Passwd on | off
(set to on by default)
Enables or disables password-based authentication for Kerberos v4.
KrbAuthoritative on | off
(set to on by default)
If set to off, this directive allows authentication control to be passed on to other modules. Use only if you really know what you are doing.
KrbAuthRealms realm1 [realm2 ... realmN]
This option takes one or more arguments (separated by spaces), specifying the Kerberos realm(s) to be used for authentication. This defaults to the default realm taken from the local Kerberos configuration.
KrbVerifyKDC on | off
(set to on by default)
This option can be used to disable the verification of tickets against the local keytab, which is what protects against KDC spoofing attacks. It should be used only for testing purposes. You have been warned.
KrbServiceName service
(set to HTTP by default)
Specifies the service name that Apache will use for authentication. The corresponding key for this name must be stored in the keytab.
Krb4Srvtab /path/to/srvtab
This option takes one argument, specifying the path to the Kerberos V4 srvtab. If this option is not specified, the "default srvtab" from the Kerberos V4 configuration is used. The srvtab must be readable by the apache process, and should be different from srvtabs containing keys for other services.
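The following httpd.conf fragment ties the directives above together for a protected location. It is an added example, not taken from the mod_auth_kerb documentation; the realm EXAMPLE.COM, the host name www.example.com, the keytab path and the Krb5Keytab directive (a mod_auth_kerb directive that is not listed on this page) are assumptions.

```apacheconf
# Added example, not part of the mod_auth_kerb project docs.
# Assumed placeholders: EXAMPLE.COM, www.example.com, /etc/apache2/http.keytab.
LoadModule auth_kerb_module libexec/mod_auth_kerb.so

<Location /secure>
    AuthType Kerberos
    AuthName "Kerberos Login"

    # Prefer Negotiate (ticket-based); keep the v5 password fallback for
    # browsers without Negotiate support and drop the legacy v4 path.
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    KrbMethodK4Passwd off

    # The password fallback sends the Kerberos password in a Basic header,
    # so require TLS on this location (assumes mod_ssl is loaded).
    SSLRequireSSL

    # Realm(s) accepted for authentication.
    KrbAuthRealms EXAMPLE.COM

    # The service key HTTP/www.example.com@EXAMPLE.COM must be present in
    # this keytab; Krb5Keytab is assumed here, it is not listed on this page.
    KrbServiceName HTTP
    Krb5Keytab /etc/apache2/http.keytab

    # Leave KDC verification on: with it off, a spoofed KDC could be used
    # to impersonate any principal, as described above.
    KrbVerifyKDC on
    KrbAuthoritative on

    Require valid-user
</Location>
```

The keytab must be readable by the user Apache runs as and should hold only the HTTP service key, mirroring the advice given for Krb4Srvtab above.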
Courtesy: http://modauthkerb.sourceforge.net/configure.html