This module is contained in the mod_auth_gss_krb5.c file for Apache 1.3.26 and is not compiled by default. Installation instructions are given below.
The most current version of mod_auth_gss_krb5.c can be found at:
http://prdownloads.sourceforge.net/modgssapache/
This module is based on Ludek Sulak's and Daniel Kouril's Kerberos authentication module "Using Kerberos for WWW Authentication". It uses Microsoft's example code from the SPNEGO Token Handler API. The browser setup is described in "HTTP-Based Cross-Platform Authentication via the Negotiate Protocol".
Please contact M Möller <markus_moeller at compuserve.com> with any questions, concerns, or suggestions regarding this module.
To install mod_auth_gss_krb5.c, follow these instructions. After unpacking the tarball, run the configure script:
CFLAGS="-g" \
LDFLAGS="-g" \
INCLUDES="-I/usr/kerberos/include" \
OPTIM="-O2 -march=i586 -mcpu=i686 -fmessage-length=0 \$(OPTIM_ARCH) -DEAPI_MM \
  -fPIC -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 \
  -DHARD_SERVER_LIMIT=2048 -DDYNAMIC_MODULE_LIMIT=128 " \
LIBS="-L/usr/X11R6/lib/ -lmm -Wl,-R/usr/kerberos/lib \
  `pwd`/spnegohelp/libspnegohelp.a -L/usr/kerberos/lib -lgssapi_krb5 \
  -ldes425 -lkrb5 -lk5crypto -lcom_err" \
SSL_BASE="SYSTEM" \
./configure \
  "--with-layout=Apache" \
  "--prefix=/srv/www" \
  "--bindir=/usr/bin" \
  "--sbindir=/usr/sbin" \
  "--datadir=/srv/www" \
  "--sysconfdir=/etc/httpd" \
  "--mandir=/usr/share/man" \
  "--logfiledir=/var/log/httpd" \
  "--localstatedir=/var/lib" \
  "--runtimedir=/var/run" \
  "--libexecdir=/usr/lib/apache" \
  "--proxycachedir=/var/cache/http" \
  "--includedir=/usr/include/apache" \
  "--enable-module=all" \
  "--disable-module=example" \
  "--enable-module=ssl" \
  "--enable-shared=max" \
  "--with-perl=/usr/bin/perl" \
  "--disable-rule=WANTHSREGEX" \
  "--enable-rule=EAPI" \
  "--server-uid=wwwrun" \
  "--server-gid=nogroup" \
  "--enable-suexec" \
  "--suexec-caller=wwwrun" \
  "--suexec-userdir=public_html" \
  "--suexec-uidmin=96" \
  "--suexec-gidmin=96" \
  "--suexec-safepath=/bin:/usr/bin" \
  "--suexec-logfile=/var/log/httpd/suexec.log" \
  "--without-confadjust" \
  "--activate-module=src/modules/extra/mod_auth_gss_krb5.c"
Alternatively, use apxs to build and install the module as a dynamic (shared) library:
/usr/sbin/apxs -i -a -c -DEAPI_MM -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 \
  -I/usr/kerberos/include -L/usr/kerberos/lib -L/usr/lib \
  -Wl,-R/usr/kerberos/lib -Wl,-R/usr/lib \
  -lspnegohelp -lgssapi_krb5 -ldes425 -lkrb5 -lk5crypto -lcom_err \
  mod_auth_gss_krb5.c
The httpd.conf should contain something like:
. . .
AddModule mod_auth_gss_krb5.c
#
# This should be changed to whatever you set DocumentRoot to.
#
<Directory "/srv/www/htdocs">
    GssKrb5Keytab "/etc/httpd/HTTP.keytab"
    Krb5Keytab "/etc/httpd/HTTP.keytab"
    KrbAuthRealm REALM
    Krb5SaveCredentials Off
    # AuthType KerberosV5
    AuthType GSS
    GssAuth On
    AuthName "KRB5 Realm"
    require valid-user
. . .
HTTP.keytab must contain the service key HTTP/hostname@REALM and must be readable by the user Apache runs as (e.g. wwwrun).
The module was tested with IE 6.0 on Windows XP, Apache 1.3.26 on SuSE Linux 8.x, MIT Kerberos 1.2.4 and a Windows 2000 KDC.
Known issues:

> From: Nebergall, Christopher
> Sent: Wednesday, March 19, 2003 1:24 PM
> To: krbdev@mit.edu
> Subject: MS SPNEGO Replay Detection
>
> I've been testing SPNEGO tokens sent by Internet Explorer and the token's
> internal Kerberos gss_init_sec_context token sent by IE are occasionally
> being seen as a replay by MIT Kerberos. This normally only occurs when I
> try to load a page in apache with several images and I frequently reload
> the page.
>
> Here is some sample data from the krb5_authenticator structure that came
> in the Microsoft Kerberos gss-init-sec-context token.
>
> cusec 704858, ctime 1048017875, seq_number 426449224
> *cusec 814233, ctime 1048017875, seq_number 411358733
> *cusec 814233, ctime 1048017875, seq_number 411448245
> cusec 829858, ctime 1048017875, seq_number 411151750
> cusec 907983, ctime 1048017875, seq_number 414548316
> cusec 532983, ctime 1048017879, seq_number 450799590
> cusec 579858, ctime 1048017879, seq_number 449175263
> cusec 595483, ctime 1048017879, seq_number 449262226
> cusec 642358, ctime 1048017879, seq_number 449642092
> cusec 657983, ctime 1048017879, seq_number 449731565
> cusec 767358, ctime 1048017879, seq_number 452922215
> *cusec 829858, ctime 1048017879, seq_number 450993440
> cusec 845483, ctime 1048017879, seq_number 451762662
> *cusec 829858, ctime 1048017879, seq_number 451149585
>
> The cusec times with an asterisk have identical cusec and ctime fields,
> and are seen as a replay by MIT Kerberos, but are not actually replays,
> because the sequence numbers are different. MIT Kerberos seems to start
> seq_numbers at zero, but MS starts at some arbitrary value. Does
> Microsoft implement replay detection differently than MIT Kerberos? If
> so, which is the correct way?
>
> Thanks,
> Christopher Nebergall
>
From: Sam Hartman [hartmans@mit.edu]
cc: krbdev@mit.edu
Re: MS SPNEGO Replay Detection

>>>>> "Nebergall," == Nebergall, Christopher <cneberg@sandia.gov> writes:

Nebergall,> I've been testing SPNEGO tokens sent by Internet
Nebergall,> Explorer and the token's internal Kerberos
Nebergall,> gss_init_sec_context token sent by IE are occasionally
Nebergall,> being seen as a replay by MIT Kerberos. This normally
Nebergall,> only occurs when I try to load a page in apache with
Nebergall,> several images and I frequently reload the page.

This is a known bug in the Microsoft implementation.
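The thread above can be reproduced offline: the following is an added example (not part of this module or of the krbdev exchange) that parses the authenticator fields quoted in the mail and runs them through a minimal replay cache, once keyed on (ctime, cusec) as the classic cache is, and once with the sequence number added, to show which tokens get flagged and why. The sample lines are copied from the thread; the key functions and the cache simulation are constructed for the illustration.

```python
import re
# Constructed sample: the authenticator fields quoted in the thread above, copied
# verbatim; the asterisks mark the tokens MIT Kerberos rejected as replays.
SAMPLE_TOKENS = """\
cusec 704858, ctime 1048017875, seq_number 426449224
*cusec 814233, ctime 1048017875, seq_number 411358733
*cusec 814233, ctime 1048017875, seq_number 411448245
cusec 829858, ctime 1048017875, seq_number 411151750
cusec 907983, ctime 1048017875, seq_number 414548316
cusec 532983, ctime 1048017879, seq_number 450799590
cusec 579858, ctime 1048017879, seq_number 449175263
cusec 595483, ctime 1048017879, seq_number 449262226
cusec 642358, ctime 1048017879, seq_number 449642092
cusec 657983, ctime 1048017879, seq_number 449731565
cusec 767358, ctime 1048017879, seq_number 452922215
*cusec 829858, ctime 1048017879, seq_number 450993440
cusec 845483, ctime 1048017879, seq_number 451762662
*cusec 829858, ctime 1048017879, seq_number 451149585
"""

_LINE = re.compile(r"cusec\s+(\d+),\s*ctime\s+(\d+),\s*seq_number\s+(\d+)")

def parse_tokens(text):
    # Returns (cusec, ctime, seq_number) tuples; a leading '*' or '> ' quoting
    # marker is ignored because the pattern is searched, not anchored.
    return [tuple(map(int, m.groups()))
            for m in (_LINE.search(line) for line in text.splitlines()) if m]

def flag_replays(auths, key):
    # Minimal replay cache: a token is flagged when its key was already seen.
    seen, flags = set(), []
    for a in auths:
        k = key(a)
        flags.append(k in seen)
        seen.add(k)
    return flags

def timestamp_key(a):
    # Classic replay-cache key, (ctime, cusec). The client and server names that
    # complete the real key are constant for one browser and one vhost, so omitted.
    cusec, ctime, _seq = a
    return (ctime, cusec)

def timestamp_seq_key(a):
    # Key extended with the per-token sequence number, which tells the starred pairs apart.
    return a

def replayed_indexes(key, text=SAMPLE_TOKENS):
    # Positions (0-based) of the tokens the cache would reject under the given key.
    return [i for i, hit in enumerate(flag_replays(parse_tokens(text), key)) if hit]
```

With the timestamp-only key the second starred token of each pair (positions 2 and 13) is rejected, matching what the mail reports; with the sequence number included nothing is flagged.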
© Copyright 2003-2004 M Möller. All Rights Reserved.