Apache gss/SPNEGO authentication module



This module is contained in the mod_auth_gss_krb5.c file for Apache 1.3.26, and is not compiled by default. Installation instructions are discussed below.

The most current version of mod_auth_gss_krb5.c can be found at:

  http://prdownloads.sourceforge.net/modgssapache/

This is a module based on Ludek Sulak's and Daniel Kouril's Kerberos authentication module "Using Kerberos for WWW Authentication". It uses Microsoft's example code from the SPNEGO Token Handler API. The browser setup is described in HTTP-Based Cross-Platform Authentication via the Negotiate Protocol.

Author

Please contact M Möller <markus_moeller at compuserve.com> with any questions, concerns, or suggestions regarding this module.




Installation

To install mod_auth_gss_krb5.c, follow these instructions. After unpacking the tarball (with mod_auth_gss_krb5.c copied to src/modules/extra/, where the --activate-module option below expects it), run the configure script:

CFLAGS="-g" \
LDFLAGS="-g" \
INCLUDES="-I/usr/kerberos/include" \
OPTIM="-O2 -march=i586 -mcpu=i686 -fmessage-length=0 \$(OPTIM_ARCH) -DEAPI_MM -fPIC -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -DHARD_SERVER_LIMIT=2048 -DDYNAMIC_MODULE_LIMIT=128 " \
LIBS="-L/usr/X11R6/lib/ -lmm -Wl,-R/usr/kerberos/lib `pwd`/spnegohelp/libspnegohelp.a -L/usr/kerberos/lib -lgssapi_krb5 -ldes425 -lkrb5 -lk5crypto -lcom_err" \
SSL_BASE="SYSTEM" \
./configure \
"--with-layout=Apache" \
"--prefix=/srv/www" \
"--bindir=/usr/bin" \
"--sbindir=/usr/sbin" \
"--datadir=/srv/www" \
"--sysconfdir=/etc/httpd" \
"--mandir=/usr/share/man" \
"--logfiledir=/var/log/httpd" \
"--localstatedir=/var/lib" \
"--runtimedir=/var/run" \
"--libexecdir=/usr/lib/apache" \
"--proxycachedir=/var/cache/http" \
"--includedir=/usr/include/apache" \
"--enable-module=all" \
"--disable-module=example" \
"--enable-module=ssl" \
"--enable-shared=max" \
"--with-perl=/usr/bin/perl" \
"--disable-rule=WANTHSREGEX" \
"--enable-rule=EAPI" \
"--server-uid=wwwrun" \
"--server-gid=nogroup" \
"--enable-suexec" \
"--suexec-caller=wwwrun" \
"--suexec-userdir=public_html" \
"--suexec-uidmin=96" \
"--suexec-gidmin=96" \
"--suexec-safepath=/bin:/usr/bin" \
"--suexec-logfile=/var/log/httpd/suexec.log" \
"--without-confadjust" \
"--activate-module=src/modules/extra/mod_auth_gss_krb5.c"

or use apxs to build it as a dynamic (DSO) module:

/usr/sbin/apxs -i -a -c -DEAPI_MM -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/kerberos/include -L/usr/kerberos/lib -L/usr/lib -Wl,-R/usr/kerberos/lib -Wl,-R/usr/lib -lspnegohelp -lgssapi_krb5 -ldes425 -lkrb5 -lk5crypto -lcom_err mod_auth_gss_krb5.c

The httpd.conf should contain something like:

.
.
.
AddModule mod_auth_gss_krb5.c
#
# This should be changed to whatever you set DocumentRoot to.
#
<Directory "/srv/www/htdocs">

    GssKrb5Keytab "/etc/httpd/HTTP.keytab"
    Krb5Keytab "/etc/httpd/HTTP.keytab"
    KrbAuthRealm REALM
    Krb5SaveCredentials Off
#   AuthType KerberosV5
    AuthType GSS
    GssAuth On
    AuthName "KRB5 Realm"
    require valid-user

</Directory>
.
.
.

with HTTP.keytab containing a service key for HTTP/hostname@REALM, readable by the Apache run user (e.g. wwwrun).
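Before starting Apache it is worth confirming that the keytab really is readable by the run user and by nobody else, since it holds the service's long-term key. The following C program is an added example, not part of mod_auth_gss_krb5, that does that check with stat() only: it takes the run user's uid/gid as arguments (assumed to be looked up beforehand, e.g. with getpwnam("wwwrun")), considers only the primary group, and does not parse the keytab itself, so the HTTP/hostname@REALM entry still has to be confirmed with klist -k. The make_sample_keytab() helper is a constructed stand-in so the check can be exercised offline.

```c
/* Added example (not part of mod_auth_gss_krb5): check that the keytab named
 * by GssKrb5Keytab exists, is readable by the Apache run user and is not
 * readable or writable by "other".  Only stat() is used; the file contents
 * are not inspected. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

enum keytab_status {
    KT_MISSING = 0,   /* no regular file at that path */
    KT_UNREADABLE,    /* the run user cannot read it */
    KT_TOO_OPEN,      /* readable, but also readable or writable by "other" */
    KT_OK             /* readable by the run user, not by the world */
};

/* uid/gid are the Apache run user's (e.g. wwwrun/nogroup).  Assumption: only
 * the primary group is considered; supplementary groups are ignored. */
enum keytab_status keytab_check(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;
    int readable = 0;

    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return KT_MISSING;

    if (st.st_uid == uid && (st.st_mode & S_IRUSR))
        readable = 1;
    else if (st.st_gid == gid && (st.st_mode & S_IRGRP))
        readable = 1;
    else if (st.st_mode & S_IROTH)
        readable = 1;
    if (!readable)
        return KT_UNREADABLE;

    /* The keytab is the service's long-term key: "other" must not reach it. */
    if (st.st_mode & (S_IROTH | S_IWOTH))
        return KT_TOO_OPEN;
    return KT_OK;
}

const char *keytab_status_name(enum keytab_status s)
{
    switch (s) {
    case KT_MISSING:    return "missing";
    case KT_UNREADABLE: return "not readable by the run user";
    case KT_TOO_OPEN:   return "readable by everyone (tighten to 0400 or 0600)";
    case KT_OK:         return "ok";
    }
    return "?";
}

/* Constructed stand-in for a keytab: a temp file with the given mode.  It is
 * not a real keytab; it exists only so the check can be run offline.
 * The caller unlinks and frees the returned path. */
char *make_sample_keytab(mode_t mode)
{
    char tmpl[] = "/tmp/HTTP.keytab.XXXXXX";
    static const char payload[] = "not-a-real-keytab";
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return NULL;
    if (write(fd, payload, sizeof payload - 1) < 0 || fchmod(fd, mode) != 0) {
        close(fd);
        unlink(tmpl);
        return NULL;
    }
    close(fd);
    return strdup(tmpl);
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/etc/httpd/HTTP.keytab";
    /* On a real server pass the run user's ids (from getpwnam("wwwrun"))
     * instead of the current process's. */
    enum keytab_status s = keytab_check(path, getuid(), getgid());
    printf("%s: %s\n", path, keytab_status_name(s));
    return s == KT_OK ? 0 : 1;
}
```

Run it as the run user (or pass that user's ids) against the path given in GssKrb5Keytab; anything other than "ok" means either the module will fail to read its service key or the key is exposed to other local users.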

It was tested with IE 6.0 on Windows XP, Apache 1.3.26 on SuSE Linux 8.x, MIT Kerberos 1.2.4 and a Windows 2000 KDC.


Known issues:



> From: Nebergall, Christopher 
> Sent: Wednesday, March 19, 2003 1:24 PM
> To: krbdev@mit.edu
> Subject: MS SPNEGO Replay Detection
>
> I've been testing SPNEGO tokens sent by Internet Explorer and the token's
> internal Kerberos gss_init_sec_context token sent by IE are occasionally
> being seen as a replay by MIT Kerberos.  This normally only occurs when I
> try to load a page in apache with several images and I frequently reload
> the page.
>
> Here is some sample data from the krb5_authenticator structure that came
> in the Microsoft Kerberos gss-init-sec-context token.
>
> cusec 704858, ctime 1048017875, seq_number 426449224
> *cusec 814233, ctime 1048017875, seq_number 411358733
> *cusec 814233, ctime 1048017875, seq_number 411448245
> cusec 829858, ctime 1048017875, seq_number 411151750
> cusec 907983, ctime 1048017875, seq_number 414548316
> cusec 532983, ctime 1048017879, seq_number 450799590
> cusec 579858, ctime 1048017879, seq_number 449175263
> cusec 595483, ctime 1048017879, seq_number 449262226
> cusec 642358, ctime 1048017879, seq_number 449642092
> cusec 657983, ctime 1048017879, seq_number 449731565
> cusec 767358, ctime 1048017879, seq_number 452922215
> *cusec 829858, ctime 1048017879, seq_number 450993440
> cusec 845483, ctime 1048017879, seq_number 451762662
> *cusec 829858, ctime 1048017879, seq_number 451149585
>
> The cusec times with an asterisk have identical cusec and ctime fields,
> and are seen as a replay by MIT Kerberos, but are not actually replays,
> because the sequence numbers are different. MIT Kerberos seems to start
> seq_numbers at zero, but MS starts at some arbitrary value. Does
> Microsoft implement replay detection differently than MIT Kerberos? If
> so, which is the correct way?
>
> Thanks,
> Christopher Nebergall
>
****************************************************************************

From: Sam Hartman [hartmans@mit.edu]
cc: krbdev@mit.edu
Re: MS SPNEGO Replay Detection

>>>>> "Nebergall," == Nebergall, Christopher <cneberg@sandia.gov> writes:

Nebergall,> I've been testing SPNEGO tokens sent by Internet
Nebergall,> Explorer and the token's internal Kerberos
Nebergall,> gss_init_sec_context token sent by IE are occasionally
Nebergall,> being seen as a replay by MIT Kerberos. This normally
Nebergall,> only occurs when I try to load a page in apache with
Nebergall,> several images and I frequently reload the page.

This is a known bug in the Microsoft implementation.
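As an added illustration of the exchange above (not code from the module, from MIT Kerberos, or from either poster), the C program below runs the authenticator fields quoted in the thread through a simplified model of a replay cache. It assumes the cache key is the authenticator timestamp (ctime, cusec), with client and server names left out because every authenticator in the sample comes from the same client to the same service; under that key the second of each starred pair is rejected exactly as the post describes. A second variant folds seq_number into the key as well and rejects nothing, which shows why the differing sequence numbers alone do not help a cache that never looks at them. The model is a teaching simplification, not the real replay-cache implementation.

```c
/* Added example (not part of mod_auth_gss_krb5 and not MIT Kerberos code): a
 * simplified replay-cache model run over the authenticator fields quoted in
 * the thread above.  Assumption: the cache key is (ctime, cusec); client and
 * server names are omitted because the whole sample is one client talking to
 * one service.  With use_seq set, seq_number is added to the key. */
#include <stdio.h>
#include <stddef.h>

struct authenticator {
    unsigned long cusec;
    unsigned long ctime;
    unsigned long seq_number;
};

/* Sample data copied from Christopher Nebergall's post above. */
static const struct authenticator sample[] = {
    {704858, 1048017875, 426449224},
    {814233, 1048017875, 411358733},
    {814233, 1048017875, 411448245},
    {829858, 1048017875, 411151750},
    {907983, 1048017875, 414548316},
    {532983, 1048017879, 450799590},
    {579858, 1048017879, 449175263},
    {595483, 1048017879, 449262226},
    {642358, 1048017879, 449642092},
    {657983, 1048017879, 449731565},
    {767358, 1048017879, 452922215},
    {829858, 1048017879, 450993440},
    {845483, 1048017879, 451762662},
    {829858, 1048017879, 451149585},
};
#define SAMPLE_LEN (sizeof sample / sizeof sample[0])

#define CACHE_MAX 64

struct replay_cache {
    struct authenticator seen[CACHE_MAX];
    size_t n;
    int use_seq;   /* 0: key = (ctime, cusec); 1: key also includes seq_number */
};

static int same_key(const struct authenticator *a, const struct authenticator *b, int use_seq)
{
    if (a->ctime != b->ctime || a->cusec != b->cusec)
        return 0;
    return use_seq ? (a->seq_number == b->seq_number) : 1;
}

/* Returns 1 if an authenticator with the same key was already accepted
 * (a replay under this model); otherwise stores it and returns 0. */
int rcache_store(struct replay_cache *rc, const struct authenticator *a)
{
    size_t i;
    for (i = 0; i < rc->n; i++)
        if (same_key(&rc->seen[i], a, rc->use_seq))
            return 1;
    if (rc->n < CACHE_MAX)
        rc->seen[rc->n++] = *a;
    return 0;
}

/* Feeds the sample through a fresh cache, writes the indices of rejected
 * authenticators into out (up to max) and returns how many were rejected. */
int rejected_indices(int use_seq, int *out, size_t max)
{
    struct replay_cache rc;
    int rejected = 0;
    size_t i;

    rc.n = 0;
    rc.use_seq = use_seq;
    for (i = 0; i < SAMPLE_LEN; i++) {
        if (rcache_store(&rc, &sample[i])) {
            if ((size_t)rejected < max)
                out[rejected] = (int)i;
            rejected++;
        }
    }
    return rejected;
}

int main(void)
{
    int idx[SAMPLE_LEN];
    int variant, n, k;

    for (variant = 0; variant < 2; variant++) {
        n = rejected_indices(variant, idx, SAMPLE_LEN);
        printf("%s key: %d of %lu rejected as replays",
               variant ? "timestamp+seq" : "timestamp-only",
               n, (unsigned long)SAMPLE_LEN);
        for (k = 0; k < n; k++)
            printf(" [cusec %lu ctime %lu seq %lu]",
                   sample[idx[k]].cusec, sample[idx[k]].ctime, sample[idx[k]].seq_number);
        printf("\n");
    }
    return 0;
}
```

The timestamp-only run rejects the second authenticator of each starred pair (the third and last entries of the sample), so repeated page loads that reuse a microsecond timestamp show up in the Apache error log as replay failures even though each request carried a fresh sequence number.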





© Copyright 2003-2004 M Möller
All Rights Reserved