
[Solved] Resort to username and password after Kerberos failure

Added by flyn almost 6 years ago

I am trying to determine if lighttpd can resort to prompting for a username and password if the client browser does not provide a valid Kerberos credential. I found a proposed patch (lighty-gssapi-r2476.patch) in issue #1899 [1], but I do not see any evidence that it was merged or maintained. I also found some discussion about this topic surrounding Apache's mod_auth_gssapi [2,3].

Does lighttpd support such a configuration? I am interested in configuring my web server to support Kerberos single sign on from the LAN but still allow username/password authentication from the Internet. My installation now supports Kerberos, but it immediately responds to browsers which cannot provide a valid Kerberos credential with a 401/unauthorized error.

[1] https://redmine.lighttpd.net/issues/1899
[2] https://github.com/modauthgssapi/mod_auth_gssapi/issues/8
[3] https://github.com/modauthgssapi/mod_auth_gssapi/issues/9


Replies (2)

RE: Resort to username and password after Kerberos failure - Added by gstrauss almost 6 years ago

My installation now supports Kerberos, but it immediately responds to browsers which cannot provide a valid Kerberos credential with a 401/unauthorized error.

You might be able to use $REQUEST_HEADER["..."] to configure auth to require Kerberos or to require username/password based on what the client sends.

Even better in your case would be if you configured Kerberos auth for anything originating on your LAN, and configured username/password auth (preferably HTTP Digest auth) for requests originating from other networks. See Docs_Configuration and $HTTP["remoteip"].

RE: [Solved] Resort to username and password after Kerberos failure - Added by flyn almost 6 years ago

Thank you for the suggestion.

The configuration I found that works is:

server.modules += ( "mod_auth" )

# Clients in the LAN range must present a Kerberos (GSSAPI/SPNEGO) credential.
$HTTP["remoteip"] == "192.168.1.128/25" {
        auth.backend = "gssapi"
        auth.backend.gssapi.keytab = "/etc/lighttpd/keytab"
        auth.backend.gssapi.principal = "HTTP/www.example.com@EXAMPLE.COM"

        auth.require = (
                "/path" => (
                        "method" => "gssapi",
                        "realm" => "EXAMPLE.COM",
                        "require" => "valid-user"
                )
        )
} else $HTTP["remoteip"] != "" { # Wildcard.
        # Every other client (any non-empty remote IP) is authenticated
        # against the htpasswd file with HTTP Basic auth instead.
        auth.backend = "htpasswd"
        auth.backend.htpasswd.userfile = "/etc/lighttpd/htpasswd"

        auth.require = (
                "/path" => (
                        "method" => "basic",
                        "realm" => "example.com Application",
                        "require" => "valid-user"
                )
        )
}
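The following Python model is an added illustration, not code from the thread or from lighttpd. It re-implements the decision the posted config makes (LAN range gets Kerberos, everyone else gets username/password) with the `ipaddress` module, so you can check which client addresses actually fall inside `192.168.1.128/25` (only .128 through .255 do), and it also models the alternative gstrauss mentioned of choosing the backend from the `Authorization` scheme the client sent. The function names, the sample requests and the plaintext-exposure check are assumptions constructed here; the CIDR, realms and backend names come from the posted config.

```python
"""Model of source-IP and header based auth selection (constructed example).

Assumptions: function names, sample inputs and the exposure check below are
illustrative and not part of lighttpd; the CIDR and realm strings mirror the
configuration posted in the thread.
"""
import ipaddress
from typing import List, Optional

LAN_CIDR = "192.168.1.128/25"                 # from the posted $HTTP["remoteip"] test
KERBEROS_REALM = "EXAMPLE.COM"                # realm of the gssapi block
PASSWORD_REALM = "example.com Application"    # realm of the basic block


def remoteip_matches(client_ip: str, cidr: str) -> bool:
    """Equivalent of lighttpd's $HTTP["remoteip"] == "<cidr>" comparison."""
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(cidr, strict=False)


def select_backend(client_ip: str) -> str:
    """Backend the posted config applies: LAN range -> gssapi, else -> htpasswd."""
    return "gssapi" if remoteip_matches(client_ip, LAN_CIDR) else "htpasswd"


def challenge_headers(backend: str) -> List[str]:
    """WWW-Authenticate value(s) a 401 for the selected backend carries."""
    if backend == "gssapi":
        return ["Negotiate"]
    return ['Basic realm="%s"' % PASSWORD_REALM]


def select_backend_by_header(authorization: Optional[str]) -> Optional[str]:
    """Alternative from the thread: pick the backend from what the client sent in
    $REQUEST_HEADER["Authorization"]. Returns None when the client sent nothing
    usable, meaning the server must still challenge it."""
    if not authorization:
        return None
    scheme = authorization.split(" ", 1)[0].lower()
    return {"negotiate": "gssapi", "basic": "htpasswd", "digest": "htdigest"}.get(scheme)


def password_exposed(backend: str, https: bool) -> bool:
    """Caveat for the Internet-facing branch: Basic auth carries the password
    base64-encoded, so without TLS it is readable on the wire. Digest (as the
    reply prefers) and gssapi do not send the password itself."""
    return backend == "htpasswd" and not https


if __name__ == "__main__":
    # Constructed sample clients: two LAN-side, one outside the /25, one remote.
    for ip in ("192.168.1.200", "192.168.1.5", "203.0.113.7"):
        backend = select_backend(ip)
        print(ip, "->", backend, challenge_headers(backend),
              "exposed-without-TLS" if password_exposed(backend, https=False) else "")
```

Note that `192.168.1.5` is not inside `192.168.1.128/25` even though it sits on the same /24, so a workstation with that address would be prompted for a password rather than offered Kerberos; widen the range or add a second `remoteip` condition if that is not intended.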
