Feature #1899

Kerberos/GSSAPI Delegation Support

Added by presbrey about 8 years ago. Updated 7 months ago.

Status: Fixed
Priority: Normal
Assignee: -
Category: mod_auth
Target version:
Start date: 2009-02-12
Due date:
% Done: 100%
Missing in 1.5.x: No

Description

This patch set adds Kerberos/GSSAPI authentication and delegation support to lighttpd trunk r2393. This allows lighttpd to accept a user's tickets and act on their principal's behalf.

Features:

  • SPNEGO/Negotiate ticket delegation
  • KRB5CCNAME environment propagation (to mod_cgi, mod_proxy_core, etc.)
  • tested with MIT Kerberos 5 v1.6.3
  • multi-homed server principal support

Example Configuration:

auth.backend = "gssapi"
auth.backend.gssapi.principal = "HTTP"
auth.backend.gssapi.keytab = "/etc/lighttpd/keytab"
auth.require = ( "/" => ( "method" => "gssapi", "realm" => "ATHENA.MIT.EDU", "require" => "valid-user"))

Note: you must enable "Negotiate" authentication and delegation in your browser or client for this to work. For example, Firefox requires two variables be set: network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris.

Attachments:

lighty-gssapi-1.5_presbrey.patch - Main GSSAPI patch (17.2 KB) presbrey, 2009-02-12 23:35

lighty-fixes-1.5_presbrey.patch - Misc fixes to trunk (1.14 KB) presbrey, 2009-02-12 23:35

lighty-gssapi-r2505.patch (28.9 KB) presbrey, 2009-07-14 14:54

lighty-gssapi-r2476.patch (28.4 KB) presbrey, 2009-04-27 14:47
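The SPNEGO/Negotiate feature listed above carries a GSS-API token in the client's Authorization header. As an added illustration that is not part of presbrey's patch or of lighttpd, the Python below builds constructed tokens with the RFC 2743 InitialContextToken framing (0x60, DER length, mechanism OID, inner token) and classifies an incoming Negotiate header as SPNEGO, raw Kerberos 5, or NTLMSSP. Browsers may send NTLMSSP under the same Negotiate scheme, and a Kerberos-only backend should reject such a token rather than treat it as a ticket, so telling the three apart is a useful check in a server or in log review. Function names and the dummy inner payloads are assumptions made for this example.

```python
import base64

# Mechanism OIDs in DER form (tag 0x06, length, content), as they appear in
# the GSS-API InitialContextToken framing of RFC 2743 section 3.1.
OID_SPNEGO = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2


def der_length(n: int) -> bytes:
    """Encode a DER length (short form below 0x80, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def parse_der_length(buf: bytes, pos: int):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    if count == 0 or pos + 1 + count > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count


def build_gss_token(oid_der: bytes, inner: bytes) -> bytes:
    """Wrap a mechanism OID and inner token in the RFC 2743 framing."""
    body = oid_der + inner
    return b"\x60" + der_length(len(body)) + body


def classify_negotiate_token(header_value: str) -> str:
    """Classify an Authorization header value: spnego, krb5, ntlm, unknown,
    malformed, or not-negotiate."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "not-negotiate"
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "malformed"
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"  # NTLMSSP is not GSS-API framed; it is sent raw
    if not raw or raw[0] != 0x60:
        return "unknown"
    try:
        body_len, pos = parse_der_length(raw, 1)
    except (ValueError, IndexError):
        return "malformed"
    if pos + body_len != len(raw) or body_len < 2 or raw[pos] != 0x06:
        return "malformed"
    oid_len = raw[pos + 1]
    if pos + 2 + oid_len > len(raw):
        return "malformed"
    oid_der = raw[pos:pos + 2 + oid_len]
    if oid_der == OID_SPNEGO:
        return "spnego"
    if oid_der == OID_KRB5:
        return "krb5"
    return "unknown"


# Constructed sample headers: the inner payloads are dummy bytes, not real
# tickets or NegTokenInit structures.
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(
    build_gss_token(OID_SPNEGO, b"\xa0\x03\x0a\x01\x00")).decode()
SAMPLE_KRB5 = "Negotiate " + base64.b64encode(
    build_gss_token(OID_KRB5, b"\x01\x00dummy")).decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00\x01\x00\x00\x00").decode()

if __name__ == "__main__":
    for sample in (SAMPLE_SPNEGO, SAMPLE_KRB5, SAMPLE_NTLM, "Basic dXNlcjpwYXNz"):
        print(classify_negotiate_token(sample), sample[:40])
```

Only the outer framing and mechanism OID are inspected; the inner token is left to the Kerberos library, which is where the actual ticket validation against the keytab happens.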

Associated revisions

Revision 1c1a6378 (diff)
Added by gstrauss 7 months ago

[mod_auth] mod_authn_gssapi Kerberos auth backend (fixes #1899)

module status: experimental; more testing and review needed

Kerberos library calls have been preserved from original patch set
and should be reviewed.

module has been quickly tested with Basic auth (Use over TLS!)

SPNEGO has not been tested. Again, kerberos library calls have
been preserved from original patch set. YMMV. (Use over TLS!)

x-ref:
"Kerberos/GSSAPI Delegation Support"
https://redmine.lighttpd.net/issues/1899

History

#1 Updated by presbrey almost 8 years ago

Attached is an updated patch additionally supporting authentication by Kerberos password. When enabled, credentials are requested via Basic Authentication supplementing GSSAPI/Negotiate. This option is disabled by default. Please use SSL when accepting authentication credentials! :)

Example:

auth.backend.gssapi.passwd = "enable"

Output:

$ curl -v https://localhost
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Negotiate
< WWW-Authenticate: Basic realm="Kerberos" 
< Server: lighttpd/1.5.0

Other Notes

This feature is based heavily on Apache mod_auth_kerb's KrbMethodK5Passwd directive. KDC verification against local keytab (KrbVerifyKDC) is ALWAYS performed.
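The curl output above shows the server offering Negotiate and Basic side by side. As an added example that is not part of presbrey's patch or of lighttpd, the Python below parses the WWW-Authenticate challenges from such a response and flags the case this comment warns about: a Basic challenge, which transports the Kerberos password itself, reachable over a plaintext http:// URL. The sample response lines are constructed after the output shown in this comment, and the function names are assumptions.

```python
# Constructed sample, modelled on the curl output in this comment; the Server
# value is illustrative, not captured from a real host.
SAMPLE_401 = [
    "< HTTP/1.1 401 Unauthorized",
    "< WWW-Authenticate: Negotiate",
    '< WWW-Authenticate: Basic realm="Kerberos"',
    "< Server: lighttpd/1.5.0",
]


def parse_challenges(response_lines):
    """Return (scheme, params) tuples from WWW-Authenticate header lines.

    curl's "< " prefix is stripped if present. Only the simple
    comma-separated key=value parameter form is handled, which covers the
    realm= parameter that the Basic challenge carries."""
    challenges = []
    for line in response_lines:
        line = line[2:] if line.startswith("< ") else line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "www-authenticate":
            continue
        scheme, _, rest = value.strip().partition(" ")
        params = {}
        for part in rest.split(","):
            key, eq, val = part.strip().partition("=")
            if eq:
                params[key.strip().lower()] = val.strip().strip('"')
        challenges.append((scheme, params))
    return challenges


def audit_challenges(url, response_lines):
    """Return (schemes offered, findings) for one 401 response."""
    challenges = parse_challenges(response_lines)
    schemes = [scheme for scheme, _ in challenges]
    findings = []
    plaintext = url.lower().startswith("http://")
    if "Basic" in schemes and plaintext:
        findings.append("Basic offered over plaintext HTTP: the Kerberos "
                        "password would be sent base64-encoded, not encrypted")
    if "Negotiate" not in schemes:
        findings.append("no Negotiate challenge: ticket-based login is unavailable")
    return schemes, findings


if __name__ == "__main__":
    for url in ("https://localhost", "http://localhost"):
        schemes, findings = audit_challenges(url, SAMPLE_401)
        print(url, schemes, findings or ["ok"])
```

Run against the https URL the comment uses, the audit returns no findings; the same challenge set on a plain http URL produces the Basic-over-plaintext finding, which is the configuration the password option should never be deployed in.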

#2 Updated by presbrey almost 8 years ago

Attached patch to r2505, tested compatible through latest trunk (r2585).

#3 Updated by Clicky over 6 years ago

Any progress on this? This says that 100% of the work has been done (for more than a year!). And yet, I could not find that auth module in a single release so far. :(

#4 Updated by presbrey over 6 years ago

This feature is completed for lighttpd 1.5 but there aren't yet any 1.5 releases. Here's how to patch and install your own lighttpd 1.5:

$ svn co svn://svn.lighttpd.net/lighttpd/trunk
 U   trunk
Checked out revision 2769.
$ cd trunk
$ wget http://redmine.lighttpd.net/attachments/download/963/lighty-gssapi-r2505.patch
$ patch -p1 < lighty-gssapi-r2505.patch 
patching file src/http_auth.c
Hunk #2 succeeded at 1248 (offset 8 lines).
patching file src/http_auth.h
patching file src/keyvalue.h
patching file src/mod_auth.c
$ ./autogen.sh
$ ./configure
$ make install

#5 Updated by GrayTShirt over 3 years ago

I updated this patch to work with 1.4.32. I've been testing in my Gentoo Overlay
https://raw.github.com/GrayTShirt/phoenix-overlay/master/www-servers/lighttpd/files/lighttpd-1.4.32-gssapi.patch

#6 Updated by stbuehler over 3 years ago

  • Missing in 1.5.x set to No

white-space changes, changed configure option name, C99 comments (//), mixed tabs/spaces for indent in c source - not good to get stuff merged.

But the main problem is that I don't like adding another 1000 lines to mod_auth; I'd be more open to add a new module instead (LDAP should have been put in a separate module too).

#7 Updated by GrayTShirt over 3 years ago

Thanks for the feedback. I'll clean it up and see what I can do about splitting ldap and kerb into their own modules.

#8 Updated by stbuehler over 3 years ago

Don't split ldap... too late for that now :) 1.4.x is the stable series; adding a new module shouldn't break anything, but splitting a module would be a bad idea.

#9 Updated by GrayTShirt over 3 years ago

Hmmm, point taken, I won't split ldap.

#10 Updated by gstrauss 10 months ago

Dan (@GrayTShirt): I took a look at https://github.com/GrayTShirt/phoenix-overlay/tree/master/www-servers/lighttpd/files/
A couple of those patches have been (at least partially) fixed in lighttpd.

The Kerberos/GSSAPI delegation support needs to be reworked to be a separate module from mod_auth (e.g. mod_auth_gssapi to more closely match the directive names). However, some infrastructure work needs to be done in lighttpd to have modules register themselves with mod_auth. Would you be willing to work on that with me?

#11 Updated by gstrauss 8 months ago

4b3a91e6 creates an extensible interface for auth backends, so mod_authn_gssapi.c should now be more straightforward to write.

#12 Updated by gstrauss 7 months ago

  • Status changed from New to Patch Pending
  • Target version set to 1.4.42

Note: mod_authn_gssapi is experimental and needs further review and testing. YMMV.

#13 Updated by gstrauss 7 months ago

  • Status changed from Patch Pending to Fixed
