Kerberos/GSSAPI Delegation Support
This patch set adds Kerberos/GSSAPI authentication and delegation support to lighttpd trunk r2393. This allows lighttpd to accept a user's tickets and act on their principal's behalf.
- SPNEGO/Negotiate ticket delegation
- KRB5CCNAME environment propagation (to mod_cgi, mod_proxy_core, etc)
- tested with MIT Kerberos 5 v1.6.3
- multi-homed server principal support
auth.backend = "gssapi" auth.backend.gssapi.principal = "HTTP" auth.backend.gssapi.keytab = "/etc/lighttpd/keytab" auth.require = ( "/" => ( "method" => "gssapi", "realm" => "ATHENA.MIT.EDU", "require" => "valid-user"))
Note: you must enable "Negotiate" authentication and delegation in your browser or client for this to work. For example, Firefox requires two variables be set:
[mod_auth] mod_authn_gssapi Kerberos auth backend (fixes #1899)
module status: experimental; more testing and review needed
Kerberos library calls have been preserved from original patch set
and should be reviewed.
module has been quickly tested with Basic auth (Use over TLS!)
has not been tested. Again, kerberos library calls have
been preserved from original patch set. YMMV. (Use over TLS!)
"Kerberos/GSSAPI Delegation Support"
Updated by presbrey over 9 years ago
Attached is an updated patch additionally supporting authentication by Kerberos password. When enabled, credentials are requested via Basic Authentication supplementing GSSAPI/Negotiate. This option is disabled by default. Please use SSL when accepting authentication credentials! :)
auth.backend.gssapi.passwd = "enable"
$ curl -v https://localhost < HTTP/1.1 401 Unauthorized < WWW-Authenticate: Negotiate < WWW-Authenticate: Basic realm="Kerberos" < Server: lighttpd/1.5.0
This feature is based heavily on Apache mod_auth_kerb's KrbMethodK5Passwd directive. KDC verification against local keytab (KrbVerifyKDC) is ALWAYS performed.
Updated by presbrey about 8 years ago
This feature is completed for lighttpd 1.5 but there aren't yet any 1.5 releases. Here's how to patch and install your own lighttpd 1.5:
$ svn co svn://svn.lighttpd.net/lighttpd/trunk U trunk Checked out revision 2769. $ cd trunk $ wget http://redmine.lighttpd.net/attachments/download/963/lighty-gssapi-r2505.patch $ patch -p1 < lighty-gssapi-r2505.patch patching file src/http_auth.c Hunk #2 succeeded at 1248 (offset 8 lines). patching file src/http_auth.h patching file src/keyvalue.h patching file src/mod_auth.c $ ./autogen.sh $ ./configure $ make install
Updated by GrayTShirt about 5 years ago
I updated this patch to work with 1.4.32. I've been testing in my Gentoo Overlay
Updated by stbuehler about 5 years ago
- Missing in 1.5.x set to No
white-space changes, changed configure option name, C99 comments (//), mixed tabs/spaces for indent in c source - not good to get stuff merged.
But the main problem is that I don't like adding another 1000 lines to mod_auth; I'd be more open to add a new module instead (LDAP should have been put in a separate module too).
Updated by gstrauss over 2 years ago
Dan (@GrayTShirt): I took a look at https://github.com/GrayTShirt/phoenix-overlay/tree/master/www-servers/lighttpd/files/
A couple of those patches have been (at least partially) fixed in lighttpd.
The Kerberos/GSSAPI delegation support needs to be reworked to be a separate module from mod_auth (e.g. mod_auth_gssapi to more closely match the directive names). However, some infrastructure work needs to be done in lighttpd to have modules register themselves with mod_auth. Would you be willing to work on that with me?
Also available in: Atom