Feature #1899

closed

Kerberos/GSSAPI Delegation Support

Added by presbrey about 15 years ago. Updated over 7 years ago.

Status:
Fixed
Priority:
Normal
Category:
mod_auth
Target version:
ASK QUESTIONS IN Forums:

Description

This patch set adds Kerberos/GSSAPI authentication and delegation support to lighttpd trunk r2393. This allows lighttpd to accept a user's tickets and act on their principal's behalf.

Features:

  • SPNEGO/Negotiate ticket delegation
  • KRB5CCNAME environment propagation (to mod_cgi, mod_proxy_core, etc)
  • tested with MIT Kerberos 5 v1.6.3
  • multi-homed server principal support

Example Configuration:

auth.backend = "gssapi"
auth.backend.gssapi.principal = "HTTP"
auth.backend.gssapi.keytab = "/etc/lighttpd/keytab"
auth.require = ( "/" => ( "method" => "gssapi", "realm" => "ATHENA.MIT.EDU", "require" => "valid-user"))

Note: you must enable "Negotiate" authentication and delegation in your browser or client for this to work. For example, Firefox requires two variables be set: network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris.


Files

  • lighty-gssapi-1.5_presbrey.patch (17.2 KB), Main GSSAPI patch, presbrey, 2009-02-12 23:35
  • lighty-fixes-1.5_presbrey.patch (1.14 KB), Misc fixes to trunk, presbrey, 2009-02-12 23:35
  • lighty-gssapi-r2476.patch (28.4 KB), presbrey, 2009-04-27 14:47
  • lighty-gssapi-r2505.patch (28.9 KB), presbrey, 2009-07-14 14:54
Actions #1

Updated by presbrey almost 15 years ago

Attached is an updated patch additionally supporting authentication by Kerberos password. When enabled, credentials are requested via Basic Authentication supplementing GSSAPI/Negotiate. This option is disabled by default. Please use SSL when accepting authentication credentials! :)

Example:

auth.backend.gssapi.passwd = "enable"

Output:

$ curl -v https://localhost
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Negotiate
< WWW-Authenticate: Basic realm="Kerberos" 
< Server: lighttpd/1.5.0

Other Notes

This feature is based heavily on Apache mod_auth_kerb's KrbMethodK5Passwd directive. KDC verification against local keytab (KrbVerifyKDC) is ALWAYS performed.
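The 401 response above offers two challenges at once, "Negotiate" and "Basic realm=Kerberos", and the note about SSL applies to the second one only: Negotiate sends a ticket, Basic sends the Kerberos password itself. The following is an added example, not code from the patch or from lighttpd, showing the decision a Kerberos-aware client should make when it sees that response. It parses the WWW-Authenticate headers, prefers Negotiate when a ticket is available and the host is trusted, offers delegation only for hosts on a delegation list (a simplified suffix-match model of the Firefox network.negotiate-auth.trusted-uris and delegation-uris preferences mentioned in the description, which is an assumption), and accepts Basic only over https. The sample response lines are constructed from the curl output above.

```python
"""Client-side handling of a 401 that offers both Negotiate and Basic.

Constructed example (not from the lighttpd patch): parse the WWW-Authenticate
challenges, prefer Negotiate, gate delegation on a host list, and only ever
answer Basic (which carries the Kerberos password) over https.
"""
from urllib.parse import urlsplit

# Constructed sample: the response lines from the curl session above.
SAMPLE_401 = [
    "HTTP/1.1 401 Unauthorized",
    "WWW-Authenticate: Negotiate",
    'WWW-Authenticate: Basic realm="Kerberos"',
    "Server: lighttpd/1.5.0",
]


def parse_challenges(lines):
    """Return [(scheme, params)] for each WWW-Authenticate header, in order.

    Scheme names are case-insensitive (RFC 7235), so they are lower-cased;
    auth-params are split on ',' and surrounding quotes are stripped.
    """
    challenges = []
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "www-authenticate":
            continue
        scheme, _, rest = value.strip().partition(" ")
        params = {}
        for part in rest.split(","):
            key, eq, val = part.strip().partition("=")
            if eq:
                params[key.strip().lower()] = val.strip().strip('"')
        challenges.append((scheme.lower(), params))
    return challenges


def host_matches(url, uri_list):
    """Simplified model (assumption) of the Firefox *-uris preferences:
    the host must equal a comma-separated entry or be a subdomain of it.
    """
    host = (urlsplit(url).hostname or "").lower()
    for entry in uri_list.split(","):
        entry = entry.strip().lower().lstrip(".")
        if entry and (host == entry or host.endswith("." + entry)):
            return True
    return False


def choose_auth(url, lines, have_ticket, trusted_uris="", delegation_uris=""):
    """Decide how to answer the challenge: (scheme, delegate) or (None, False).

    - Negotiate is used when a ticket exists and the host is trusted; the
      password never leaves the client. Delegation (forwarding credentials so
      the server can act as the user) is only offered to delegation-uris hosts.
    - Basic is a fallback that transmits the Kerberos password, so it is only
      acceptable over https; over plain http the client refuses.
    """
    schemes = {s for s, _ in parse_challenges(lines)}
    if "negotiate" in schemes and have_ticket and host_matches(url, trusted_uris):
        return "negotiate", host_matches(url, delegation_uris)
    if "basic" in schemes and urlsplit(url).scheme.lower() == "https":
        return "basic", False
    return None, False


if __name__ == "__main__":
    print(choose_auth("https://localhost", SAMPLE_401, True, "localhost", "localhost"))
    print(choose_auth("http://localhost", SAMPLE_401, False))
```

The delegate flag is what the server-side KRB5CCNAME propagation in this patch depends on: without a delegable credential the backend CGI or proxied request has nothing to act with, and a client that delegates to every host that can present a Negotiate challenge hands its identity to any of them.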

Actions #2

Updated by presbrey over 14 years ago

Attached patch to r2505, tested compatible through latest trunk (r2585).

Actions #3

Updated by Clicky over 13 years ago

Any progress on this? This says that 100% of the work has been done (for more than a year!). And yet, I could not find that auth module in a single release so far. :(

Actions #4

Updated by presbrey over 13 years ago

This feature is completed for lighttpd 1.5 but there aren't yet any 1.5 releases. Here's how to patch and install your own lighttpd 1.5:

$ svn co svn://svn.lighttpd.net/lighttpd/trunk
 U   trunk
Checked out revision 2769.
$ cd trunk
$ wget http://redmine.lighttpd.net/attachments/download/963/lighty-gssapi-r2505.patch
$ patch -p1 < lighty-gssapi-r2505.patch 
patching file src/http_auth.c
Hunk #2 succeeded at 1248 (offset 8 lines).
patching file src/http_auth.h
patching file src/keyvalue.h
patching file src/mod_auth.c
$ ./autogen.sh
$ ./configure
$ make install
Actions #5

Updated by GrayTShirt over 10 years ago

I updated this patch to work with 1.4.32. I've been testing in my Gentoo Overlay
https://raw.github.com/GrayTShirt/phoenix-overlay/master/www-servers/lighttpd/files/lighttpd-1.4.32-gssapi.patch

Actions #6

Updated by stbuehler over 10 years ago

  • Missing in 1.5.x set to No

white-space changes, changed configure option name, C99 comments (//), mixed tabs/spaces for indent in c source - not good to get stuff merged.

But the main problem is that I don't like adding another 1000 lines to mod_auth; I'd be more open to add a new module instead (LDAP should have been put in a separate module too).

Actions #7

Updated by GrayTShirt over 10 years ago

Thanks for the feedback. I'll clean it up and see what I can do about splitting ldap and kerb into their own modules.

Actions #8

Updated by stbuehler over 10 years ago

Don't split ldap... too late for that now :) 1.4.x is the stable series; adding a new module shouldn't break anything, but splitting a module would be a bad idea.

Actions #9

Updated by GrayTShirt over 10 years ago

Hmmm, point taken, I won't split ldap.

Actions #10

Updated by gstrauss over 7 years ago

Dan (@GrayTShirt): I took a look at https://github.com/GrayTShirt/phoenix-overlay/tree/master/www-servers/lighttpd/files/
A couple of those patches have been (at least partially) fixed in lighttpd.

The Kerberos/GSSAPI delegation support needs to be reworked to be a separate module from mod_auth (e.g. mod_auth_gssapi to more closely match the directive names). However, some infrastructure work needs to be done in lighttpd to have modules register themselves with mod_auth. Would you be willing to work on that with me?

Actions #11

Updated by gstrauss over 7 years ago

4b3a91e6 creates an extensible interface for auth backends, so mod_authn_gssapi.c should now be more straightforward to write.

Actions #12

Updated by gstrauss over 7 years ago

  • Status changed from New to Patch Pending
  • Target version set to 1.4.42

Note: mod_authn_gssapi is experimental and needs further review and testing. YMMV.

Actions #13

Updated by gstrauss over 7 years ago

  • Status changed from Patch Pending to Fixed