Feature #1899


Kerberos/GSSAPI Delegation Support

Added by presbrey over 15 years ago. Updated almost 8 years ago.

Target version:


This patch set adds Kerberos/GSSAPI authentication and delegation support to lighttpd trunk r2393. This allows lighttpd to accept a user's tickets and act on their principal's behalf.


  • SPNEGO/Negotiate ticket delegation
  • KRB5CCNAME environment propagation (to mod_cgi, mod_proxy_core, etc)
  • tested with MIT Kerberos 5 v1.6.3
  • multi-homed server principal support

Example Configuration:

auth.backend = "gssapi" 
auth.backend.gssapi.principal = "HTTP" 
auth.backend.gssapi.keytab = "/etc/lighttpd/keytab" 
auth.require = ( "/" => ( "method" => "gssapi", "realm" => "ATHENA.MIT.EDU", "require" => "valid-user"))

Note: you must enable "Negotiate" authentication and delegation in your browser or client for this to work. For example, Firefox requires two variables be set: network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris.


lighty-gssapi-1.5_presbrey.patch (17.2 KB) lighty-gssapi-1.5_presbrey.patch Main GSSAPI patch presbrey, 2009-02-12 23:35
lighty-fixes-1.5_presbrey.patch (1.14 KB) lighty-fixes-1.5_presbrey.patch Misc fixes to trunk presbrey, 2009-02-12 23:35
lighty-gssapi-r2476.patch (28.4 KB) lighty-gssapi-r2476.patch presbrey, 2009-04-27 14:47
lighty-gssapi-r2505.patch (28.9 KB) lighty-gssapi-r2505.patch presbrey, 2009-07-14 14:54
Actions #1

Updated by presbrey about 15 years ago

Attached is an updated patch additionally supporting authentication by Kerberos password. When enabled, credentials are requested via Basic Authentication supplementing GSSAPI/Negotiate. This option is disabled by default. Please use SSL when accepting authentication credentials! :)


auth.backend.gssapi.passwd = "enable"


$ curl -v https://localhost
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Negotiate
< WWW-Authenticate: Basic realm="Kerberos" 
< Server: lighttpd/1.5.0

Other Notes

This feature is based heavily on Apache mod_auth_kerb's KrbMethodK5Passwd directive. KDC verification against local keytab (KrbVerifyKDC) is ALWAYS performed.

Actions #2

Updated by presbrey about 15 years ago

Attached patch to r2505, tested compatible through latest trunk (r2585).

Actions #3

Updated by Clicky almost 14 years ago

Any progress on this? This says that 100% of the work has been done (for more than a year!). And yet, I could not find that auth module in a single release so far. :(

Actions #4

Updated by presbrey almost 14 years ago

This feature is completed for lighttpd 1.5 but there aren't yet any 1.5 releases. Here's how to patch and install your own lighttpd 1.5:

$ svn co svn://
 U   trunk
Checked out revision 2769.
$ cd trunk
$ wget
$ patch -p1 < lighty-gssapi-r2505.patch 
patching file src/http_auth.c
Hunk #2 succeeded at 1248 (offset 8 lines).
patching file src/http_auth.h
patching file src/keyvalue.h
patching file src/mod_auth.c
$ ./
$ ./configure
$ make install
Actions #5

Updated by GrayTShirt almost 11 years ago

I updated this patch to work with 1.4.32. I've been testing in my Gentoo Overlay

Actions #6

Updated by stbuehler almost 11 years ago

  • Missing in 1.5.x set to No

white-space changes, changed configure option name, C99 comments (//), mixed tabs/spaces for indent in c source - not good to get stuff merged.

But the main problem is that I don't like adding another 1000 lines to mod_auth; I'd be more open to add a new module instead (LDAP should have been put in a separate module too).

Actions #7

Updated by GrayTShirt almost 11 years ago

Thanks for the feedback. I'll clean it up and see what I can do about splitting ldap and kerb into their own modules.

Actions #8

Updated by stbuehler almost 11 years ago

Don't split ldap... too late for that now :) 1.4.x is the stable series; adding a new module shouldn't break anything, but splitting a module would be a bad idea.

Actions #9

Updated by GrayTShirt almost 11 years ago

Hmmm, point taken, I won't split ldap.

Actions #10

Updated by gstrauss about 8 years ago

Dan (@GrayTShirt): I took a look at
A couple of those patches have been (at least partially) fixed in lighttpd.

The Kerberos/GSSAPI delegation support needs to be reworked to be a separate module from mod_auth (e.g. mod_auth_gssapi to more closely match the directive names). However, some infrastructure work needs to be done in lighttpd to have modules register themselves with mod_auth. Would you be willing to work on that with me?

Actions #11

Updated by gstrauss almost 8 years ago

4b3a91e6 creates an extensible interface for auth backends, so mod_authn_gssapi.c should now be more straightforward to write.

Actions #12

Updated by gstrauss almost 8 years ago

  • Status changed from New to Patch Pending
  • Target version set to 1.4.42

Note: mod_authn_gssapi is experimental and needs further review and testing. YMMV.

Actions #13

Updated by gstrauss almost 8 years ago

  • Status changed from Patch Pending to Fixed

Also available in: Atom