Kerberos/GSSAPI Delegation Support
This patch set adds Kerberos/GSSAPI authentication and delegation support to lighttpd trunk r2393. This allows lighttpd to accept a user's tickets and act on their principal's behalf.
- SPNEGO/Negotiate ticket delegation
- KRB5CCNAME environment propagation (to mod_cgi, mod_proxy_core, etc)
- tested with MIT Kerberos 5 v1.6.3
- multi-homed server principal support
auth.backend = "gssapi"
auth.backend.gssapi.principal = "HTTP"
auth.backend.gssapi.keytab = "/etc/lighttpd/keytab"
auth.require = ( "/" => ( "method" => "gssapi", "realm" => "ATHENA.MIT.EDU", "require" => "valid-user"))
Note: you must enable "Negotiate" authentication and delegation in your browser or client for this to work. For example, Firefox requires two variables be set:
Updated by presbrey over 10 years ago
Attached is an updated patch additionally supporting authentication by Kerberos password. When enabled, credentials are requested via Basic Authentication supplementing GSSAPI/Negotiate. This option is disabled by default. Please use SSL when accepting authentication credentials! :)
auth.backend.gssapi.passwd = "enable"
$ curl -v https://localhost
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Negotiate
< WWW-Authenticate: Basic realm="Kerberos"
< Server: lighttpd/1.5.0
This feature is based heavily on Apache mod_auth_kerb's KrbMethodK5Passwd directive. KDC verification against local keytab (KrbVerifyKDC) is ALWAYS performed.
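Added example, not part of the patch or of this thread: a small Python check that reads the scalar directives used above, flags the Kerberos-password (Basic) fallback when lighttpd's `ssl.engine` is not enabled, and extracts the schemes offered in a 401 response like the curl output. The config fragment and the response are constructed from the values in this thread.

```python
import re

# Constructed lighttpd.conf fragment using the directives from this patch set.
SAMPLE_CONF = """
auth.backend = "gssapi"
auth.backend.gssapi.principal = "HTTP"
auth.backend.gssapi.keytab = "/etc/lighttpd/keytab"
auth.backend.gssapi.passwd = "enable"   # Basic fallback: password goes over the wire
auth.require = ( "/" => ( "method" => "gssapi", "realm" => "ATHENA.MIT.EDU", "require" => "valid-user"))
"""

# Constructed 401 response modelled on the curl -v output in this thread.
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    'WWW-Authenticate: Basic realm="Kerberos"\r\n'
    "Server: lighttpd/1.5.0\r\n\r\n"
)

# Matches simple  key = "value"  lines; nested ( ... ) blocks are left alone.
ASSIGN_RE = re.compile(r'^\s*([\w.\-]+)\s*=\s*"([^"]*)"\s*$')


def parse_scalars(conf: str) -> dict:
    """Collect plain key = "value" assignments, ignoring comments and blocks."""
    out = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0]
        m = ASSIGN_RE.match(line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def check_gssapi_conf(conf: str) -> list:
    """Return findings for a gssapi auth config; empty list means nothing flagged."""
    kv = parse_scalars(conf)
    findings = []
    if kv.get("auth.backend") != "gssapi":
        return findings
    if kv.get("auth.backend.gssapi.passwd") == "enable" and kv.get("ssl.engine") != "enable":
        findings.append("password fallback enabled without ssl.engine: Basic credentials sent in clear")
    return findings


def parse_challenges(response: str) -> list:
    """Return the auth schemes offered in WWW-Authenticate headers of a raw response."""
    schemes = []
    for line in response.splitlines():
        if line.lower().startswith("www-authenticate:"):
            schemes.append(line.split(":", 1)[1].strip().split()[0])
    return schemes
```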
Updated by presbrey over 9 years ago
This feature is completed for lighttpd 1.5 but there aren't yet any 1.5 releases. Here's how to patch and install your own lighttpd 1.5:
$ svn co svn://svn.lighttpd.net/lighttpd/trunk
U trunk
Checked out revision 2769.
$ cd trunk
$ wget http://redmine.lighttpd.net/attachments/download/963/lighty-gssapi-r2505.patch
$ patch -p1 < lighty-gssapi-r2505.patch
patching file src/http_auth.c
Hunk #2 succeeded at 1248 (offset 8 lines).
patching file src/http_auth.h
patching file src/keyvalue.h
patching file src/mod_auth.c
$ ./autogen.sh
$ ./configure
$ make install
Updated by GrayTShirt over 6 years ago
I updated this patch to work with 1.4.32. I've been testing in my Gentoo Overlay.
Updated by stbuehler over 6 years ago
- Missing in 1.5.x set to No
White-space changes, changed configure option name, C99 comments (//), mixed tabs/spaces for indent in C source - not good to get stuff merged.
But the main problem is that I don't like adding another 1000 lines to mod_auth; I'd be more open to add a new module instead (LDAP should have been put in a separate module too).
Updated by gstrauss over 3 years ago
Dan (GrayTShirt): I took a look at https://github.com/GrayTShirt/phoenix-overlay/tree/master/www-servers/lighttpd/files/
A couple of those patches have been (at least partially) fixed in lighttpd.
The Kerberos/GSSAPI delegation support needs to be reworked to be a separate module from mod_auth (e.g. mod_auth_gssapi to more closely match the directive names). However, some infrastructure work needs to be done in lighttpd to have modules register themselves with mod_auth. Would you be willing to work on that with me?