Feature #1899

Kerberos/GSSAPI Delegation Support

Added by presbrey almost 11 years ago. Updated over 3 years ago.

Status: Fixed
Priority: Normal
Assignee: -
Category: mod_auth
Target version:
Start date: 2009-02-12
Due date:
% Done: 100%
Estimated time:
Missing in 1.5.x: No

Description

This patch set adds Kerberos/GSSAPI authentication and delegation support to lighttpd trunk r2393. This allows lighttpd to accept a user's tickets and act on their principal's behalf.

Features:

  • SPNEGO/Negotiate ticket delegation
  • KRB5CCNAME environment propagation (to mod_cgi, mod_proxy_core, etc)
  • tested with MIT Kerberos 5 v1.6.3
  • multi-homed server principal support

Example Configuration:

auth.backend = "gssapi"
auth.backend.gssapi.principal = "HTTP"
auth.backend.gssapi.keytab = "/etc/lighttpd/keytab"
auth.require = ( "/" => ( "method" => "gssapi", "realm" => "ATHENA.MIT.EDU", "require" => "valid-user"))

Note: you must enable "Negotiate" authentication and delegation in your browser or client for this to work. For example, Firefox requires two variables to be set: network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris.

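Because the patch hands the delegated ticket cache to CGI programs through KRB5CCNAME, a server-side CGI should confirm that the cache it is about to use is private before acting on the remote user's behalf. The following check is an added example, not part of this patch or of lighttpd; it assumes a POSIX host and a FILE-type cache, and the names parse_ccache_name, check_delegated_ccache and demo are its own.

```python
import os
import stat
import tempfile

def parse_ccache_name(value):
    """Split a KRB5CCNAME value into (type, residual); a bare path means FILE."""
    if not value.startswith("/") and ":" in value:
        ctype, residual = value.split(":", 1)
        return ctype.upper(), residual
    return "FILE", value

def check_delegated_ccache(env, expected_uid=None):
    """Return (ok, reason) for the ticket cache named by env['KRB5CCNAME'].

    Only a regular file owned by this process (or expected_uid) and closed to
    group/other is accepted: any local user who can read the delegated cache
    can act as the remote user for as long as the tickets are valid."""
    name = env.get("KRB5CCNAME")
    if not name:
        return False, "no KRB5CCNAME in environment (no credentials delegated)"
    ctype, path = parse_ccache_name(name)
    if ctype != "FILE":
        # assumption: only FILE caches are handled here; other types are refused
        return False, f"ccache type {ctype}: only FILE caches are checked here"
    try:
        st = os.lstat(path)  # lstat so a symlink is seen as a symlink
    except OSError as exc:
        return False, f"cannot stat {path}: {exc.strerror}"
    if stat.S_ISLNK(st.st_mode):
        return False, f"{path} is a symlink"
    if not stat.S_ISREG(st.st_mode):
        return False, f"{path} is not a regular file"
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return False, f"{path} is group/world accessible (mode {stat.S_IMODE(st.st_mode):04o})"
    uid = os.getuid() if expected_uid is None else expected_uid
    if st.st_uid != uid:
        return False, f"{path} is owned by uid {st.st_uid}, expected {uid}"
    return True, f"using delegated credentials from {path}"

def demo():
    """Constructed scenario: a 0600 cache passes, the same file at 0644 fails."""
    fd, path = tempfile.mkstemp(prefix="krb5cc_")  # mkstemp creates the file 0600
    os.close(fd)
    try:
        private_ok = check_delegated_ccache({"KRB5CCNAME": "FILE:" + path})[0]
        os.chmod(path, 0o644)
        exposed_ok = check_delegated_ccache({"KRB5CCNAME": path})[0]
    finally:
        os.unlink(path)
    return private_ok, exposed_ok
```

In a CGI the environment to pass is os.environ; a False result should end the request rather than fall back to the server's own keytab credentials.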

Files

lighty-gssapi-1.5_presbrey.patch (17.2 KB), Main GSSAPI patch, presbrey, 2009-02-12 23:35
lighty-fixes-1.5_presbrey.patch (1.14 KB), Misc fixes to trunk, presbrey, 2009-02-12 23:35
lighty-gssapi-r2476.patch (28.4 KB), presbrey, 2009-04-27 14:47
lighty-gssapi-r2505.patch (28.9 KB), presbrey, 2009-07-14 14:54

#1

Updated by presbrey over 10 years ago

Attached is an updated patch additionally supporting authentication by Kerberos password. When enabled, credentials are requested via Basic Authentication supplementing GSSAPI/Negotiate. This option is disabled by default. Please use SSL when accepting authentication credentials! :)

Example:

auth.backend.gssapi.passwd = "enable"

Output:

$ curl -v https://localhost
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Negotiate
< WWW-Authenticate: Basic realm="Kerberos"
< Server: lighttpd/1.5.0

Other Notes

This feature is based heavily on Apache mod_auth_kerb's KrbMethodK5Passwd directive. KDC verification against local keytab (KrbVerifyKDC) is ALWAYS performed.

#2

Updated by presbrey over 10 years ago

Attached patch to r2505, tested compatible through latest trunk (r2585).

#3

Updated by Clicky over 9 years ago

Any progress on this? This says that 100% of the work has been done (for more than a year!). And yet, I could not find that auth module in a single release so far. :(

#4

Updated by presbrey over 9 years ago

This feature is completed for lighttpd 1.5 but there aren't yet any 1.5 releases. Here's how to patch and install your own lighttpd 1.5:

$ svn co svn://svn.lighttpd.net/lighttpd/trunk
 U   trunk
Checked out revision 2769.
$ cd trunk
$ wget http://redmine.lighttpd.net/attachments/download/963/lighty-gssapi-r2505.patch
$ patch -p1 < lighty-gssapi-r2505.patch
patching file src/http_auth.c
Hunk #2 succeeded at 1248 (offset 8 lines).
patching file src/http_auth.h
patching file src/keyvalue.h
patching file src/mod_auth.c
$ ./autogen.sh
$ ./configure
$ make install

#5

Updated by GrayTShirt over 6 years ago

I updated this patch to work with 1.4.32. I've been testing in my Gentoo Overlay
https://raw.github.com/GrayTShirt/phoenix-overlay/master/www-servers/lighttpd/files/lighttpd-1.4.32-gssapi.patch

#6

Updated by stbuehler over 6 years ago

  • Missing in 1.5.x set to No

white-space changes, changed configure option name, C99 comments (//), mixed tabs/spaces for indent in c source - not good to get stuff merged.

But the main problem is that I don't like adding another 1000 lines to mod_auth; I'd be more open to add a new module instead (LDAP should have been put in a separate module too).

#7

Updated by GrayTShirt over 6 years ago

Thanks for the feedback. I'll clean it up and see what I can do about splitting ldap and kerb into their own modules.

#8

Updated by stbuehler over 6 years ago

Don't split ldap... too late for that now :) 1.4.x is the stable series; adding a new module shouldn't break anything, but splitting a module would be a bad idea.

#9

Updated by GrayTShirt over 6 years ago

Hmmm, point taken, I won't split ldap.

#10

Updated by gstrauss over 3 years ago

Dan (GrayTShirt): I took a look at https://github.com/GrayTShirt/phoenix-overlay/tree/master/www-servers/lighttpd/files/
A couple of those patches have been (at least partially) fixed in lighttpd.

The Kerberos/GSSAPI delegation support needs to be reworked to be a separate module from mod_auth (e.g. mod_auth_gssapi to more closely match the directive names). However, some infrastructure work needs to be done in lighttpd to have modules register themselves with mod_auth. Would you be willing to work on that with me?

#11

Updated by gstrauss over 3 years ago

4b3a91e6 creates an extensible interface for auth backends, so mod_authn_gssapi.c should now be more straightforward to write.

#12

Updated by gstrauss over 3 years ago

  • Status changed from New to Patch Pending
  • Target version set to 1.4.42

Note: mod_authn_gssapi is experimental and needs further review and testing. YMMV.

#13

Updated by gstrauss over 3 years ago

  • Status changed from Patch Pending to Fixed
