Feature #1899
closedKerberos/GSSAPI Delegation Support
Description
This patch set adds Kerberos/GSSAPI authentication and delegation support to lighttpd trunk r2393. This allows lighttpd to accept a user's tickets and act on their principal's behalf.
Features:¶
- SPNEGO/Negotiate ticket delegation
- KRB5CCNAME environment propagation (to mod_cgi, mod_proxy_core, etc)
- tested with MIT Kerberos 5 v1.6.3
- multi-homed server principal support
Example Configuration:¶
auth.backend = "gssapi" auth.backend.gssapi.principal = "HTTP" auth.backend.gssapi.keytab = "/etc/lighttpd/keytab" auth.require = ( "/" => ( "method" => "gssapi", "realm" => "ATHENA.MIT.EDU", "require" => "valid-user"))
Note: you must enable "Negotiate" authentication and delegation in your browser or client for this to work. For example, Firefox requires two variables be set: network.negotiate-auth.delegation-uris
and network.negotiate-auth.trusted-uris
.
Files
Updated by presbrey over 15 years ago
Attached is an updated patch additionally supporting authentication by Kerberos password. When enabled, credentials are requested via Basic Authentication supplementing GSSAPI/Negotiate. This option is disabled by default. Please use SSL when accepting authentication credentials! :)
Example:¶
auth.backend.gssapi.passwd = "enable"
Output:
$ curl -v https://localhost < HTTP/1.1 401 Unauthorized < WWW-Authenticate: Negotiate < WWW-Authenticate: Basic realm="Kerberos" < Server: lighttpd/1.5.0
Other Notes¶
This feature is based heavily on Apache mod_auth_kerb's KrbMethodK5Passwd directive. KDC verification against local keytab (KrbVerifyKDC) is ALWAYS performed.
Updated by presbrey over 15 years ago
Attached patch to r2505, tested compatible through latest trunk (r2585).
Updated by Clicky over 14 years ago
Any progress on this? This says that 100% of the work has been done (for more than a year!). And yet, I could not find that auth module in a single release so far. :(
Updated by presbrey over 14 years ago
This feature is completed for lighttpd 1.5 but there aren't yet any 1.5 releases. Here's how to patch and install your own lighttpd 1.5:
$ svn co svn://svn.lighttpd.net/lighttpd/trunk U trunk Checked out revision 2769. $ cd trunk $ wget http://redmine.lighttpd.net/attachments/download/963/lighty-gssapi-r2505.patch $ patch -p1 < lighty-gssapi-r2505.patch patching file src/http_auth.c Hunk #2 succeeded at 1248 (offset 8 lines). patching file src/http_auth.h patching file src/keyvalue.h patching file src/mod_auth.c $ ./autogen.sh $ ./configure $ make install
Updated by GrayTShirt over 11 years ago
I updated this patch to work with 1.4.32. I've been testing in my Gentoo Overlay
https://raw.github.com/GrayTShirt/phoenix-overlay/master/www-servers/lighttpd/files/lighttpd-1.4.32-gssapi.patch
Updated by stbuehler over 11 years ago
- Missing in 1.5.x set to No
white-space changes, changed configure option name, C99 comments (//), mixed tabs/spaces for indent in c source - not good to get stuff merged.
But the main problem is that I don't like adding another 1000 lines to mod_auth; I'd be more open to add a new module instead (LDAP should have been put in a separate module too).
Updated by GrayTShirt over 11 years ago
Thanks for the feedback. I'll clean it up and see what I can do about splitting ldap and kerb into their own modules.
Updated by stbuehler over 11 years ago
Don't split ldap... too late for that now :) 1.4.x is the stable series; adding a new module shouldn't break anything, but splitting a module would be a bad idea.
Updated by gstrauss over 8 years ago
Dan (@GrayTShirt): I took a look at https://github.com/GrayTShirt/phoenix-overlay/tree/master/www-servers/lighttpd/files/
A couple of those patches have been (at least partially) fixed in lighttpd.
The Kerberos/GSSAPI delegation support needs to be reworked to be a separate module from mod_auth (e.g. mod_auth_gssapi to more closely match the directive names). However, some infrastructure work needs to be done in lighttpd to have modules register themselves with mod_auth. Would you be willing to work on that with me?
Updated by gstrauss over 8 years ago
4b3a91e6 creates an extensible interface for auth backends, so mod_authn_gssapi.c should now be more straightforward to write.
Updated by gstrauss about 8 years ago
- Status changed from New to Patch Pending
- Target version set to 1.4.42
Note: mod_authn_gssapi is experimental and needs further review and testing. YMMV.
Updated by gstrauss about 8 years ago
- Status changed from Patch Pending to Fixed
Applied in changeset 1c1a63786eebd509674e445a0db3307ffa3e284c.
Also available in: Atom