Configuring Kerberos for Solaris

Wyllys Ingersoll wyllys.ingersoll at sun.com
Tue Mar 25 11:15:52 EST 2003


Adams, Ann (A.M.) wrote:
> Ok,
> 
> I have to ask, does SUN have a kerberized httpd?

No, the person who posed the question was trying to configure Apache to use
PAM to perform the authentication via Kerberos. This is NOT the same
as having a truly "Kerberized" http daemon.

Having "proper" Kerberos (or GSSAPI) authentication to the web server requires
a browser which also supports the authentication protocol and currently, as far as I
know, only Microsoft's IE supports native GSSAPI authentication and it only works
when talking to an IIS web server.

-Wyllys

> I thought they only had the standard network services.  I have not seen a reference by either
> SUN, HP, or MIT to a kerberized httpd. Has SUN done any development on web
> authentication via Kerberos?
> 
> I was looking around some of the university sites to see if there was a kerberized web authentication modules available for testing.  My impression was that they had been written but nothing publicly available to test.  
> 
> Dartmouth had publicly available a Kerberos IV module, but I didn't see anything for Kerberos V.  CUSSP is a perl5 module from Cornell University that is referenced below.  Both of these are well documented and clear, but it doesn't appear to continue into the Kerberos V environment.
> 
>  excerpt from Dartmouth web site below:....
> 		Kerberos authentication can be invoked from a CGI script.
> 		There are Perl interfaces to do this. 
> 		The example below shows a CGI that authenticates the user,
> 		 then displays the name(s) and information from the
> 		 ticket(s) that were generated.
> 
> 		In Perl, you can use the GetK4Ticket function to validate a user.
> 		This function is defined in the CUSSP library.
> 
> 		GetK4Ticket is defined as:
> 		($rc, $em, %tckt) = CUSSP::GetK4Ticket("WWW-agent",
> 		 "WWW", $cgi->remote_addr(), undef, $ENV{'REMOTE_PORT'}); 
> 
> 
> If anything I have stated is incorrect, I request correction.  If there are other resources I should be looking at please indicate.
>
> 
> regards,
> Ann Adams
> Computer Architect/SIE
> Ford Motor Company
> 
> 
> 
> -----Original Message-----
> From: Wyllys Ingersoll [mailto:wyllys.ingersoll at sun.com]
> Sent: Monday, March 24, 2003 7:50 PM
> To: Ganesh
> Cc: kerberos at mit.edu
> Subject: Re: Configuring kerberos for Solaris
> 
> 
> Ganesh wrote:
> 
>>I'm trying to configure Kerberos, to authenticate the
>>users through the Web. I've successfully compiled
>>mod_auth_pam.c on Solaris 8 and am able to authenticate
>>the users, if I use pam_unix.so.1 in my pam.conf file.
>>But if I try to authenticate by using pam_krb5.so.1
>>it fails.
>>
>>I'm using the pam_krb5.so.1 which is shipped along with Solaris 2.8.
> 
> 
> If you are using the pam_krb5 that shipped with Solaris 2.8 then you
> also need to be using the SEAM package for Solaris 8 (free download
> from www.sun.com).   If you go that route, I recommend making sure
> you have all the latest pam_krb5 and SEAM related patches.
> 
> If you are determined to stick with the MIT Kerberos libraries and not
> use the Solaris Kerberos stuff, then you should probably get a different
> pam_krb5 module (http://www.fcusack.com is one such module).
> 
> -Wyllys
> 
> 
>>A snapshot of my pam.conf file :
>>
>># The commented line works fine
>>#
>>httpd   auth sufficient   /usr/lib/security/$ISA/pam_krb5.so.1
>>#httpd   auth required   /usr/lib/security/$ISA/pam_unix.so.1
>>
>>httpd   account  sufficient     /usr/lib/security/$ISA/pam_krb5.so.1
>>#httpd   account required       /usr/lib/security/$ISA/pam_unix.so.1
>>
>>My /etc/krb5/krb5.conf file ..
>>
>>[libdefaults]
>>   default_realm = INDIA.HP.COM
>>   default_tkt_enctypes = DES-CBC-CRC
>>   default_tgs_enctypes = DES-CBC-CRC
>>   ccache_type = 2
>>
>>[realms]
>>   INDIA.HP.COM = {
>>      kdc = nt40239.india.hp.com:88
>>      admin_server = nt40239.india.hp.com:749
>>      default_domain = india.hp.com
>>}
>>
>>[domain_realm]
>> .india.hp.com = INDIA.HP.COM
>> india.hp.com = INDIA.HP.COM
>>
>>[logging]
>>        kdc = FILE:/var/log/krb5kdc.log
>>        admin_server = FILE:/var/log/kadmin.log
>>        default = FILE:/var/log/krb5lib.log
>>
>>I've also updated the /etc/services file to look into my
>>KDC server.
>>
>>My KDC server (Linux server) is up and running as I'm
>>able to authenticate the users, with the same KDC if
>>the client is an HP-UX m/c.
>>
>>Do I have to make any changes in my krb5.conf file or
>>do I have to rebuild the pam_krb5.so file? Please give your
>>inputs!
>>
>>TIA,
>>Ganesh.
>>________________________________________________
>>Kerberos mailing list           Kerberos at mit.edu
>>https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 
> 
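The krb5.conf Ganesh posted is the kind of file that is worth sanity-checking before concluding that pam_krb5 itself is broken. The following Python checker is an added example, not part of this thread or of any Sun, MIT or Apache code. It parses the INI-style [section] / key = value layout of krb5.conf (including the nested `REALM = { ... }` blocks under [realms]), verifies that default_realm, [realms] and [domain_realm] agree with each other, and flags single-DES enctypes such as the DES-CBC-CRC used in the posted file; single DES has since been deprecated for Kerberos by RFC 6649. The sample config is the one quoted in the thread, embedded inline so the check runs offline; the function names and the list of weak enctypes are this example's own choices.

```python
"""Sanity-check a krb5.conf of the shape posted in the thread.

Added example, not part of the original mailing-list message.
"""
import re

# Constructed sample: the krb5.conf quoted in the thread, reproduced here
# as inline text so the check runs offline.
SAMPLE_KRB5_CONF = """\
[libdefaults]
   default_realm = INDIA.HP.COM
   default_tkt_enctypes = DES-CBC-CRC
   default_tgs_enctypes = DES-CBC-CRC
   ccache_type = 2

[realms]
   INDIA.HP.COM = {
      kdc = nt40239.india.hp.com:88
      admin_server = nt40239.india.hp.com:749
      default_domain = india.hp.com
}

[domain_realm]
 .india.hp.com = INDIA.HP.COM
 india.hp.com = INDIA.HP.COM
"""

# Single-DES enctypes, deprecated for Kerberos by RFC 6649 (example's own list).
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-cbc-raw"}


def parse_krb5_conf(text):
    """Return {section: {key: value-or-subdict}} for a krb5.conf body."""
    conf = {}
    section = None
    block = None  # name of the current `NAME = {` sub-block, if any
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            conf.setdefault(section, {})
            block = None
            continue
        if section is None:
            raise ValueError("key/value before any [section]: %r" % raw)
        if line == "}":
            block = None
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)
        if m:
            block = m.group(1)
            conf[section][block] = {}
            continue
        key, _, value = line.partition("=")
        target = conf[section][block] if block else conf[section]
        target[key.strip()] = value.strip()
    return conf


def check_krb5_conf(conf):
    """Return a list of human-readable findings; an empty list means none."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    realms = conf.get("realms", {})
    default_realm = libdefaults.get("default_realm")
    # The default realm must exist under [realms] and name at least one KDC.
    if not default_realm:
        findings.append("libdefaults: no default_realm set")
    elif default_realm not in realms:
        findings.append("realms: default_realm %s has no [realms] entry" % default_realm)
    elif "kdc" not in realms[default_realm]:
        findings.append("realms: %s defines no kdc" % default_realm)
    # Flag deprecated single-DES enctypes wherever enctype lists are set.
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        for etype in libdefaults.get(key, "").replace(",", " ").split():
            if etype.lower() in WEAK_ENCTYPES:
                findings.append("libdefaults: %s uses deprecated single-DES enctype %s"
                                % (key, etype))
    # Every domain_realm mapping should point at a realm that is defined.
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append("domain_realm: %s maps to undefined realm %s" % (domain, realm))
    return findings


if __name__ == "__main__":
    for finding in check_krb5_conf(parse_krb5_conf(SAMPLE_KRB5_CONF)):
        print(finding)
```

Run against the posted file, the realm and domain mappings check out and the only findings are the two DES-CBC-CRC enctype lines; on a current KDC those enctypes would be refused outright, so they are the first thing to change rather than rebuilding pam_krb5.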