SPNEGO APIs and Apache modules

Daniel Kouril kouril at ics.muni.cz
Mon Sep 8 09:30:05 EDT 2003


Frank Balluffi wrote:
> Markus Moeller and I have made SPNEGO C APIs and Apache modules 
> available at https://sourceforge.net/projects/modgssapache/. The project 
> contains three packages:
> 
> fbopenssl
> mod_spnego
> modgssapache
> 
> fbopenssl (for lack of a better name) is a library of extensions to 
> OpenSSL, including APIs for GSS-API and SPNEGO ASN.1 messages (or PDUs). 
> fbopenssl has been tested on Linux, Microsoft Windows and Sun Solaris. 
> fbopenssl still needs to be tested for memory leaks using a tool like 
> Purify.
> 
> mod_spnego is an Apache 2.0 SPNEGO module that supports Kerberos 
> authentication and user-level authorization. mod_spnego uses fbopenssl, 
> MIT GSS-API and OpenSSL. mod_spnego has been tested on Linux, Microsoft 
> Windows and Sun Solaris using Microsoft Internet Explorer 6.0. 
> Currently, mod_spnego does not support Apache 1.3 and group-level 
> authorization.
> 
> modgssapache is a modified version of the Apache 1.3 GSS-API module 
> located at http://meta.cesnet.cz/software/heimdal/negotiate.en.html. 
> This version has been modified to support SPNEGO using open-source 
> SPNEGO APIs from Microsoft. modgssapache has been tested on Linux and 
> Sun Solaris.

FYI, the current release (published today) of the modauthkerb module
available from http://sourceforge.net/projects/modauthkerb also supports
the Negotiate method compatible with the Microsoft products. This
module supports both the MIT and Heimdal implementations of Krb5, and allows
verification of passwords against krb5 and krb4 KDCs. The module
supports both Apache 1.3 and 2.0.

The SPNEGO routines are mainly based on code from the Heimdal developers 
and don't depend on any additional libs (such as openssl). These 
routines are part of a full SPNEGO implementation I'm just finishing 
(I'm using the krb5 and GSI GSS-API libs for testing).

I'm also preparing SPNEGO support for the Mozilla Kerberos "plugin",
available from negotiateauth.mozdev.org, so that it can use the
Negotiate method against Apache or IIS.

--
Dan


