Apache modules compatible with kerberos in 1.7b

Wyllys Ingersoll wyllys.ingersoll at sun.com
Fri Mar 26 14:42:14 EST 2004


Nikola Milutinovic wrote:
> Wyllys Ingersoll wrote:
> 
>> Travis Crawford wrote:
>>
>>> What Apache module(s) are compatible with the Kerberos implementation
>>> in Mozilla 1.7b? A couple modules are available: mod_auth_kerb and
>>> mod_auth_gss_krb5.
>>>
>>> So far I set up mod_auth_kerb and can login by entering my username
>>> and password in the browser, but it's not automatic. I haven't tried
>>> mod_auth_gss_krb5 because it seems a bit rough around the edges.
>>> What's the recommended way to configure your Apache web server for
>>> Kerberos authentication through Mozilla? Thanks.
> 
> 
> Any comment on these various modules?
> 
> I ran into Kerberos Mods for Apache, but they were not using 
> HTTP/NEGOTIATE, but HTTP/BASIC and Apache was acting as a Kerberos 
> client, not server. The one that lets Apache act as a server and browser 
> act like a Kerberos client, is mod_negotiate. It is for MIT Kerberos and 
> I'm taking some time converting it to Heimdal.

Any module that just has the server authenticating on behalf of the
client and involves sending name/password over the wire with Basic auth
is just not very interesting (at least to me).

Also, as far as I can tell "mod_negotiate" is used for negotiating
some sort of HTML content, it's not related to authentication negotiation
at all.  Perhaps I didn't find the right module though.

Daniel Kouril's mod_auth_kerb is a pretty good implementation and
does the "right thing" w.r.t using GSSAPI authentication correctly.
It does have a fallback scenario where it will use Basic auth
to then request tickets on behalf of the client, but that can be
removed easily enough.

-Wyllys
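
An added example, not part of the original message or of mod_auth_kerb: one way to confirm from the outside that a server's Basic fallback has really been removed is to read the WWW-Authenticate challenges in its 401 response. The function names and the sample header values are constructed for illustration.

```python
import re

# HTTP "token" characters (RFC 9110); a challenge starts with a scheme token.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# An element opens a new challenge unless its first token is followed by "="
# (that form is an auth-param such as realm="..." of the previous challenge).
_NEW_CHALLENGE = re.compile(r"(" + _TOKEN + r")(?=\s+[^=\s]|\s*$)")

def split_outside_quotes(value):
    """Split a header value on commas that are not inside a quoted-string."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in value:
        if escaped:
            escaped = False
        elif quoted and ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def offered_schemes(header_values):
    """Lower-cased auth schemes offered across all WWW-Authenticate values."""
    schemes = []
    for value in header_values:
        for element in split_outside_quotes(value):
            match = _NEW_CHALLENGE.match(element)
            if match:
                schemes.append(match.group(1).lower())
    return schemes

def fallback_verdict(header_values):
    """Classify a 401 response by whether a password path is still offered."""
    schemes = offered_schemes(header_values)
    if "basic" in schemes:
        return "negotiate with basic fallback" if "negotiate" in schemes else "basic only"
    return "negotiate only" if "negotiate" in schemes else "neither"

# Constructed sample header values (not captured from any real server).
SAMPLES = {
    "fallback": ["Negotiate", 'Basic realm="EXAMPLE.COM"'],
    "combined": ['Negotiate, Basic realm="Kerberos, Login", charset="UTF-8"'],
    "gss_only": ["Negotiate"],
}
```

Any verdict other than "negotiate only" means a browser that cannot complete GSSAPI may still be prompted to send a name and password to the server.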

