How to kerberize Apache

Ido Levy IDOL at il.ibm.com
Thu Feb 21 09:33:03 EST 2008


Hello All,

Following my post to the list and the great help I got from the members cc'd on
this email, I would like to share the way to kerberize Apache.

Browser Settings

In my case it is firefox 2.0.0.9

Using the about:config utility of the Firefox browser I set the following
parameters:

network.negotiate-auth.delegation-uris = https://,http://
network.negotiate-auth.trusted-uris = https://,http://

Note: these settings are done per user; these parameters are considered
private.

Client Settings

The machine you log in to needs to be part of your Kerberos environment,
and the user must hold a TGT.

Web Server Settings

In my case it is httpd-2.2.3-11.el5 running on RHEL 5.1, 64-bit.

1) Create an HTTP service principal for the web server machine.
2) Create a keytab file containing the HTTP service principal and place the
   file under the web server configuration directory. Make sure the apache
   user has the right privileges for this file.
3) Compile the module mod_auth_kerb.
   Detailed instructions can be found at
   http://modauthkerb.sourceforge.net/configure.html
4) Load the module and set some basic configuration in the Apache
   configuration file

      /etc/httpd/conf/httpd.conf

            LoadModule auth_kerb_module modules/mod_auth_kerb.so


            Under the DocumentRoot directory, or any other directory you
would like to protect, set the following:

            <Directory "/var/www/html">

                  AuthType Kerberos
                  AuthName "Kerberos Login"
                  KrbAuthRealms <REALM>
                  KrbServiceName HTTP
                  Krb5Keytab /etc/httpd/conf.d/krb5.http
                  KrbMethodK5Passwd on
                  KrbSaveCredentials on
                  require valid-user

                  AllowOverride All AuthConfig
                  Order allow,deny
                  Allow from all
            </Directory>

5) Restart the web server

      service httpd restart

6) In order to restrict access to specific directories you can use
a .htaccess file with the following format (the AllowOverride directive in
step 4 is what permits these per-directory overrides):

      AuthType Kerberos
      AuthName "Kerberos Login"
      KrbAuthRealms REALM
      KrbMethodK5Passwd on
      require user <USER1>@REALM <USER2>@REALM

Just place the file under the relevant directory.
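The steps above, carried through as a shell script. This is an added example and not part of the original post: it derives the HTTP service principal, creates it and exports it to the keytab with MIT Kerberos' kadmin.local, checks that the keytab is readable only by the apache user before Apache is restarted, and renders the <Directory> block from step 4. The host name web.example.com, the realm EXAMPLE.COM and the apache user name are assumptions; the keytab path and directory are the ones used in the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Automates steps 1, 2 and 4
# of the procedure above for MIT Kerberos on RHEL (kadmin.local, klist and
# kinit come from the krb5-server / krb5-workstation packages).
# Assumed values: host web.example.com, realm EXAMPLE.COM, httpd running as
# the "apache" user. The keytab path is the one from the post.

http_principal() {
    # $1 = fully qualified host name of the web server, $2 = realm.
    # Prints the service principal name mod_auth_kerb will look up.
    printf 'HTTP/%s@%s\n' "$1" "$2"
}

create_http_keytab() {
    # $1 = host, $2 = realm, $3 = keytab path. Must run on the KDC with
    # kadmin privileges. -randkey gives the service a key nobody types in.
    princ=$(http_principal "$1" "$2")
    kadmin.local -q "addprinc -randkey $princ"
    kadmin.local -q "ktadd -k $3 $princ"
    # The keytab is equivalent to the service's password: only apache reads it.
    chown apache:apache "$3"
    chmod 600 "$3"
    # Prove the keytab works before touching Apache: list its keys and
    # obtain a ticket with it, then throw the ticket away again.
    klist -kt "$3"
    kinit -kt "$3" "$princ" && kdestroy
}

keytab_is_private() {
    # $1 = keytab path, $2 = user that must own it.
    # Returns 0 only if the file exists, is owned by $2 and grants no
    # group or other permission bits (mode 600 or stricter).
    [ -f "$1" ] || return 1
    listing=$(ls -ld "$1")
    case "$listing" in
        ????------*) ;;      # e.g. "-rw-------", optionally followed by "." or "+"
        *) return 1 ;;
    esac
    owner=$(printf '%s\n' "$listing" | awk '{print $3}')
    [ "$owner" = "$2" ]
}

render_directory_block() {
    # $1 = directory to protect, $2 = realm, $3 = keytab path.
    # Prints the <Directory> block from step 4 with the values filled in.
    # KrbMethodK5Passwd is off so that users' passwords are never sent to the
    # web server once ticket-based (Negotiate) login works; KrbSaveCredentials
    # is omitted because it is only needed when the web application must act
    # on the user's behalf with forwarded credentials.
    cat <<EOF
<Directory "$1">
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbAuthRealms $2
    KrbServiceName HTTP
    Krb5Keytab $3
    KrbMethodK5Passwd off
    require valid-user
    AllowOverride AuthConfig
    Order allow,deny
    Allow from all
</Directory>
EOF
}

main() {
    # Usage: sh kerb-httpd.sh web.example.com EXAMPLE.COM /etc/httpd/conf.d/krb5.http
    create_http_keytab "$1" "$2" "$3"
    keytab_is_private "$3" apache || {
        echo "keytab $3 is not private to the apache user" >&2
        exit 1
    }
    render_directory_block /var/www/html "$2" "$3"
    echo "now add the block above to /etc/httpd/conf/httpd.conf and run: service httpd restart"
}

# Only run the procedure when host, realm and keytab path are given.
if [ "$#" -eq 3 ]; then main "$@"; fi
```

The rendered block deliberately differs from the post in two places: KrbMethodK5Passwd is off, so the Basic-auth fallback that carries the user's password to the web server is disabled once Negotiate works, and KrbSaveCredentials is left out unless the application behind Apache needs the user's forwarded TGT. The .htaccess form from step 6 still works with this block because AllowOverride AuthConfig is kept.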

Best Regards,

Ido Levy



