mod_auth_kerb + apache + kerberos

Martin Simovic msimovic at concurrent-thinking.com
Sun Jun 29 07:20:55 EDT 2008


On Sun, 2008-06-29 at 16:31 +0530, kul gupta wrote:
> Hello
> 
> I want to use the module "auth_mod_kerb" for web authentication.
> Currently I am trying on Red Hat Enterprise Linux 5.0
> 
> I have OpenSSL 0.9.8g installed on it
> But when I am trying to install "apache with ssl", I am getting some error.
> Without ssl apache is getting installed properly
> 
> Is it necessary to have "apache with ssl" for working with
> "auth_mod_kerb"?
> If yes, how can I proceed for the same
> 
> I will highly appreciate if someone can help me on this issue.
> 
> 
> Thanks
> Regards
> KUL

Hi,

'some error' does not actually help us to solve your problem. this is
redhat specific and has nothing to do with kerberos or auth. whatsoever
at this stage. look at the redhat docs (which used to be very good -
last one i used was 'shrike' :) ) for the troubleshooting of apache SSL
installation.

to answer your question: for apache auth_mod_krb SSL is recommended,
however not necessary. the fact is, it would work without it, but it's
definitely something you do not want to do. without SSL your kerberos
passwords will fly to the web server in cleartext (yes) and therefore
totally compromise your kerberos infrastructure (all your kerberized
services use the same username/password yes?)

apart from that, if your goal is to implement SSO solution (so that your
users will use kerberos TGT rather than password -but you never know
what will user do ;) ) the firefox (and IE) plugin is configured to
authenticate only to kerberos enabled websites over SSL - you would have
to override this in about:config setting for each of your URL's in
firefox (no idea for IE).

summary: you want SSL

there are nice docs here (recommend reading through)
http://modauthkerb.sourceforge.net/index.html

Martin.
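
The point made in the reply above, shown as an Apache configuration: a mod_auth_kerb location served over plain HTTP beside the same location restricted to SSL. This is an added example, not part of the original message or the mod_auth_kerb documentation; the host name, realm, URL path and file paths are placeholders.

```apache
# Added example; EXAMPLE.COM, www.example.com, /secure and all file paths are placeholders.

# --- Weak: Kerberos auth over plain HTTP. With KrbMethodK5Passwd On the module
# --- accepts HTTP Basic credentials, so the Kerberos password crosses the wire unencrypted.
<VirtualHost *:80>
    ServerName www.example.com
    <Location /secure>
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbAuthRealms EXAMPLE.COM
        Krb5KeyTab /etc/httpd/conf/http.keytab
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        Require valid-user
    </Location>
</VirtualHost>

# --- Corrected (replaces the block above): port 80 only redirects, auth lives on 443.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent /secure https://www.example.com/secure
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key
    <Location /secure>
        # Refuse any request for this location that did not arrive over SSL.
        SSLRequireSSL
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbAuthRealms EXAMPLE.COM
        Krb5KeyTab /etc/httpd/conf/http.keytab
        KrbMethodNegotiate On
        # Password fallback is now protected by SSL; set this to Off
        # if only ticket-based (Negotiate) sign-on should be accepted.
        KrbMethodK5Passwd On
        Require valid-user
    </Location>
</VirtualHost>
```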
