Announcing mod_auth_gssapi

Simo Sorce simo at redhat.com
Thu Aug 14 18:06:50 EDT 2014


Hello list,
I have recently released a new module for Apache called mod_auth_gssapi
to modernize a little bit on the ancient and substantially unmaintained
mod_auth_kerb.

The code is here on github[1] for now, and packages will soon be
available for Fedora (and any other distro that wants to pick it up).

Highlights are:
- uses exclusively GSSAPI calls
- requires a modern MIT Kerberos version (at least 1.11)
- supports storing a bearer token in a secure, http-only, session cookie
automatically to avoid multiple round-trips in applications
- supports enforcing the use of a TLS connection
- experimental support for channel bindings (depends on an unaccepted
Apache patch and browser support).
- optionally exports delegated credentials to support s4u2proxy based
operations in web applications

I had fun coding this, which started as an experiment on a boring plane
trip. I hope it can be of use to others.

Simo.

[1] https://github.com/modauthgssapi/mod_auth_gssapi

-- 
Simo Sorce * Red Hat, Inc * New York


