Announcing mod_auth_gssapi
Simo Sorce
simo at redhat.com
Thu Aug 14 18:06:50 EDT 2014
Hello list,
I have recently released a new module for Apache called mod_auth_gssapi
to modernize a little bit on the ancient and substantially unmaintained
mod_auth_kerb.
The code is here on github[1] for now, and packages will soon be
available for Fedora (and any other distro that wants to pick it up).
Highlights are:
- uses exclusively GSSAPI calls
- requires a modern MIT Kerberos version (at least 1.11)
- supports storing a bearer token in a secure, http-only, session cookie
automatically to avoid multiple round-trips in applications
- support enforcing the use of a TLS connection
- experimental support for channel bindings (depends on an unaccepted
Apache patch and browser support).
- optionally exports delegated credentials to support s4u2proxy based
operations in web applications
I had fun coding this, which started as an experiment on a boring plane
trip, I hope it can be of use to others.
Simo.
[1] https://github.com/modauthgssapi/mod_auth_gssapi
--
Simo Sorce * Red Hat, Inc * New York
More information about the Kerberos
mailing list