Announcing mod_auth_gssapi

Russ Allbery eagle at eyrie.org
Thu Aug 14 18:22:19 EDT 2014


Simo Sorce <simo at redhat.com> writes:

> I have recently released a new module for Apache called mod_auth_gssapi
> to modernize a little bit on the ancient and substantially unmaintained
> mod_auth_kerb.

> The code is here on github[1] for now, and packages will soon be
> available for Fedora (and any other distro that wants to pick it up).

> Highlights are:
> - uses exclusively GSSAPI calls
> - requires a modern MIT Kerberos version (at least 1.11)
> - supports storing a bearer token in a secure, http-only, session cookie
> automatically to avoid multiple round-trips in applications
> - supports enforcing the use of a TLS connection
> - experimental support for channel bindings (depends on an unaccepted
> Apache patch and browser support).
> - optionally exports delegated credentials to support s4u2proxy based
> operations in web applications

> I had fun coding this, which started as an experiment on a boring plane
> trip, I hope it can be of use to others.

Oh, excellent!  I'd been meaning to do the same thing for years and never
got to it, so I'm very glad you did.  That sounds very interesting!  Thank
you!

-- 
Russ Allbery (eagle at eyrie.org)              <http://www.eyrie.org/~eagle/>

