[Freeipa-devel] Kerberos implementation issues

Jim Meyering jim at meyering.net
Wed Jun 22 11:44:35 UTC 2011


Sumit Bose wrote:
> On Tue, Jun 21, 2011 at 04:48:08PM -0600, Pete Zaitcev wrote:
>> On Tue, 21 Jun 2011 18:28:36 -0400
>> Dmitri Pal <dpal at redhat.com> wrote:
>>
>> Dear Dmitri, thanks for the reply. I am reading curl source code
>> now and I notice the distinction between "Negotiate" that comes
>> from SPNEGO, and "GSS-Negotiate". I'm looking for the definition
>> of the latter.
>>
>> > > I am working on adding authentication/authorization
>> > > to Image Warehouse (a.k.a. iwhd). It uses HTTP protocol, implemented
>> > > with GNU Microhttpd. [...]
>>
>> > > So far, I gather that so-called "SPNEGO" protocol is what everyone
>> > > uses (RFC 4178). It relies on GSS-API (2743/2744) and Kerberos (4121).
>> > > There's also a "Kerberos on Windows" thing (4559), which actually
>> > > defines the key pieces such as "WWW-Authenticate: Negotiate".
>>
>> > What web server you are using? It is mostly something that is used
>> > outside the application by the web server itself.
>>
>> As I mentioned, iwhd relies on GNU Microhttpd library to implement
>> a webserver.
>
> According to http://www.gnu.org/software/libmicrohttpd/ there is only
> "Support for basic and digest authentication (optional)". As Dmitri
> already mentioned there is mod_auth_kerb for Apache which offers the
> Negotiate. It does GSSAPI but can handle SPNEGO as well and can
> authenticate an SPNEGO client if it can handle GSSAPI (SPNEGO is
> basically used to choose between GSSAPI or NTLMSSP).
>
> As long as GNU Microhttpd library does not support at least GSSAPI, but
> SPNEGO would be important for Windows clients, or can use Apache's
> mod_auth_kerb somehow, I would recommend like Dmitri to use an Apache in
> front of iwhd and let Apache forward the principal of the authenticated
> user in e.g. X_FORWARDED_USER header variable.

Unfortunately, replacing (in iwhd) an embedded component like libmicrohttpd
may be er, ... challenging.  iwhd can be configured to act as both server
and client, and can use arbitrary port numbers, so deferring to "Apache"
seems infeasible.

For example, one use case is to run two interconnected iwhd servers,
one upstream and another downstream, as demonstrated in iwhd's
t/replication test case.  Even if we were to give up this functionality
(currently not required by any iwhd client), requiring an additional,
private-to-iwhd, kerb-enabled Apache server sounds like disproportionate
overhead for an otherwise small daemon.

Our best bet may be to find an embeddable httpd server that supports GSSAPI.
Do any of you know of one?
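Whatever server ends up doing the accept, the first thing it sees is the RFC 4559 credential: an `Authorization: Negotiate <base64>` header whose payload is a GSS-API token. The thread's "Negotiate vs GSS-Negotiate" and "SPNEGO chooses between GSSAPI or NTLMSSP" points come down to what that token is: an RFC 2743 InitialContextToken whose leading OID says SPNEGO (1.3.6.1.5.5.2), Kerberos 5 (1.2.840.113554.1.2.2, or Microsoft's 1.2.840.48018.1.2.2), a SPNEGO continuation (NegTokenResp, tag 0xA1, no wrapper), or a raw NTLMSSP message with no GSS framing at all. The following is an added example, not code from iwhd, libmicrohttpd, curl or FreeIPA: it builds constructed sample tokens (placeholder inner bytes, not real AP-REQ or NegTokenInit data) and classifies them by parsing the framing. Function names are mine; a real server would pass the framed tokens on to a GSSAPI acceptor rather than parse them itself.

```python
import base64
import re

# Well-known GSS-API mechanism OIDs as DER OID TLVs (tag 0x06, length, value octets).
SPNEGO_OID_TLV = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2 (RFC 4178)
KRB5_OID_TLV = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2 (RFC 4121)
MS_KRB5_OID_TLV = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2 (Microsoft variant)

MECH_NAMES = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos 5",
    "1.2.840.48018.1.2.2": "Kerberos 5 (Microsoft OID)",
}

_NEGOTIATE_RE = re.compile(r"^\s*Negotiate\s+([A-Za-z0-9+/=]+)\s*$")


def _der_len(n: int) -> bytes:
    """DER length: short form below 128, long form (0x80|nbytes, big-endian) otherwise."""
    if n < 0x80:
        return bytes([n])
    enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(enc)]) + enc


def _read_der_len(buf: bytes, pos: int):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4 or pos + 1 + nbytes > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big"), pos + 1 + nbytes


def _decode_oid(body: bytes) -> str:
    """OID content octets to dotted form; first octet packs the first two arcs."""
    if not body:
        raise ValueError("empty OID")
    arcs = [body[0] // 40, body[0] % 40]
    value, pending = 0, False
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        pending = bool(b & 0x80)      # high bit set means the arc continues
        if not pending:
            arcs.append(value)
            value = 0
    if pending:
        raise ValueError("truncated OID arc")
    return ".".join(map(str, arcs))


def build_initial_context_token(oid_tlv: bytes, inner: bytes) -> bytes:
    """RFC 2743 section 3.1 framing: [APPLICATION 0] { mechanism OID, inner token }."""
    body = oid_tlv + inner
    return b"\x60" + _der_len(len(body)) + body


def build_negotiate_header(token: bytes) -> str:
    """Carry a token the way RFC 4559 does in Authorization / WWW-Authenticate."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")


def classify_negotiate_token(header_value: str) -> dict:
    """Say what a 'Negotiate <b64>' credential actually carries (framing, mech, oid)."""
    m = _NEGOTIATE_RE.match(header_value)
    if not m:
        raise ValueError("not a Negotiate credential")
    token = base64.b64decode(m.group(1), validate=True)
    if not token:
        raise ValueError("empty token")
    # Raw NTLM: an NTLMSSP message with no GSS framing at all.
    if token.startswith(b"NTLMSSP\x00"):
        return {"framing": "raw", "mech": "NTLMSSP", "oid": None}
    # SPNEGO continuation: NegTokenResp is [1] EXPLICIT, sent without the wrapper.
    if token[0] == 0xA1:
        return {"framing": "NegTokenResp", "mech": "SPNEGO", "oid": "1.3.6.1.5.5.2"}
    if token[0] != 0x60:
        raise ValueError("neither InitialContextToken, NegTokenResp nor NTLMSSP")
    length, pos = _read_der_len(token, 1)
    if pos + length != len(token):
        raise ValueError("InitialContextToken length does not match token size")
    if token[pos] != 0x06:
        raise ValueError("expected mechanism OID after InitialContextToken header")
    oid_len, pos = _read_der_len(token, pos + 1)
    if pos + oid_len > len(token):
        raise ValueError("truncated mechanism OID")
    oid = _decode_oid(token[pos:pos + oid_len])
    return {"framing": "InitialContextToken", "mech": MECH_NAMES.get(oid, "unknown"),
            "oid": oid, "inner": token[pos + oid_len:]}


if __name__ == "__main__":
    # Constructed samples: inner bytes are placeholders, not real AP-REQ / NegTokenInit data.
    samples = {
        "krb5": build_initial_context_token(KRB5_OID_TLV, b"\x01\x00<placeholder AP-REQ>"),
        "spnego": build_initial_context_token(SPNEGO_OID_TLV, b"<placeholder NegTokenInit>"),
        "ntlm": b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(28),
    }
    for name, tok in samples.items():
        print(name, classify_negotiate_token(build_negotiate_header(tok)))
```

The practical consequence for a server: a GSSAPI acceptor with the SPNEGO mechanism available handles both the SPNEGO-wrapped and the bare Kerberos forms, whereas a raw NTLMSSP credential is only usable if the server has an NTLM implementation behind it, which a Kerberos-only acceptor does not.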
