Apache2 mod_auth_pam with Kerberos 5
Van Emery (Mei Feng)
emeryvl at iis.sinica.edu.tw
Tue Mar 30 03:06:03 UTC 2004
Hello,
Wondering if anyone out there is using mod_auth_pam for Apache
authentication against a back-end Kerb 5 KDC? The module does not have
much documentation, but I have it working on a test box.
My question: is there a better module to use and/or good documentation
on using a backend Kerb 5 infrastructure to authenticate users on a
TLS/SSL-equipped Apache 2 server?
I am using PAM as a "universal proxy" to authenticate from Kerberos.
This has worked so far with console login, sshd, and pop3s.
I would appreciate any information that is available. Thanks in
advance!
Best Regards,
Van
===========================================================
Installation/Configuration notes for working test server:
===========================================================
mod_auth_pam / Apache 2 / Kerberos 5 / NIS
ENVIRONMENT:
Red Hat 9 with the following components:
httpd-2.0.40-21.9
httpd-devel-2.0.40-21.9 ** May be necessary, contains APXS
krb5-devel-1.2.7-14
krb5-libs-1.2.7-14
krb5-workstation-1.2.7-14
pam-0.75-48
pam-devel-0.75-48 ** This package is necessary to compile mod_auth_pam
pam_krb5-1.60-1
Network authentication handled by two centralized MIT Kerberos 5
servers, naming handled by NIS master and slave.
INSTALLATION:
Mainly followed instructions at http://pam.sourceforge.net/mod_auth_pam/.
Downloaded "mod_auth_pam-2.0-1.1.1.tar.gz", gunzipped and untarred. Moved
into the new directory and used the:
make
make install
commands to compile. (If you do not have the pam-devel RPM installed,
you will not be able to compile.)
These new modules appear in /usr/lib/httpd/modules:
mod_auth_pam.so
mod_auth_sys_group.so
CONFIGURATION:
/ETC/HTTPD/CONF/HTTPD.CONF
Assuming that you already have a working Apache/httpd config, you will
need to modify /etc/httpd/conf/httpd.conf. Add the following entries
under the "Dynamic Shared Object (DSO) Support" section:
LoadModule auth_pam_module modules/mod_auth_pam.so
LoadModule auth_sys_group_module modules/mod_auth_sys_group.so
/ETC/HTTPD/CONF.D/SSL.CONF
Assuming you have properly setup and tested your SSL certificates, keys,
and basic configuration file, here are the configuration statements that
I added to protect the "/var/www/tls/tpk5" directory tree:
<Directory "/var/www/tls/tpk5">
    # Basic auth sends the username and password with every request,
    # so this block belongs only inside the TLS-protected virtual host.
    AuthType Basic
    AuthName "Kerb 5 Username and Password Required"
    # Any user that the PAM "httpd" stack accepts is allowed in.
    Require valid-user
    AllowOverride None
</Directory>
"/var/www/tls" is the document root for my Apache https server.
/ETC/PAM.D/HTTPD
To allow HTTP authentication based on the Kerberos 5 PAM module, this is
how I setup my /etc/pam.d/httpd config file:
#%PAM-1.0
# Load environment variables (e.g. from /etc/security/pam_env.conf).
auth required /lib/security/$ISA/pam_env.so
# A successful Kerberos 5 authentication is enough on its own; accounts
# with a UID below 5000 (system/local accounts) are not tried against the KDC.
auth sufficient /lib/security/$ISA/pam_krb5.so minimum_uid=5000
# Anything that pam_krb5 did not accept is rejected explicitly.
auth required /lib/security/$ISA/pam_deny.so
# Account validity (e.g. expiry) is also checked through Kerberos.
account required /lib/security/$ISA/pam_krb5.so
After the configuration changes, Apache must be restarted.
LOGGING:
Here is what we see in the logs for a successful authentication:
/var/log/messages:
Mar 30 09:51:32 demo2 httpd: pam_krb5: authentication succeeds for `van1'
/var/log/httpd/ssl_access_log
142.107.22.41 - van1 [30/Mar/2004:09:51:32 +0800] "GET /tpk5/introduction.html HTTP/1.1" 200 13692
On the KDC: /var/log/krb5kdc.log
Mar 30 09:51:32 das.its.edu.tw krb5kdc[25165](info): AS_REQ (3 etypes {16 3 1}) 142.107.22.41(88): ISSUE: authtime 1080611492, etypes {rep=16 tkt=16 ses=16}, van1 at ITS.IIS for krbtgt/IT.IIS at IT.IIS
Mar 30 09:51:32 das.its.edu.tw krb5kdc[25165](info): AS_REQ (3 etypes {16 3 1}) 142.107.22.41(88): ISSUE: authtime 1080611492, etypes {rep=16 tkt=16 ses=16}, van1 at ITS.IIS for krbtgt/IT.IIS at IT.IIS
Here is what we see in the logs for an unsuccessful authentication:
/var/log/messages:
Mar 30 10:26:43 demo2 httpd: pam_krb5: authenticate error: Decrypt integrity check failed (-1765328353)
Mar 30 10:26:43 demo2 httpd: pam_krb5: authentication fails for `kitty'
/var/log/httpd/ssl_error_log
[Tue Mar 30 10:26:43 2004] [error] [client 142.107.22.41] PAM: user 'kitty' - not authenticated: Authentication failure, referer: https://demo2.iis.sinica.edu.tw/
NOTES:
From watching a packet analyzer, it appears as if two Kerb 5 requests
are issued for every page request in the protected directory of the
server.
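As an added example (not part of the original post), here is a small Python script that runs detection logic over constructed sample lines in the three log formats quoted above: it counts pam_krb5 failures per user from /var/log/messages, "not authenticated" errors per client from ssl_error_log, and AS_REQ ISSUE entries per (client, principal, authtime) from krb5kdc.log, which makes the doubled KDC traffic per page request visible. The sample lines, the threshold values and the principal spelling (van1@ITS.IIS) are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the three formats quoted in the post (not real logs).
MESSAGES = [
    "Mar 30 09:51:32 demo2 httpd: pam_krb5: authentication succeeds for `van1'",
    "Mar 30 10:26:43 demo2 httpd: pam_krb5: authenticate error: Decrypt integrity check failed (-1765328353)",
    "Mar 30 10:26:43 demo2 httpd: pam_krb5: authentication fails for `kitty'",
    "Mar 30 10:26:44 demo2 httpd: pam_krb5: authentication fails for `kitty'",
    "Mar 30 10:26:45 demo2 httpd: pam_krb5: authentication fails for `kitty'",
]
SSL_ERROR = [
    "[Tue Mar 30 10:26:43 2004] [error] [client 142.107.22.41] PAM: user 'kitty' - not authenticated: Authentication failure, referer: https://demo2.iis.sinica.edu.tw/",
    "[Tue Mar 30 10:26:44 2004] [error] [client 142.107.22.41] PAM: user 'kitty' - not authenticated: Authentication failure, referer: https://demo2.iis.sinica.edu.tw/",
    "[Tue Mar 30 10:26:45 2004] [error] [client 142.107.22.41] PAM: user 'kitty' - not authenticated: Authentication failure, referer: https://demo2.iis.sinica.edu.tw/",
]
# The post observes two AS_REQs per protected page request, so the same
# ISSUE line appears twice (constructed; principal written in krb5kdc form).
KDC = [
    "Mar 30 09:51:32 das.its.edu.tw krb5kdc[25165](info): AS_REQ (3 etypes {16 3 1}) 142.107.22.41(88): ISSUE: authtime 1080611492, etypes {rep=16 tkt=16 ses=16}, van1@ITS.IIS for krbtgt/IT.IIS@IT.IIS",
] * 2

PAM_RE = re.compile(r"pam_krb5: authentication (succeeds|fails) for `([^']+)'")
ERR_RE = re.compile(r"\[client ([\d.]+)\] PAM: user '([^']+)' - not authenticated")
KDC_RE = re.compile(r"AS_REQ .* ([\d.]+)\(\d+\): ISSUE: authtime (\d+), .*?, (\S+) for ")

def pam_failures_per_user(lines):
    """Count pam_krb5 'authentication fails' syslog lines per user name."""
    c = Counter()
    for line in lines:
        m = PAM_RE.search(line)
        if m and m.group(1) == "fails":
            c[m.group(2)] += 1
    return c

def failures_per_client(lines):
    """Count Apache 'PAM: user ... not authenticated' errors per client IP."""
    return Counter(m.group(1) for m in map(ERR_RE.search, lines) if m)

def as_req_per_request(lines):
    """Group KDC ISSUE lines by (client, principal, authtime). With Basic
    auth over PAM one page request shows up as more than one AS_REQ here."""
    return Counter((m.group(1), m.group(3), m.group(2))
                   for m in map(KDC_RE.search, lines) if m)

def flag(counter, threshold):
    """Keys whose count reaches the threshold: users or clients worth
    investigating or rate-limiting at the web tier."""
    return sorted(k for k, n in counter.items() if n >= threshold)
```

The KDC grouping is the quickest way to confirm the "two requests per page" observation from the notes without a packet analyzer, and to size the extra load on the KDC before putting such a server in production.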
--
===================================
Van Emery (Mei Feng)
Academia Sinica IIS
Room 402
Tel: 2788-3799 x1457
emeryvl at iis.sinica.edu.tw
===================================