Apache2 mod_auth_pam with Kerberos 5

Van Emery (Mei Feng) emeryvl at iis.sinica.edu.tw
Tue Mar 30 03:06:03 UTC 2004


Hello,

Wondering if anyone out there is using mod_auth_pam for Apache
authentication against a back-end Kerb 5 KDC?  The module does not have
much documentation, but I have it working on a test box.

My question:  is there a better module to use and/or good documentation
on using a backend Kerb 5 infrastructure to authenticate users on a
TLS/SSL-equipped Apache 2 server?  

I am using PAM as a "universal proxy" to authenticate from Kerberos. 
This has worked so far with console login, sshd, and pop3s.

I would appreciate any information that is available.  Thanks in
advance!

Best Regards,

Van


===========================================================
Installation/Configuration notes for working test server:
===========================================================

mod_auth_pam / Apache 2 / Kerberos 5 / NIS

ENVIRONMENT:

Red Hat 9 with the following components:

httpd-2.0.40-21.9
httpd-devel-2.0.40-21.9      ** May be necessary, contains APXS

krb5-devel-1.2.7-14
krb5-libs-1.2.7-14
krb5-workstation-1.2.7-14

pam-0.75-48
pam-devel-0.75-48          ** This package is necessary to compile mod_auth_pam
pam_krb5-1.60-1

Network authentication handled by two centralized MIT Kerberos 5
servers, naming handled by NIS master and slave.


INSTALLATION:

Mainly followed instructions at http://pam.sourceforge.net/mod_auth_pam/.
Downloaded "mod_auth_pam-2.0-1.1.1.tar.gz", gunzipped and untarred.
Moved into new directory and used the:

make 
make install

commands to compile.  (If you do not have the pam-devel RPM installed,
you will not be able to compile.)

These new modules appear in /usr/lib/httpd/modules:

  mod_auth_pam.so
  mod_auth_sys_group.so


CONFIGURATION:

/ETC/HTTPD/CONF/HTTPD.CONF 

Assuming that you already have a working Apache/httpd config, you will
need to modify /etc/httpd/conf/httpd.conf.  Add the following entries
under the "Dynamic Shared Object (DSO) Support" section:

LoadModule auth_pam_module modules/mod_auth_pam.so
LoadModule auth_sys_group_module modules/mod_auth_sys_group.so

/ETC/HTTPD/CONF.D/SSL.CONF

Assuming you have properly set up and tested your SSL certificates, keys,
and basic configuration file, here are the configuration statements that
I added to protect the "/var/www/tls/tpk5" directory tree:

<Directory "/var/www/tls/tpk5">
    AuthType Basic
    AuthName "Kerb 5 Username and Password Required"
    Require valid-user

    AllowOverride None
</Directory>

"/var/www/tls" is the document root for my Apache https server.


/ETC/PAM.D/HTTPD

To allow HTTP authentication based on the Kerberos 5 PAM module, this is
how I set up my /etc/pam.d/httpd config file:

#%PAM-1.0

auth        required    /lib/security/$ISA/pam_env.so
auth        sufficient  /lib/security/$ISA/pam_krb5.so minimum_uid=5000
auth        required    /lib/security/$ISA/pam_deny.so
account     required    /lib/security/$ISA/pam_krb5.so


After the configuration changes, Apache must be restarted.

LOGGING:

Here is what we see in the logs for a successful authentication:

/var/log/messages:  

Mar 30 09:51:32 demo2 httpd: pam_krb5: authentication succeeds for `van1'

/var/log/httpd/ssl_access_log

142.107.22.41 - van1 [30/Mar/2004:09:51:32 +0800] "GET /tpk5/introduction.html HTTP/1.1" 200 13692

On the KDC:  /var/log/krb5kdc.log

Mar 30 09:51:32 das.its.edu.tw krb5kdc[25165](info): AS_REQ (3 etypes {16 3 1}) 142.107.22.41(88): ISSUE: authtime 1080611492, etypes {rep=16 tkt=16 ses=16}, van1 at ITS.IIS for krbtgt/IT.IIS at IT.IIS
Mar 30 09:51:32 das.its.edu.tw krb5kdc[25165](info): AS_REQ (3 etypes {16 3 1}) 142.107.22.41(88): ISSUE: authtime 1080611492, etypes {rep=16 tkt=16 ses=16}, van1 at ITS.IIS for krbtgt/IT.IIS at IT.IIS


Here is what we see in the logs for an unsuccessful authentication:

/var/log/messages:

Mar 30 10:26:43 demo2 httpd: pam_krb5: authenticate error: Decrypt integrity check failed (-1765328353)
Mar 30 10:26:43 demo2 httpd: pam_krb5: authentication fails for `kitty'

/var/log/httpd/ssl_error_log

[Tue Mar 30 10:26:43 2004] [error] [client 142.107.22.41] PAM: user 'kitty' - not authenticated: Authentication failure, referer: https://demo2.iis.sinica.edu.tw/

NOTES:

From watching a packet analyzer, it appears as if two Kerb 5 requests
are issued for every page request in the protected directory of the
server.



-- 

===================================

       Van Emery (Mei Feng)

       Academia Sinica IIS
       Room 402
       Tel: 2788-3799 x1457

     emeryvl at iis.sinica.edu.tw

===================================
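
Added example (not part of the original post, and not code from mod_auth_pam or pam_krb5): a Python parser for the pam_krb5 lines shown under LOGGING, which pairs each "authenticate error" line with the "authentication fails" line that follows it and lists users at or above a failure threshold. The function name, the threshold and the sample lines are constructed for illustration; pairing by host and service assumes the two lines are logged back to back, as they are in the post.

```python
import re
from collections import Counter, defaultdict

# Syslog prefix plus the pam_krb5 messages, in the format shown in the post.
LINE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) (?P<svc>[^:\s]+): pam_krb5: (?P<msg>.*)$"
)
RESULT = re.compile(r"^authentication (?P<verdict>succeeds|fails) for `(?P<user>[^']*)'$")
ERROR = re.compile(r"^authenticate error: (?P<text>.*) \((?P<code>-?\d+)\)$")


def summarize(lines, threshold=3):
    """Tally pam_krb5 results per user; return (stats, users with >= threshold failures)."""
    stats = defaultdict(lambda: {"ok": 0, "fail": 0, "errors": Counter()})
    pending = {}  # (host, service) -> krb5 error text awaiting its "fails" line
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a pam_krb5 line
        key = (m["host"], m["svc"])
        err = ERROR.match(m["msg"])
        if err:
            pending[key] = f'{err["text"]} ({err["code"]})'
            continue
        res = RESULT.match(m["msg"])
        if not res:
            continue
        entry = stats[res["user"]]
        if res["verdict"] == "succeeds":
            entry["ok"] += 1
            pending.pop(key, None)
        else:
            entry["fail"] += 1
            entry["errors"][pending.pop(key, "unknown")] += 1
    flagged = sorted(u for u, s in stats.items() if s["fail"] >= threshold)
    return dict(stats), flagged

# Constructed sample input modelled on the log lines in the post.
SAMPLE = """\
Mar 30 09:51:32 demo2 httpd: pam_krb5: authentication succeeds for `van1'
Mar 30 10:26:43 demo2 httpd: pam_krb5: authenticate error: Decrypt integrity check failed (-1765328353)
Mar 30 10:26:43 demo2 httpd: pam_krb5: authentication fails for `kitty'
Mar 30 10:26:44 demo2 httpd: pam_krb5: authenticate error: Decrypt integrity check failed (-1765328353)
Mar 30 10:26:44 demo2 httpd: pam_krb5: authentication fails for `kitty'
Mar 30 10:27:01 demo2 sshd[412]: pam_unix: unrelated line
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE, threshold=2))
```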






