52 lines
1.9 KiB
Plaintext
52 lines
1.9 KiB
Plaintext
$OpenBSD: README,v 1.1 2010/11/13 07:44:33 ajacoutot Exp $
|
|
|
|
If you haven't already run the module enabler, you can manually enable
|
|
Kerberos support by adding the following lines into httpd.conf near the
|
|
other authentication modules.
|
|
|
|
# user authentication using kerberos
|
|
LoadModule auth_kerb_module /usr/lib/apache/modules/mod_auth_kerb.so
|
|
|
|
To require Kerberos authenication for a directory (or file or location),
|
|
enclose that location in a block that looks like this. The mod_auth_kerb
|
|
documentation is a bit sketchy yet, but this was taken from a working OpenBSD
|
|
machine using mod_auth_kerb. Only the names have been changed to protect
|
|
the realm. Obviously, you must have Kerberos working before this module can
|
|
do anything useful.
|
|
|
|
# A Kerberos Authenticated Directory
|
|
<Directory /var/www/htdocs/private>
|
|
AuthType Kerberos
|
|
AuthName "Kerberos Userid and Password"
|
|
KrbMethodNegotiate off
|
|
KrbMethodK5Passwd on
|
|
KrbAuthRealms YOUR.REALM
|
|
KrbVerifyKDC on
|
|
Krb5Keytab /var/www/conf/httpd.keytab
|
|
KrbServiceName http
|
|
require valid-user
|
|
</Directory>
|
|
|
|
It is suggested that you create a keytab for httpd that is readable but not
|
|
writeable by apache, and has no relation to your other Kerberos keys. One
|
|
way to do this:
|
|
|
|
ktutil -k /var/www/conf/httpd.keytab add -V 1 -e des-cbc-crc \
|
|
-w PASSWORD -p http/host.domain.tld@YOUR.REALM
|
|
|
|
Depending on your ID management system, you may be able to simply "get" a
|
|
principal, though you will needed the appropriate kdc privileges to do so:
|
|
|
|
ktutil -k /var/www/conf/httpd.keytab get \
|
|
http/host.domain.tld@YOUR.REALM
|
|
|
|
Once you have created the keytab with the web server's principal, you should
|
|
restrict permissions on the keytab:
|
|
|
|
chown root:www /var/www/conf/httpd.keytab
|
|
chmod 0440 /var/www/conf/httpd.keytab
|
|
|
|
Thus, if httpd is ever convinced to give access to the keytab, it will be
|
|
unable to make changes to the keytab, and will be unable to do anything more
|
|
than serve up its own keytab (which is bad enough).
|