openbsd-ports/www/mod_auth_kerb/files
alek d6c120a22b - Better gramma
- Bump PKGNAME

From Mark Peoples at asu dot edu via Chris Kuethe <chris.kuethe@gmail.com>
2005-11-04 09:31:25 +00:00
..
mod_auth_kerb-enable
README - Better gramma 2005-11-04 09:31:25 +00:00

$OpenBSD: README,v 1.2 2005/11/04 09:31:25 alek Exp $

If you haven't already run the module enabler, you can manually enable
Kerberos support by adding the following lines into httpd.conf near the
other authentication modules.

	# user authentication using kerberos
	LoadModule auth_kerb_module /usr/lib/apache/modules/mod_auth_kerb.so

To require Kerberos authenication for a directory (or file or location),
enclose that location in a block that looks like this. The mod_auth_kerb
documentation is a bit sketchy yet, but this was taken from a working OpenBSD
machine using mod_auth_kerb. Only the names have been changed to protect
the realm. Obviously, you must have Kerberos working before this module can
do anything useful.

	# A Kerberos Authenticated Directory
	<Directory /var/www/htdocs/private>
		AuthType Kerberos
		AuthName "Kerberos Userid and Password"
		KrbMethodNegotiate off
		KrbMethodK5Passwd on
		KrbAuthRealms YOUR.REALM
		KrbVerifyKDC on
		Krb5Keytab /var/www/conf/httpd.keytab
		KrbServiceName http
		require valid-user
	</Directory>

It is suggested that you create a keytab for httpd that is readable but not
writeable by apache, and has no relation to your other Kerberos keys. One
way to do this:

	ktutil -k /var/www/conf/httpd.keytab add -V 1 -e des-cbc-crc \
		-w PASSWORD -p http/host.domain.tld@REALM.TLD
	chown root:www /var/www/conf/httpd.keytab
	chmod 0440 /var/www/conf/httpd.keytab

Thus, if httpd is ever convinced to give access to the keytab, it will be
unable to make changes to the keytab, and will be unable to do anything more
than serve up its own keytab (which is bad enough).