d6c120a22b
- Bump PKGNAME From Mark Peoples at asu dot edu via Chris Kuethe <chris.kuethe@gmail.com> |
||
---|---|---|
.. | ||
mod_auth_kerb-enable | ||
README |
$OpenBSD: README,v 1.2 2005/11/04 09:31:25 alek Exp $ If you haven't already run the module enabler, you can manually enable Kerberos support by adding the following lines into httpd.conf near the other authentication modules. # user authentication using kerberos LoadModule auth_kerb_module /usr/lib/apache/modules/mod_auth_kerb.so To require Kerberos authenication for a directory (or file or location), enclose that location in a block that looks like this. The mod_auth_kerb documentation is a bit sketchy yet, but this was taken from a working OpenBSD machine using mod_auth_kerb. Only the names have been changed to protect the realm. Obviously, you must have Kerberos working before this module can do anything useful. # A Kerberos Authenticated Directory <Directory /var/www/htdocs/private> AuthType Kerberos AuthName "Kerberos Userid and Password" KrbMethodNegotiate off KrbMethodK5Passwd on KrbAuthRealms YOUR.REALM KrbVerifyKDC on Krb5Keytab /var/www/conf/httpd.keytab KrbServiceName http require valid-user </Directory> It is suggested that you create a keytab for httpd that is readable but not writeable by apache, and has no relation to your other Kerberos keys. One way to do this: ktutil -k /var/www/conf/httpd.keytab add -V 1 -e des-cbc-crc \ -w PASSWORD -p http/host.domain.tld@REALM.TLD chown root:www /var/www/conf/httpd.keytab chmod 0440 /var/www/conf/httpd.keytab Thus, if httpd is ever convinced to give access to the keytab, it will be unable to make changes to the keytab, and will be unable to do anything more than serve up its own keytab (which is bad enough).