Hello,

Wondering if anyone out there is using mod_auth_pam for Apache authentication against a back-end Kerb 5 KDC? The module does not have much documentation, but I have it working on a test box. My question: is there a better module to use and/or good documentation on using a backend Kerb 5 infrastructure to authenticate users on a TLS/SSL-equipped Apache 2 server?

I am using PAM as a "universal proxy" to authenticate from Kerberos. This has worked so far with console login, sshd, and pop3s.

I would appreciate any information that is available. Thanks in advance!

Best Regards,

Van

===========================================================
Installation/Configuration notes for working test server:
===========================================================

mod_auth_pam / Apache 2 / Kerberos 5 / NIS

ENVIRONMENT:

Red Hat 9 with the following components:

  httpd-2.0.40-21.9
  httpd-devel-2.0.40-21.9     ** May be necessary, contains APXS
  krb5-devel-1.2.7-14
  krb5-libs-1.2.7-14
  krb5-workstation-1.2.7-14
  pam-0.75-48
  pam-devel-0.75-48           ** This package is necessary to compile mod_auth_pam
  pam_krb5-1.60-1

Network authentication handled by two centralized MIT Kerberos 5 servers, naming handled by NIS master and slave.

INSTALLATION:

Mainly followed instructions at http://pam.sourceforge.net/mod_auth_pam/ .

Downloaded "mod_auth_pam-2.0-1.1.1.tar.gz", gunzipped and untarred. Moved into new directory and used the:

  make
  make install

commands to compile. (If you do not have the pam-devel RPM installed, you will not be able to compile.)

These new modules appear in /usr/lib/httpd/modules:

  mod_auth_pam.so
  mod_auth_sys_group.so

CONFIGURATION:

/ETC/HTTPD/CONF/HTTPD.CONF

Assuming that you already have a working Apache/httpd config, you will need to modify /etc/httpd/conf/httpd.conf. Add the following entries under the "Dynamic Shared Object (DSO) Support" section:

  LoadModule auth_pam_module modules/mod_auth_pam.so
  LoadModule auth_sys_group_module modules/mod_auth_sys_group.so

/ETC/HTTPD/CONF.D/SSL.CONF

Assuming you have properly set up and tested your SSL certificates, keys, and basic configuration file, here are the configuration statements that I added to protect the "/var/www/tls/tpk5" directory tree:

  <Directory "/var/www/tls/tpk5">
      AuthType Basic
      AuthName "Kerb 5 Username and Password Required"
      Require valid-user
      AllowOverride None
  </Directory>

"/var/www/tls" is the document root for my Apache https server.

/ETC/PAM.D/HTTPD

To allow HTTP authentication based on the Kerberos 5 PAM module, this is how I set up my /etc/pam.d/httpd config file:

  #%PAM-1.0
  auth       required     /lib/security/$ISA/pam_env.so
  auth       sufficient   /lib/security/$ISA/pam_krb5.so minimum_uid=5000
  auth       required     /lib/security/$ISA/pam_deny.so
  account    required     /lib/security/$ISA/pam_krb5.so

After the configuration changes, Apache must be restarted.

LOGGING:

Here is what we see in the logs for a successful authentication:

/var/log/messages:

  Mar 30 09:51:32 demo2 httpd: pam_krb5: authentication succeeds for `van1'

/var/log/httpd/ssl_access_log:

  142.107.22.41 - van1 [30/Mar/2004:09:51:32 +0800] "GET /tpk5/introduction.html HTTP/1.1" 200 13692

On the KDC, /var/log/krb5kdc.log:

  Mar 30 09:51:32 das.its.edu.tw krb5kdc[25165](info): AS_REQ (3 etypes {16 3 1}) 142.107.22.41(88): ISSUE: authtime 1080611492, etypes {rep=16 tkt=16 ses=16}, van1@xxxxxxx for krbtgt/IT.IIS@xxxxxx
  Mar 30 09:51:32 das.its.edu.tw krb5kdc[25165](info): AS_REQ (3 etypes {16 3 1}) 142.107.22.41(88): ISSUE: authtime 1080611492, etypes {rep=16 tkt=16 ses=16}, van1@xxxxxxx for krbtgt/IT.IIS@xxxxxx

Here is what we see in the logs for an unsuccessful authentication:

/var/log/messages:

  Mar 30 10:26:43 demo2 httpd: pam_krb5: authenticate error: Decrypt integrity check failed (-1765328353)
  Mar 30 10:26:43 demo2 httpd: pam_krb5: authentication fails for `kitty'

/var/log/httpd/ssl_error_log:

  [Tue Mar 30 10:26:43 2004] [error] [client 142.107.22.41] PAM: user 'kitty' - not authenticated: Authentication failure, referer: https://demo2.iis.sinica.edu.tw/

NOTES:

From watching a packet analyzer, it appears as if two Kerb 5 requests are issued for every page request in the protected directory of the server.

--
===================================
Van Emery (Mei Feng)
Academia Sinica IIS Room 402
Tel: 2788-3799 x1457
emeryvl@xxxxxxxxxxxxxxxxx
===================================

_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
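A small parser for the three log formats quoted in the post, added here as an example (it is not part of Van's message or of mod_auth_pam). It tallies pam_krb5 successes and failures per user, flags users with repeated failures, and checks the "two Kerb 5 requests per page request" observation by dividing KDC AS_REQ lines by protected-directory requests per client. The sample lines are constructed to match the quoted formats; the host names, the address and the realm EXAMPLE.REALM are placeholders.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the formats quoted in the post; hosts, the address and the realm are placeholders.
MESSAGES = """\
Mar 30 09:51:32 demo2 httpd: pam_krb5: authentication succeeds for `van1'
Mar 30 10:26:43 demo2 httpd: pam_krb5: authenticate error: Decrypt integrity check failed (-1765328353)
Mar 30 10:26:43 demo2 httpd: pam_krb5: authentication fails for `kitty'
Mar 30 10:26:50 demo2 httpd: pam_krb5: authentication fails for `kitty'
Mar 30 10:26:58 demo2 httpd: pam_krb5: authentication fails for `kitty'
"""
ACCESS = """\
142.107.22.41 - van1 [30/Mar/2004:09:51:32 +0800] "GET /tpk5/introduction.html HTTP/1.1" 200 13692
142.107.22.41 - van1 [30/Mar/2004:09:51:40 +0800] "GET /tpk5/chapter1.html HTTP/1.1" 200 8001
142.107.22.41 - - [30/Mar/2004:09:52:01 +0800] "GET /index.html HTTP/1.1" 200 1200
"""
KDC = """\
Mar 30 09:51:32 kdc krb5kdc[25165](info): AS_REQ (3 etypes {16 3 1}) 142.107.22.41(88): ISSUE: authtime 1080611492, etypes {rep=16 tkt=16 ses=16}, van1@EXAMPLE.REALM for krbtgt/EXAMPLE.REALM@EXAMPLE.REALM
Mar 30 09:51:32 kdc krb5kdc[25165](info): AS_REQ (3 etypes {16 3 1}) 142.107.22.41(88): ISSUE: authtime 1080611492, etypes {rep=16 tkt=16 ses=16}, van1@EXAMPLE.REALM for krbtgt/EXAMPLE.REALM@EXAMPLE.REALM
Mar 30 09:51:40 kdc krb5kdc[25165](info): AS_REQ (3 etypes {16 3 1}) 142.107.22.41(88): ISSUE: authtime 1080611500, etypes {rep=16 tkt=16 ses=16}, van1@EXAMPLE.REALM for krbtgt/EXAMPLE.REALM@EXAMPLE.REALM
Mar 30 09:51:40 kdc krb5kdc[25165](info): AS_REQ (3 etypes {16 3 1}) 142.107.22.41(88): ISSUE: authtime 1080611500, etypes {rep=16 tkt=16 ses=16}, van1@EXAMPLE.REALM for krbtgt/EXAMPLE.REALM@EXAMPLE.REALM
"""

PAM_RE = re.compile(r"pam_krb5: authentication (succeeds|fails) for `([^']+)'")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) ')
ASREQ_RE = re.compile(r"AS_REQ .*? (\d+\.\d+\.\d+\.\d+)\(\d+\): ISSUE:")

def pam_outcomes(messages):
    """Per-user counts of pam_krb5 'succeeds' / 'fails' lines from /var/log/messages."""
    counts = defaultdict(Counter)
    for m in PAM_RE.finditer(messages):
        counts[m.group(2)][m.group(1)] += 1
    return {user: dict(c) for user, c in counts.items()}

def repeated_failures(messages, threshold=3):
    """Users whose failure count reaches the threshold: a password-guessing signal
    that Basic auth in front of a KDC makes worth alerting on."""
    return sorted(u for u, c in pam_outcomes(messages).items() if c.get("fails", 0) >= threshold)

def asreq_per_protected_request(access, kdc, prefix="/tpk5/"):
    """AS_REQ ISSUE lines per client IP divided by that client's requests under the
    protected prefix; the post's 'two Kerb 5 requests per page' shows up as 2.0."""
    reqs = Counter()
    for line in access.splitlines():
        m = ACCESS_RE.match(line)
        if m and m.group(2).startswith(prefix):
            reqs[m.group(1)] += 1
    asreqs = Counter(m.group(1) for m in ASREQ_RE.finditer(kdc))
    return {ip: asreqs[ip] / n for ip, n in reqs.items()}
```

Because Basic auth resends the credentials on every request, the PAM stack (and the KDC) is exercised per request, so the ratio is the number to watch when sizing the KDC or tuning failure alerts.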