components/web/apache24/mod_auth_gss/mod_auth_gss.html

   1 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   2     "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   3
   4 <html xmlns="http://www.w3.org/1999/xhtml">
   5   <head>
   6     <meta name="generator" content="HTML Tidy, see www.w3.org" />
   7
   8     <title>Apache module mod_auth_gss</title>
   9   </head>
  10   <!-- Background white, links blue (unvisited), navy (visited), red (active) -->
  11
  12   <body bgcolor="#FFFFFF" text="#000000" link="#0000FF"
  13   vlink="#000080" alink="#FF0000">
  14         <div align="CENTER">
  15       <img src="../images/sub.gif" alt="[APACHE DOCUMENTATION]" />
  16
  17       <h3>Apache HTTP Server Version 1.3</h3>
  18     </div>
  19
  20     <h1 align="CENTER">Module mod_auth_gss</h1>
  21     <p>This module provides for user authentication using GSSAPI Authentication.</p>
  22
  23     <p><a href="module-dict.html#Status"
  24     rel="Help"><strong>Status:</strong></a> Extension<br />
  25      <a href="module-dict.html#SourceFile"
  26     rel="Help"><strong>Source File:</strong></a> mod_auth_gss.c<br />
  27      <a href="module-dict.html#ModuleIdentifier"
  28     rel="Help"><strong>Module Identifier:</strong></a>
  29     auth_gss_module<br />
  30
  31     <h2>Summary</h2>
  32
  33     <p>This module implements GSSAPI authentication using the
  34     "WWW-Authenticate: Negotiate" protocol.   This typically
  35     requires the client and the server systems to have support for
  36     GSSAPI and a properly configured security mechanism (usually
  37     Kerberos V5) to be used by GSSAPI.
  38
  39     <h2>Directives</h2>
  40
  41     <ul>
  42       <li><a href="#authgssservicename">AuthGSSServiceName</a></li>
  43       <li><a href="#authgsskeytabfile">AuthGSSKeytabFile</a></li>
  44       <li><a href="#aughgssdebug">AuthGSSDebug</a></li>
  45     </ul>
  46
  47     <h2>Using GSSAPI Authentication</h2>
  48
  49     <p>Before using GSSAPI authentication with Apache, the
  50     system must already have been configured to use Kerberos V5
  51     authentication.   All of the major Kerberos V5
  52     implementation (MIT KRB5, Heimdal, Sun, IBM, HP, Microsoft)
  53     currently support Kerberos V5 GSSAPI mechanisms.
  54     Configuring Kerberos is beyond the scope of this document.
  55     Adding GSSAPI authentication support to the web extends
  56     Single sign on capabilities to the intranet and reduces
  57     the risks involved in having users constantly entering
  58     username/password combinations when accessing websites.
  59     <p>
  60     <h3>Configure a Service Principal</h3>
  61     <p>The default service principal that mod_auth_gss will
  62     try to use is "HTTP/f.q.d.n".  The key for this principal
  63     must be stored in a keytab file that is readable by the
  64     Apache server, but it should be protected from access
  65     by anyone else, and should <b>definitely not</b> be
  66     stored in an area that can be browsed by clients.
  67     <p>
  68     Example:  the Apache server is on host "www.foo.com".
  69     Create a principal called "HTTP/www.foo.com".
  70     Store the key for this principal in a protected keytab
  71     file.   Using MIT Kerberos V5:
  72     <br>
  73     <pre>
  74     $ kadmin
  75     $ kadmin> ktadd -k /var/apache/http.keytab  HTTP/www.foo.com
  76     $ kadmin> quit
  77     </pre>
  78
  79     <p>Once the keys are created and stored, using GSSAPI
  80     authentication is very simple.  Set up the authentication
  81     type for the directories being protected to be "GSSAPI".
  82     If the keytab or service name chosen is not the defaults
  83     ("HTTP" and "/var/apache/http.keytab", respectively), then
  84     you may use the above mentioned directives to override
  85     the default values. Example:
  86 <br>
  87 <pre>
  88 &lt;Directory /var/apache/htdocs/krb5&gt;
  89         AuthType    GSSAPI
  90         ServiceName HTTP
  91         KeytabFile  /var/apache/http.keytab
  92         GssDebug    0
  93         Require valid-user
  94         AllowOverride All
  95 &lt;/Directory&gt;
  96 </pre>
  97
  98     <p>GSSAPI authentication provides a more secure authentication
  99     system, but only works with supporting browsers. As of this writing
 100     (April 2004), the only major browsers which support digest
 101     authentication are <a href="http://www.mozilla.org">Mozilla 1.7
 102     (and later)</a>, and <a href="http://www.microsoft.com/windows/ie/">MS Internet
 103     Explorer 5.0</a>.
 104
 105     <p>It is recommended that this authentication method be combined
 106     with TLS security (mod_ssl, for example) to further secure the
 107     authentication data being exchanged.
 108
 109     <h2><a id="authgssservicename"
 110     name="authgssservicename">AuthGSSServiceName</a> directive</h2>
 111     <a href="directive-dict.html#Syntax"
 112     rel="Help"><strong>Syntax:</strong></a> AuthGSSServiceName
 113     <em>name</em><br />
 114      <a href="directive-dict.html#Context"
 115     rel="Help"><strong>Context:</strong></a> directory,
 116     .htaccess<br />
 117      <a href="directive-dict.html#Override"
 118     rel="Help"><strong>Override:</strong></a> FileInfo, Indexes, Limit, Options<br />
 119      <a href="directive-dict.html#Status"
 120     rel="Help"><strong>Status:</strong></a> Extension<br />
 121      <a href="directive-dict.html#Module"
 122     rel="Help"><strong>Module:</strong></a> mod_auth_gss
 123
 124     <p>The AuthGSSServiceName directive sets the name of Kerberos service
 125     principal that the server uses to authenticate the client requests.
 126     The name given is appended with the fully qualified host name to
 127     make the complete service principal name. Ex:  <b>HTTP/www.fooc.om</b>
 128     </p>
 129
 130     <h2><a id="authgsskeytabfile"
 131     name="authgsskeytabfile">AuthGSSKeytabFile</a> directive</h2>
 132     <a href="directive-dict.html#Syntax"
 133     rel="Help"><strong>Syntax:</strong></a> AuthGSSKeytabFile
 134     <em>filename</em><br />
 135      <a href="directive-dict.html#Context"
 136     rel="Help"><strong>Context:</strong></a> directory,
 137     .htaccess<br />
 138      <a href="directive-dict.html#Override"
 139     rel="Help"><strong>Override:</strong></a> FileInfo, Indexes, Limit, Options<br />
 140      <a href="directive-dict.html#Status"
 141     rel="Help"><strong>Status:</strong></a> Extension<br />
 142      <a href="directive-dict.html#Module"
 143     rel="Help"><strong>Module:</strong></a> mod_auth_gss
 144
 145     <p>The AuthGSSKeytabFile directive sets the filename of the
 146     file where the Apache server's Kerberos credentials are stored.
 147
 148     <h2><a id="authgssdebug"
 149     name="authgsskeytabfile">AuthGSSDebug</a> directive</h2>
 150     <a href="directive-dict.html#Syntax"
 151     rel="Help"><strong>Syntax:</strong></a> AuthGSSDebug
 152     <em>0 | 1</em><br />
 153      <a href="directive-dict.html#Context"
 154     rel="Help"><strong>Context:</strong></a> directory,
 155     .htaccess<br />
 156      <a href="directive-dict.html#Override"
 157     rel="Help"><strong>Override:</strong></a> FileInfo, Indexes, Limit, Options<br />
 158      <a href="directive-dict.html#Status"
 159     rel="Help"><strong>Status:</strong></a> Extension<br />
 160      <a href="directive-dict.html#Module"
 161     rel="Help"><strong>Module:</strong></a> mod_auth_gss
 162
 163     <p>The AuthGSSDebug directive toggles the debug logging
 164     facility used by the GSSAPI authentication module.  0 disables
 165     debug logging, 1 enables it.
 166
 167         <hr />
 168     <h3 align="CENTER">Apache HTTP Server Version 1.3</h3>
 169     <a href="./"><img src="../images/index.gif" alt="Index" /></a>
 170     <a href="../"><img src="../images/home.gif" alt="Home" /></a>
 171
 172   </body>
 173 </html>
 174