<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
 <head>
 <meta name="generator" content="HTML Tidy, see www.w3.org" />

 <title>Apache module mod_auth_gss</title>
 </head>
 <!-- Background white, links blue (unvisited), navy (visited), red (active) -->

 <body bgcolor="#FFFFFF" text="#000000" link="#0000FF"
 vlink="#000080" alink="#FF0000">
 <div align="CENTER">
 <img src="/images/sub.gif" alt="[APACHE DOCUMENTATION]" />

 <h3>Apache HTTP Server Version 1.3</h3>
 </div>

 <h1 align="CENTER">Module mod_auth_gss</h1>
 <p>This module provides user authentication using GSSAPI.</p>

 <p><a href="module-dict.html#Status"
 rel="Help"><strong>Status:</strong></a> Extension<br />
 <a href="module-dict.html#SourceFile"
 rel="Help"><strong>Source File:</strong></a> mod_auth_gss.c<br />
 <a href="module-dict.html#ModuleIdentifier"
 rel="Help"><strong>Module Identifier:</strong></a>
 auth_gss_module</p>

 <h2>Summary</h2>

 <p>This module implements GSSAPI authentication using the
 "WWW-Authenticate: Negotiate" protocol. This typically
 requires that both the client and the server system support
 GSSAPI and have a properly configured security mechanism
 (usually Kerberos V5) for GSSAPI to use.</p>

 <h2>Directives</h2>

 <ul>
 <li><a href="#authgssservicename">AuthGSSServiceName</a></li>
 <li><a href="#authgsskeytabfile">AuthGSSKeytabFile</a></li>
 <li><a href="#authgssdebug">AuthGSSDebug</a></li>
 </ul>
 <h2>Using GSSAPI Authentication</h2>

 <p>Before using GSSAPI authentication with Apache, the
 system must already have been configured to use Kerberos V5
 authentication. All of the major Kerberos V5
 implementations (MIT KRB5, Heimdal, Sun, IBM, HP, Microsoft)
 currently support the Kerberos V5 GSSAPI mechanism.
 Configuring Kerberos is beyond the scope of this document.
 Adding GSSAPI authentication support to the web extends
 single sign-on capabilities to the intranet and reduces
 the risks involved in having users constantly enter
 username/password combinations when accessing websites.</p>

 <h3>Configure a Service Principal</h3>
 <p>The default service principal that mod_auth_gss will
 try to use is "HTTP/f.q.d.n". The key for this principal
 must be stored in a keytab file that is readable by the
 Apache server, but it should be protected from access
 by anyone else, and should <b>definitely not</b> be
 stored in an area that can be browsed by clients.</p>

 <p>Example: the Apache server is on host "www.foo.com".
 Create a principal called "HTTP/www.foo.com" and store
 its key in a protected keytab file. Using MIT Kerberos V5
 (the principal must exist before its key can be extracted
 with ktadd):</p>
 <pre>
 $ kadmin
 kadmin> addprinc -randkey HTTP/www.foo.com
 kadmin> ktadd -k /var/apache/http.keytab HTTP/www.foo.com
 kadmin> quit
 </pre>
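 <p>The keytab requirements above (readable only by the server, not
 under the document root, holding the HTTP/f.q.d.n key) can be checked
 from a shell. The script below is an added example, not part of the
 Apache documentation or of mod_auth_gss; the paths, the "apache" user
 and the klist output sample are assumptions.</p>

```shell
#!/bin/sh
# Added example, not part of the Apache documentation or of mod_auth_gss.
# Two checks for the service keytab described above: that the file is
# protected from everyone but the Apache user and is not under the
# document root, and that it actually holds the HTTP/f.q.d.n key.
# Paths, the "apache" user and the klist sample below are assumptions.

# check_keytab_perms KEYTAB APACHE_USER DOCROOT
# Returns 0 if KEYTAB exists, is owned by APACHE_USER, has no group or
# other permission bits, and does not live under DOCROOT; 1 otherwise.
check_keytab_perms() {
    keytab=$1 owner=$2 docroot=$3
    [ -f "$keytab" ] || { echo "no such keytab: $keytab"; return 1; }
    case "$keytab" in
        "$docroot"/*) echo "keytab $keytab is browsable under $docroot"; return 1 ;;
    esac
    # ls -ld prints "<mode> <links> <owner> ..."; the mode string is parsed
    # because the stat(1) flags differ between GNU and BSD systems.
    set -- $(ls -ld "$keytab")
    case "$1" in
        ????------*) ;;   # group and other bits all clear, e.g. -rw-------
        *) echo "keytab $keytab is readable by others: $1"; return 1 ;;
    esac
    [ "$3" = "$owner" ] || { echo "keytab $keytab owned by $3, not $owner"; return 1; }
    return 0
}

# keytab_has_principal LISTING SERVICE FQDN
# LISTING is the output of "klist -kt KEYTAB"; returns 0 if it contains
# a key for SERVICE/FQDN in any realm, 1 otherwise.
keytab_has_principal() {
    printf '%s\n' "$1" | grep -Fq " $2/$3@"
}

# Constructed sample of MIT Kerberos "klist -kt" output for the keytab
# created with the ktadd command above, so the check runs without a KDC.
KLIST_SAMPLE='Keytab name: FILE:/var/apache/http.keytab
KVNO Timestamp           Principal
---- ------------------- --------------------------------------
   3 04/01/2004 10:00:00 HTTP/www.foo.com@FOO.COM'

# On a real server (assumed paths and user):
#   check_keytab_perms /var/apache/http.keytab apache /var/apache/htdocs
#   keytab_has_principal "$(klist -kt /var/apache/http.keytab)" HTTP "$(hostname -f)"
```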

 <p>Once the keys are created and stored, using GSSAPI
 authentication is very simple. Set the authentication
 type for the directories being protected to "GSSAPI".
 If the service name or keytab chosen are not the defaults
 ("HTTP" and "/var/apache/http.keytab", respectively), use
 the directives listed above to override the default values.
 Example:</p>
<pre>
&lt;Directory /var/apache/htdocs/krb5&gt;
 AuthType GSSAPI
 AuthGSSServiceName HTTP
 AuthGSSKeytabFile /var/apache/http.keytab
 AuthGSSDebug 0
 Require valid-user
 AllowOverride All
&lt;/Directory&gt;
</pre>

 <p>GSSAPI authentication provides a more secure authentication
 system, but only works with supporting browsers. As of this writing
 (April 2004), the only major browsers which support it
 are <a href="http://www.mozilla.org">Mozilla 1.7
 (and later)</a> and <a href="http://www.microsoft.com/windows/ie/">MS Internet
 Explorer 5.0</a>.</p>

 <p>It is recommended that this authentication method be combined
 with TLS security (mod_ssl, for example) to further protect the
 authentication data being exchanged.</p>

 <h2><a id="authgssservicename"
 name="authgssservicename">AuthGSSServiceName</a> directive</h2>
 <a href="directive-dict.html#Syntax"
 rel="Help"><strong>Syntax:</strong></a> AuthGSSServiceName
 <em>name</em><br />
 <a href="directive-dict.html#Context"
 rel="Help"><strong>Context:</strong></a> directory,
 .htaccess<br />
 <a href="directive-dict.html#Override"
 rel="Help"><strong>Override:</strong></a> FileInfo, Indexes, Limit, Options<br />
 <a href="directive-dict.html#Status"
 rel="Help"><strong>Status:</strong></a> Extension<br />
 <a href="directive-dict.html#Module"
 rel="Help"><strong>Module:</strong></a> mod_auth_gss

 <p>The AuthGSSServiceName directive sets the name of the Kerberos service
 principal that the server uses to authenticate client requests.
 The server's fully qualified host name is appended to the name given
 to form the complete service principal name. Ex: <b>HTTP/www.foo.com</b>
 </p>

 <h2><a id="authgsskeytabfile"
 name="authgsskeytabfile">AuthGSSKeytabFile</a> directive</h2>
 <a href="directive-dict.html#Syntax"
 rel="Help"><strong>Syntax:</strong></a> AuthGSSKeytabFile
 <em>filename</em><br />
 <a href="directive-dict.html#Context"
 rel="Help"><strong>Context:</strong></a> directory,
 .htaccess<br />
 <a href="directive-dict.html#Override"
 rel="Help"><strong>Override:</strong></a> FileInfo, Indexes, Limit, Options<br />
 <a href="directive-dict.html#Status"
 rel="Help"><strong>Status:</strong></a> Extension<br />
 <a href="directive-dict.html#Module"
 rel="Help"><strong>Module:</strong></a> mod_auth_gss

 <p>The AuthGSSKeytabFile directive sets the name of the
 file in which the Apache server's Kerberos credentials are stored.</p>

 <h2><a id="authgssdebug"
 name="authgssdebug">AuthGSSDebug</a> directive</h2>
 <a href="directive-dict.html#Syntax"
 rel="Help"><strong>Syntax:</strong></a> AuthGSSDebug
 <em>0 | 1</em><br />
 <a href="directive-dict.html#Context"
 rel="Help"><strong>Context:</strong></a> directory,
 .htaccess<br />
 <a href="directive-dict.html#Override"
 rel="Help"><strong>Override:</strong></a> FileInfo, Indexes, Limit, Options<br />
 <a href="directive-dict.html#Status"
 rel="Help"><strong>Status:</strong></a> Extension<br />
 <a href="directive-dict.html#Module"
 rel="Help"><strong>Module:</strong></a> mod_auth_gss

 <p>The AuthGSSDebug directive toggles the debug logging
 facility used by the GSSAPI authentication module. 0 disables
 debug logging, 1 enables it.</p>

 <hr />

 </body>
</html>