Kerberos v4 Apache module

Author: Dug Song <dugsong@UMICH.EDU>
DO NOT USE! THIS SOFTWARE IS NO LONGER BEING SUPPORTED!

Overview

The Umich Kerberos v4 Apache server module provides support for Kerberos v4 authentication and optional AFS PTS or filesystem ACL authorization, with or without SSL. Along with the Umich Kerberos v4 Netscape plug-in and Kerberos v4 patch for lynx, this module provides a password-free solution to the problem of Kerberized web authentication. A Kerberos v4 Netscape NSAPI server module is also available.

Protocol

The protocol implemented is an extension of the Kerberos v4 auth support originally in NCSA Mosaic/lynx, but with the addition of an HMAC-MD5 on the requested URL. Without this, sending the ticket alone and returning a plaintext page over an unencrypted link is as bad as sending a plaintext password (although the ticket is time-expired). To provide additional security, the entire transaction is optionally encrypted via SSL. Only the client is Kerberos-authenticated to the server; the server is authenticated to the client via the standard SSL server certificate verification mechanism (which doesn't leverage off Kerberos, but is ostensibly robust enough for financial transactions via the web). Caveat user.

Client -> Server: unauthenticated request
Server -> Client: auth challenge (specify Kerberos v4)
Client -> Server: auth response (request+ticket+HMAC-MD5)
Server -> Client: protected page

The full details can be had here. We can only hope for widespread adoption of Kerberized TLS in the future, to obviate the need for such kludging around as this (I've added Kerberos v4 support to the Netscape SSLref implementation; expect to see a generic server proxy and local client proxy soon!).

Installation

You will need:
mod_auth_krb4.c source file
Apache (or Stronghold, or Apache-SSL) distribution (tested against versions 1.2.1 and 2.0)
Kerberos v4 distribution (MIT, Cygnus, KTH, etc.)
AFS distribution (optional)

Step 1

For Apache: Unpack the Apache distribution and copy this module (mod_auth_krb4.c) into the src directory. Apply this patch to the Configuration file. If building for Apache-SSL, get rid of -ldes from KRB4LIB in the patched Configuration file, and make sure the SSL_LIBS come after the AFS and Kerberos libs in LIBS in the Makefile.tmpl after applying the SSLpatch - it should be in the make target for httpsd.

For Stronghold: Unpack the Stronghold distribution for your platform (e.g. stronghold-2.0-platform.tar.gz) and copy this module (mod_auth_krb4.c) into the apache directory. Now create the following symlinks:

cd stronghold-2.0/apache
ln -s ../serv-root/dist/Configuration .
ln -s ../binary/platform/obj/libmodssl.a .
ln -s ../binary/platform/obj/libfcgi.a .
cd ..
ln -s binary/platform/ssl ssl

And apply this patch to the Configuration file.

Step 2

Substitute the correct paths to your Kerberos v4 and AFS installations in the patched Configuration file. Add -lc /usr/ucblib/libucb.a to the end of AFSLIB if you're building on Solaris.

Now run the Configure script, which should produce a sane Makefile. Run make. Everything should have built correctly. If not, fix it. For Apache, you can now do a make install. For Stronghold,
cp httpsd ../binary/platform/httpsd and run INSTALL.sh

Step 3

Make sure you have a valid srvtab for the principal you specify (see below), and that the srvtab file is readable by the httpd server (usually runs as nobody). You should create a new service principal and srvtab just for your server, ex. www.lukyduk@UMICH.EDU in /usr/local/www/srvtab.www. If you see lots of krb_rd_req() messages in your error_log, check for bad permissions on the srvtab file or a bogus srvtab entry.

Step 4

Add the following lines to your httpd.conf, substituting the real name and location of your server's Kerberos principal and srvtab. Make sure the srvtab is readable by the httpd process (usually runs as nobody). 

# Kerberos v4 authentication support
KerberosV4Principal www.lukyduk@UMICH.EDU
KerberosV4Srvtab /usr/local/www/srvtab.www

BrowserMatch Mozilla use_kerberos_plugin
BrowserMatch Win windows_netscape_bogosity
AddType application/x-kerberos4-mime krb4

Configuration

To enforce Kerberos v4 authentication (and optionally, AFS PTS / filesystem ACL authorization) for access to a URL, you need to have the appropriate AuthType and require lines in either your server config files or in a .htaccess file in the directory being protected (for .htaccess files to work, you need at least AllowOverride AuthConfig in your server config files). For example, to protect all URLs in /www/private, have 

in /www/private/.htaccess:

AuthType KerberosV4
require user dugsong
require group itd.gpcc

  or in /www/conf/httpd.conf:

  <Directory /www/private>
  AuthType KerberosV4
  require user dugsong
  require group itd.gpcc
  </Directory>
All the standard authorization directives still apply (e.g. allow, deny, order, <Limit>, etc., although the following require directives change meaning:

require valid-user specifies any user in the local realm.

require user [users...] specifies a list of Kerberos principal names.

and if compiled with AFS support,

require group [groups...] specifies a list of AFS PTS groups.

require afs-acl-check specifies that authorization for the authenticated user will be based on the existing AFS filesystem ACLs for the directory of the requested document. The HTTP server needs to have rl (read, lookup) permissions on the directory (your server can have an AFS token via reauth - see /afs/transarc.com/public/afs-contrib/tools/reauth for more info). If the directory isn't in AFS and this is enabled, the user will always be allowed.

In addition, the following Kerberos authentication directives may appear anywhere in server configuration files or .htaccess (except for KerberosV4Principal and KerberosV4Srvtab, which can only be in the server config files). They are allowed within <Directory> or <VirtualHost] directives, so that document trees on the same server may be protected under different Kerberos realms or be restricted under different security policies:

KerberosV4Principal [service.host@REALM] specifies the Kerberos v4 service principal the client should present tickets for. Required.

KerberosV4Srvtab [/path/to/srvtab] specifies the Kerberos v4 srvtab file to use. This file should be readable by the httpd uid. Required.

KerberosV4ErrorDocument [/path/to/page.html] specifies the document that should be returned to clients upon authentication failure. This document should NOT have the terminating </BODY> and </HTML> end tags - this is to allow for the addition of an error message by the server. If not specified, server uses compiled-in default. Optional.

KerberosV4EnforceHMAC [on|off] specifies that the server will require a valid HMAC on the requested URL; this is STRONGLY recommended if building without SSL support. Enforcing a correct HMAC will require protected inlined images in a restricted page to be in the same directory as that page, however. Default is off. Optional.

KerberosV4PluginVersion [version number] specifies the minimum client plug-in version to accept requests from; otherwise, prompt the user to upgrade to the latest plug-in version. Default is off. Optional.

KerberosV4RequiresSSL [on|off] (only for Stronghold/Apache-SSL) specifies that the server will only accept Kerberos v4 authentication for protected pages over SSL; unencrypted connections will be refused authorization. Recommended setting is on. Default is off. Optional.

AllowClientCaching [on|off] specifies whether or not the server will send back "Pragma: no-cache" and "Cache-Control: no-cache" directives to prevent the client from caching protected documents. Default is off, but it may be useful to turn on within image directories, etc. Optional.

Operation

The name of the Kerberos-authenticated client principal will appear in your access_log messages, and will be set as r->connection->user for all other Apache modules. Because of bogus 401 status handling by some lame commercial browsers, failed authentication attempts are noted in the access_log with status 400 instead of 401.

In CGI programs, the name of the Kerberos-authenticated client principal will be set as the environment variable REMOTE_USER, "KerberosV4" will be set as AUTH_TYPE, and the authentication response itself (base-64 encoded service ticket and HMAC-MD5 on the request-URL) will be set as HTTP_COOKIE. Refer to Dave Snyder's KLP C libraries or Jeff Horwitz's Kerberos v4 Perl library for routines to make use of the auth response directly from your CGI programs.

References

[1] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., and Berners-Lee, T. "Hypertext Transfer Protocol -- HTTP 1.1", RFC 2068, DEC, MIT/LCS, January 1997.

[2] Franks, J., Hallam-Baker, P., Hostetler, J., Leach, P., Luotonen, A., Sink, E., Stewart, L. "An Extension to HTTP : Digest Access Authentication", RFC 2069, Northwestern U., Spyglass, Microsoft, Netscape, Open Market, January 1997

[3] Freed, N., Borenstein, N. "Multipurpose Internet Mail Extensions", RFC 2045, Innosoft, First Virtual, November 1996.

[4] Kristol, D., Montulli, L. "HTTP State Management Mechanism", RFC 2109, Bell Laboratories, Lucent Technologies, Netscape, February 1997.

[5] Krawczyk, H., Bellare, M., Canetti, R. "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, IBM, UCSD, February 1997.

[6] Netscape Communications' persistent client state HTTP cookies spec.

Related work

Kerberos v4 NSAPI Module - the matching Netscape Enterprise server module port.

Kerberos v4 Web Authentication Plug-in - our corresponding client plug-in for Netscape.

Kerberos v4 patch for lynx - my patch to the lynx client to work with this server.

CUKerb - the modifications done at Columbia University to add Kerberos v4 support to NCSA httpd, Mosaic, and lynx.

Project Mandarin - OOB Kerberos web authentication from the Mandarin Consortium (MIT, Cornell, etc.).

Project Minotaur - a very similar Netscape plug-in / Netscape server Kerberos v4 project at CMU.

KLP (Kerberos Local Proxy) - a DCEWeb-based Kerberos v4 local proxy implementation done here by Bob Riddle.

dugsong / dugsong@umich.edu / mtime: