Kerberos v4 NSAPI module

Author: Dug Song <dugsong@UMICH.EDU>
Win32 port: Nathan Binkert <binkertn@UMICH.EDU>
DO NOT USE! THIS SOFTWARE IS NO LONGER BEING SUPPORTED!

Overview

The Umich Kerberos v4 NSAPI module for the Netscape Enterprise / FastTrack server is basically a straight port of the Kerberos v4 module for Apache/Stronghold, meant to work with our Kerberos v4 Netscape plug-in. See the Apache module page for more information.

Installation

You will need:
krb4-nsapi-mod.tgz distribution
Netscape Enterprise or FastTrack server
Kerberos v4 distribution (MIT, Cygnus, KTH, etc.)
AFS distribution (optional)

Untar the krb4-nsapi-mod.tgz distribution and edit the Makefile to reflect the location of your Kerberos (and optionally, AFS) installations. If you aren't building with AFS, comment out the AFS definitions.

Now run make, and move the resulting krb4_auth.so NSAPI module and acltest program into your Netscape server binary directory (usually /usr/ns-home/bin/https).

Configuration

Time to edit your server configuration files (usually in /usr/ns-home/https-hostname/config). Add the following line to your obj.conf file, after the other Init definitions, to direct the server to load the Kerberos v4 functions:

Init fn="load-modules" shlib="/path/krb4_auth.so" \
funcs="krb4_auth_check,krb4_path_check,krb4_service_reply"

Add the following protected object definitions to the end of the obj.conf. Be sure to customize the parameters - the arguments to the Kerberos v4 server application functions are equivalent to the Apache module's KerberosV4 directives:

<Object name="krb4cgi">
ObjectType fn="force-type" type="magnus-internal/cgi"
AuthTrans fn="krb4_auth_check" srvtab="/usr/local/www/srvtab.www" principal="www.lukyduk@UMICH.EDU" requires_ssl="on"
PathCheck fn="krb4_path_check" enforce_hmac="off"
Service fn="krb4_service_reply" method="(GET|HEAD|POST)" principal="www.lukyduk@UMICH.EDU" allow_client_caching="off" error_document="/usr/ns-home/docs/denial.html"
Service fn="send-cgi"
</Object>

<Object name="krb4">
AuthTrans fn="krb4_auth_check" srvtab="/usr/local/www/srvtab.www" principal="www.lukyduk@UMICH.EDU" requires_ssl="on"
PathCheck fn="krb4_path_check" enforce_hmac="off"
Service fn="krb4_service_reply" method="(GET|HEAD|POST)" principal="www.lukyduk@UMICH.EDU" allow_client_caching="off" error_document="/usr/ns-home/docs/denial.html"
Service fn="imagemap" method="(GET|HEAD)" type="magnus-internal/imagemap"
Service fn="index-common" method="(GET|HEAD)" type="magnus-internal/directory"
Service fn="send-cgi" type="magnus-internal/cgi"
Service fn="send-file" method="(GET|HEAD)" type="*~magnus-internal/*"
AddLog fn="flex-log" name="access"
</Object>

For each directory you wish to protect, add a line within the default object definition that looks like:

NameTrans fn="pfx2dir" from="/dir-to-protect" dir="/usr/ns-home/docs/dir-to-protect" name="krb4-obj-type"

where dir-to-protect is the directory you wish to protect, and krb4-obj-type is either krb4 or krb4cgi, for regular document trees or CGI directories respectively.

See the Netscape Technical Support site for more info on other server configuration options.
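The following is an added audit script, not part of the module or its distribution. It parses obj.conf fragments in the syntax shown above and reports every krb4 directive whose parameter is not at its stricter value; it assumes, from the parameter names and the Operation section, that requires_ssl, enforce_hmac and allow_client_caching control SSL-only ticket delivery, request-URL HMAC verification and caching of protected pages respectively.

```python
import re
# obj.conf syntax as shown on the page: Directive key="value" ... inside <Object name="..."> blocks
_PARAM = re.compile(r'(\w+)="([^"]*)"')

def parse_obj_conf(text):
    # returns {object_name: [(directive, {param: value}), ...]}; directives outside objects are ignored
    objects, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):                # backslash continuation, as in the Init line
            pending = line[:-1] + " "
            continue
        pending = ""
        if line.startswith("<Object"):
            current = dict(_PARAM.findall(line)).get("name")
            objects[current] = []
        elif line == "</Object>":
            current = None
        elif line and not line.startswith("#") and current is not None:
            objects[current].append((line.split(None, 1)[0], dict(_PARAM.findall(line))))
    return objects

# (fn, parameter, strict value): semantics assumed from the parameter names and the Operation section
SAFE = [("krb4_auth_check", "requires_ssl", "on"),              # ticket cookie only over SSL
        ("krb4_path_check", "enforce_hmac", "on"),              # verify the request-URL HMAC
        ("krb4_service_reply", "allow_client_caching", "off")]  # no caching of protected pages

def audit(objects):
    # returns (object, fn, parameter, actual value) for every krb4 directive off the strict value
    findings = []
    for name, directives in objects.items():
        for _directive, p in directives:
            for fn, param, strict in SAFE:
                if p.get("fn") == fn and p.get(param) != strict:
                    findings.append((name, fn, param, p.get(param)))
    return findings

# Constructed sample: the page's krb4 object plus a deliberately weakened krb4cgi object
SAMPLE_OBJ_CONF = '''
<Object name="krb4cgi">
AuthTrans fn="krb4_auth_check" srvtab="/usr/local/www/srvtab.www" principal="www.lukyduk@UMICH.EDU" requires_ssl="off"
Service fn="krb4_service_reply" method="(GET|HEAD|POST)" principal="www.lukyduk@UMICH.EDU" allow_client_caching="on"
</Object>
<Object name="krb4">
AuthTrans fn="krb4_auth_check" srvtab="/usr/local/www/srvtab.www" principal="www.lukyduk@UMICH.EDU" requires_ssl="on"
PathCheck fn="krb4_path_check" enforce_hmac="off"
Service fn="krb4_service_reply" method="(GET|HEAD|POST)" principal="www.lukyduk@UMICH.EDU" allow_client_caching="off"
</Object>
'''
```

Running audit(parse_obj_conf(SAMPLE_OBJ_CONF)) reports requires_ssl and allow_client_caching on krb4cgi and enforce_hmac on krb4, which is the one weaker setting the page's own configuration carries.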

Operation

The name of the Kerberos-authenticated client principal will appear in your access log messages, and will be set as auth-user in rq->vars for all other NSAPI modules. Because of bogus 401 status handling by some lame commercial browsers, failed authentication attempts are noted in the access_log with status 400 instead of 401.

In CGI programs, the name of the Kerberos-authenticated client principal will be set as the environment variable REMOTE_USER, "KerberosV4" will be set as AUTH_TYPE, and the authentication response itself (base-64 encoded service ticket and HMAC-MD5 on the request-URL) will be set as HTTP_COOKIE. Refer to Dave Snyder's KLP C libraries or Jeff Horwitz's Kerberos v4 Perl library for routines to make use of the auth response directly from your CGI programs.


dugsong / dugsong@umich.edu / mtime: