This module provides for user authentication using GSSAPI Authentication.
Status: Extension
Source File: mod_auth_gss.c
Module Identifier: auth_gss_module
This module implements GSSAPI authentication using the "WWW-Authenticate: Negotiate" protocol. This typically requires the client and the server systems to have support for GSSAPI and a properly configured security mechanism (usually Kerberos V5) to be used by GSSAPI.
Before using GSSAPI authentication with Apache, the system must already have been configured to use Kerberos V5 authentication. All of the major Kerberos V5 implementations (MIT KRB5, Heimdal, Sun, IBM, HP, Microsoft) currently support the Kerberos V5 GSSAPI mechanism. Configuring Kerberos is beyond the scope of this document. Adding GSSAPI authentication support to the web server extends single sign-on capabilities to the intranet and reduces the risks involved in having users constantly enter username/password combinations when accessing websites.
The default service principal that mod_auth_gss will try to use is "HTTP/f.q.d.n". The key for this principal must be stored in a keytab file that is readable by the Apache server, but it should be protected from access by anyone else, and should definitely not be stored in an area that can be browsed by clients.
Example: the Apache server is on host "www.foo.com".

1. Create a principal called "HTTP/www.foo.com".
2. Store the key for this principal in a protected keytab file. Using MIT Kerberos V5:

    $ kadmin
    kadmin> ktadd -k /var/apache/http.keytab HTTP/www.foo.com
    kadmin> quit
Once the keys are created and stored, using GSSAPI authentication is very simple. Set the authentication type for the directories being protected to "GSSAPI". If the service name or keytab chosen is not the default ("HTTP" and "/var/apache/http.keytab", respectively), use the AuthGSSServiceName and AuthGSSKeytabFile directives described below to override the default values. Example:
    <Directory /var/apache/htdocs/krb5>
        AuthType GSSAPI
        AuthGSSServiceName HTTP
        AuthGSSKeytabFile /var/apache/http.keytab
        AuthGSSDebug 0
        Require valid-user
        AllowOverride All
    </Directory>
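The keytab requirements stated above (readable by the Apache server, protected from everyone else, never stored where clients can browse it) can be verified before the server is started. The following is an added example and not part of the module or its documentation; it assumes the Apache run user name and the DocumentRoot path are passed as arguments.

```shell
#!/bin/sh
# check_keytab KEYTAB APACHE_USER DOCROOT
# Verifies that the service keytab is owned by the Apache run user, carries
# no group/other permission bits, and does not live under DocumentRoot.
# Prints each finding and returns 0 only when every check passes.
check_keytab() {
    keytab=$1; apache_user=$2; docroot=$3; rc=0

    if [ ! -f "$keytab" ]; then
        echo "FAIL: keytab $keytab does not exist"; return 1
    fi

    # Owner and permission string come from ls(1), which is POSIX-portable.
    owner=$(ls -ld "$keytab" | awk '{print $3}')
    go_bits=$(ls -ld "$keytab" | awk '{print substr($1, 5, 6)}')

    # The server must be able to read the key, so the run user owns the file.
    if [ "$owner" != "$apache_user" ]; then
        echo "FAIL: keytab owned by '$owner', expected '$apache_user'"; rc=1
    fi

    # Group and other bits must all be clear (mode 0600 or 0400).
    if [ "$go_bits" != "------" ]; then
        echo "FAIL: keytab has group/other permissions ($go_bits)"; rc=1
    fi

    # Resolve both directories to canonical paths and make sure the keytab's
    # directory is not DocumentRoot or anything beneath it.
    kt_dir=$(cd "$(dirname "$keytab")" && pwd -P)
    dr=$(cd "$docroot" 2>/dev/null && pwd -P) || dr=""
    if [ -n "$dr" ]; then
        case "$kt_dir/" in
            "$dr/"*) echo "FAIL: keytab is inside DocumentRoot $dr"; rc=1 ;;
        esac
    fi

    [ "$rc" -eq 0 ] && echo "OK: $keytab"
    return $rc
}

# Run directly when invoked with the three arguments, e.g.
#   sh check_keytab.sh /var/apache/http.keytab webservd /var/apache/htdocs
if [ $# -eq 3 ]; then
    check_keytab "$@"
fi
```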
GSSAPI authentication provides a more secure authentication system, but only works with supporting browsers. As of this writing (April 2004), the only major browsers which support digest authentication are Mozilla 1.7 (and later), and MS Internet Explorer 5.0.
It is recommended that this authentication method be combined with TLS security (mod_ssl, for example) to further secure the authentication data being exchanged.
The AuthGSSServiceName directive sets the name of the Kerberos service principal that the server uses to authenticate client requests. The name given is appended with the fully qualified host name to make the complete service principal name. Ex: HTTP/www.foo.com
The AuthGSSKeytabFile directive sets the filename of the file where the Apache server's Kerberos credentials are stored.
The AuthGSSDebug directive toggles the debug logging facility used by the GSSAPI authentication module. 0 disables debug logging, 1 enables it.