Continuing the previous post, today's entry is dedicated to integrating the mod_auth_gss module into an Apache 2.4 web server on a Solaris 10 box. If you remember, the MIT Kerberos implementation bundled in Solaris 10 is version 1.4.0, but modified, and, besides, the exposed API is restricted. For that reason the typical Apache module for handling Kerberos authentication (mod_auth_kerb) cannot be used in a straightforward way. According to an entry about this subject in the Oracle blogs, only two options are available: compiling your own Kerberos implementation (and then configuring mod_auth_kerb against it), or compiling a special mod_auth_gss module developed by Sun to work with the Solaris implementation. The previous entry was dedicated to the former option and this one continues with the latter.
mod_auth_gss is an authentication module for Apache based on SPNEGO and GSSAPI. While mod_auth_kerb uses Kerberos directly, this module works at an upper layer. GSSAPI is a security interface that supports different underlying mechanisms, but in practice the dominant GSSAPI mechanism in use is Kerberos. In my humble opinion GSSAPI is the reason Solaris hides the Kerberos API: at that time the Solaris engineers preferred GSSAPI (which is standardized) over Kerberos (whose API has never been standardized, so the various implementations expose different APIs). The mod_auth_gss module is bundled with the Apache 2.2 that Solaris 10 provides by default (it is placed in the /usr/apache2/libexec directory).
Knowing this, the new module seems a more appropriate solution on a Solaris / Apache box, so it is going to be added to the installation that was set up in the previous entry.
The module can be retrieved from its web page.
wget https://kenai.com/projects/mod-auth-gss/downloads/download/mod_auth_gss.c
If you try to compile it following its instructions it fails (actually it compiles with warnings, but then it crashes the Apache process). The reason is simple: it is written for Apache 2.2, not 2.4 (remember that the new Apache 2.4.9 is being used throughout this series). It seems that the log_rerror function now needs more parameters (if you check the patch provided in the previous post by the PLD Linux distribution for mod_auth_kerb, a few lines were changed for this same reason). So I repeated those changes to obtain a little patch (mod_auth_gss_apache24.patch).
gpatch -p1 mod_auth_gss.c < mod_auth_gss_apache24.patch
Now you can safely compile the module and install it in the modules directory.
/export/home/ricky/httpd/bin/apxs -S CC=gcc -l gss -c mod_auth_gss.c
cp .libs/mod_auth_gss.so /export/home/ricky/httpd/modules/
Finally, I configured the module by reusing some items created in the previous entry. First, the same krb5.conf file is used, but now it has to be placed in the default Solaris location.
cp /export/home/ricky/httpd/etc/krb5.conf /etc/krb5/krb5.conf
The httpd.conf is modified to load the new module too.
LoadModule auth_gss_module modules/mod_auth_gss.so
And the secured location was changed to use the new module's parameters (reusing the keytab from the previous entry) instead of the previous mod_auth_kerb ones.
<Location /secured>
    AuthType GSSAPI
    AuthGSSServiceName HTTP
    AuthGSSKeytabFile /export/home/ricky/httpd/conf/httpd.keytab
    AuthGSSForceCase upper
    AuthGSSDebug Off
    require valid-user
</Location>
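Before restarting httpd it is worth checking the three things that most often break a setup like this one: that the keytab really holds a key for the service principal mod_auth_gss will look up (AuthGSSServiceName plus the server's canonical host name), that the secured location actually answers with a Negotiate challenge, and that the Location block carries every directive it needs. The script below is an added example written for this post, not code from the module or from the original entry. Its functions read text on stdin so they can be fed real command output on the Solaris box or the constructed samples embedded at the bottom; the host name www.example.test, the realm EXAMPLE.TEST and the use of uname -n as the canonical name are assumptions for the sample, not values from the post.

```shell
#!/bin/sh
# Added example, not part of the original post: POSIX sh sanity checks for
# the mod_auth_gss setup described above. Each function reads text on stdin
# so it can be fed real command output (klist -k, curl -I, the httpd.conf
# Location block) or the constructed samples at the bottom of this file.
# On Solaris 10 use /usr/xpg4/bin/grep and nawk (AWK=nawk) for full POSIX
# support; the old /usr/bin/awk lacks tolower().
AWK=${AWK:-awk}

# Succeeds when the keytab listing on stdin holds a key for SERVICE/HOST.
# mod_auth_gss acquires credentials for <AuthGSSServiceName>/<fqdn>@REALM,
# so a keytab cut for another host name (or the wrong case) is the usual
# cause of an endless 401. Real use on the box (assumed host name source):
#   klist -k /export/home/ricky/httpd/conf/httpd.keytab \
#       | keytab_has_principal HTTP "$(uname -n)"
keytab_has_principal() {
    grep -q "[[:space:]]$1/$2@"
}

# Succeeds when the HTTP response headers on stdin are a 401 that offers
# SPNEGO ("WWW-Authenticate: Negotiate"); without that challenge the browser
# never sends the Kerberos ticket. Real use:
#   curl -sI http://server/secured/ | negotiate_offered
negotiate_offered() {
    $AWK 'BEGIN { st = 0; neg = 0 }
          { sub(/\r$/, "") }              # tolerate CRLF line endings from curl -I
          NR == 1 && $2 == "401" { st = 1 }
          tolower($1) == "www-authenticate:" && tolower($2) == "negotiate" { neg = 1 }
          END { exit !(st && neg) }'
}

# Succeeds when the Location block on stdin carries every directive the
# post relies on; otherwise lists the missing ones on stderr and fails.
location_block_complete() {
    conf=$(cat)
    missing=""
    for d in "AuthType GSSAPI" "AuthGSSServiceName" "AuthGSSKeytabFile" "require valid-user"; do
        printf '%s\n' "$conf" | grep -iq "^[[:space:]]*$d" || missing="$missing $d"
    done
    [ -z "$missing" ] && return 0
    echo "mod_auth_gss: missing directive(s):$missing" >&2
    return 1
}

# Constructed sample inputs (not real output from the post's machine).
SAMPLE_KLIST='Keytab name: FILE:/export/home/ricky/httpd/conf/httpd.keytab
KVNO Principal
---- ------------------------------------------------
   3 HTTP/www.example.test@EXAMPLE.TEST'

SAMPLE_401='HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate
Content-Type: text/html'

SAMPLE_LOCATION='<Location /secured>
    AuthType GSSAPI
    AuthGSSServiceName HTTP
    AuthGSSKeytabFile /export/home/ricky/httpd/conf/httpd.keytab
    require valid-user
</Location>'

# Runs all three checks against the samples; exit status 0 means all passed.
run_sample_checks() {
    printf '%s\n' "$SAMPLE_KLIST" | keytab_has_principal HTTP www.example.test &&
    printf '%s\n' "$SAMPLE_401" | negotiate_offered &&
    printf '%s\n' "$SAMPLE_LOCATION" | location_block_complete
}
```

The keytab check is deliberately case-sensitive: the principal in the keytab must match the name mod_auth_gss builds from the host name, which is exactly the situation AuthGSSForceCase exists for on the client side, so a mismatch here is a real finding rather than noise.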
And it works well too. If you open the login.pl CGI, the user logged in on the Windows 8.1 box is shown. Below is a video showing what I have just described. Remember that the AJP protocol (the protocol that joins Apache with JavaEE servers such as Glassfish or Tomcat) can pass this user to the underlying JavaEE server in order to propagate the logged-in user to the application (see the tomcatAuthentication property). Therefore authentication can be delegated from the JavaEE layer to the web layer. Obviously a lot of features, like group management, are lost, but for some cases it could be a much simpler solution.
As a summary, this entry implements exactly the same as the previous one (the integration of Kerberos into an Apache Web Server 2.4 on a Solaris 10 box), but using the Solaris-specific mod_auth_gss module. This module uses the standard GSSAPI instead of a specific Kerberos API and seems to be the better solution on a Solaris box (bear in mind that this module is installed by default in the Apache 2.2 that Solaris bundles). I have just realized that, although Kerberos is quite unknown to me, a lot of entries in this blog talk about it.
Kerberized regards!