Ok,
I have to ask, does SUN have a kerberized hpptd?
No, the person who posed the question was trying to configure apache to use PAM to perform the authentication via Kerberos. This is NOT the same as having a truly "Kerberized" http daemon.
Having "proper" Kerberos (or GSSAPI) authentication to the web server requires a browser which also supports the authentication protocol and currently, as far as I know, only Microsofts IE supports native GSSAPI authentication and it only works when talking to an IIS web server.
-Wyllys
> I thought they only had the standard network services. I have not seen a reference by either
> SUN, HP, or MIT to a kerberized httpd. Has SUN done any development on web authentication via Kerberos?
I was looking around some of the university sites to see if there was a kerberized web authentication modules available for testing. My impression was that they had been written but nothing publicly available to test.
Dartmouth had publicly available a Kerberos IV module, but I didn't see anything for Kerberos V. CUSSP is a perl5 module from Cornell University that is referenced below. Both of these are well documented and clear, but it doesn't appear to continue into the Kerberos V environment.
excerpt from Dartmouth web site below:....
Kerberos authentication can be invoked from a CGI script.
There are Perl interfaces to do this. The example below shows a CGI that authenticates the user,
then displays the name(s) and information from the
ticket(s) that were generated.
In Perl, you can use the GetK4Ticket function to validate a user. This function is defined in the CUSSP library.
GetK4Ticket is defined as:
($rc, $em, %tckt) = CUSSP::GetK4Ticket("WWW-agent",
"WWW", $cgi->remote_addr(), undef, $ENV{'REMOTE_PORT'});
If anything I have stated in incorrect, I request correction. If there are other resources I should be looking at please indicate.
regards, Ann Adams Computer Architect/SIE Ford Motor Company
-----Original Message----- From: Wyllys Ingersoll [mailto:[EMAIL PROTECTED] Sent: Monday, March 24, 2003 7:50 PM To: Ganesh Cc: [EMAIL PROTECTED] Subject: Re: Configuring kerberos for Solaris
Ganesh wrote:
I'm trying to configure kerberos, to authenticate the users through Web. I've successfully compiled mod_auth_pam.c on Solaris 8 and am able to authenticate the users, if I use pam_unix.so.1 in my pam.conf file. But if I try to authenticate by using pam_krb5.so.1 it fails.
I'm using the pam_krb5.so.1 which is shipped along with solaris2.8.
If you are using the pam_krb5 that shipped with Solaris 2.8 then you also need to be using the SEAM package for Solaris 8 (free download from www.sun.com). If you go that route, I recommend making sure you have all the latest pam_krb5 and SEAM related patches.
If you are determined to stick with the MIT Kerberos libraries and not use the Solaris Kerberos stuff, then you should probably get a different pam_krb5 module (http://www.fcusack.com is one such module).
-Wyllys
A snap shot of my pam.conf file :
# The commented line works fine # httpd auth sufficient /usr/lib/security/$ISA/pam_krb5.so.1 #httpd auth required /usr/lib/security/$ISA/pam_unix.so.1
httpd account sufficient /usr/lib/security/$ISA/pam_krb5.so.1 #httpd account required /usr/lib/security/$ISA/pam_unix.so.1
My /etc/krb5/krb5.conf file ..
[libdefaults] default_realm = INDIA.HP.COM default_tkt_enctypes = DES-CBC-CRC default_tgs_enctypes = DES-CBC-CRC ccache_type = 2
[realms] INDIA.HP.COM = { kdc = nt40239.india.hp.com:88 admin_server = nt40239.india.hp.com:749 default_domain = india.hp.com }
[domain_realm] .india.hp.com = INDIA.HP.COM india.hp.com = INDIA.HP.COM
[logging] kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmin.log default = FILE:/var/log/krb5lib.log
I've also updated the /etc/services file to look into my KDC server.
My kDC server(Linux server) is up and running as I'm able to authenticate the users, with the same KDC if the client is HP-Ux m/c.
Is that I've to make any changes in my krb5.conf file or have to rebuild the pam_krb5.so file ? Please give your inputs!
TIA, Ganesh. ________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
