Adams, Ann (A.M.) wrote:
Ok,

I have to ask, does SUN have a kerberized httpd?

No, the person who posed the question was trying to configure apache to use PAM to perform the authentication via Kerberos. This is NOT the same as having a truly "Kerberized" http daemon.

Having "proper" Kerberos (or GSSAPI) authentication to the web server requires
a browser which also supports the authentication protocol and currently, as far as I
know, only Microsoft's IE supports native GSSAPI authentication and it only works
when talking to an IIS web server.

-Wyllys

> I thought they only had the standard network services. I have not seen a reference by either
> SUN, HP, or MIT to a kerberized httpd. Has SUN done any development on web authentication via Kerberos?

I was looking around some of the university sites to see if there were any kerberized web authentication modules available for testing. My impression was that they had been written but nothing publicly available to test.


Dartmouth had publicly available a Kerberos IV module, but I didn't see anything for Kerberos V. CUSSP is a perl5 module from Cornell University that is referenced below. Both of these are well documented and clear, but it doesn't appear to continue into the Kerberos V environment.

excerpt from Dartmouth web site below:....
Kerberos authentication can be invoked from a CGI script.
There are Perl interfaces to do this. The example below shows a CGI that authenticates the user,
then displays the name(s) and information from the
ticket(s) that were generated.


In Perl, you can use the GetK4Ticket function to validate a user.
This function is defined in the CUSSP library.

GetK4Ticket is defined as:
($rc, $em, %tckt) = CUSSP::GetK4Ticket("WWW-agent",
"WWW", $cgi->remote_addr(), undef, $ENV{'REMOTE_PORT'});



If anything I have stated is incorrect, I request correction. If there are other resources I should be looking at, please indicate.



regards, Ann Adams Computer Architect/SIE Ford Motor Company



-----Original Message-----
From: Wyllys Ingersoll [mailto:[EMAIL PROTECTED]
Sent: Monday, March 24, 2003 7:50 PM
To: Ganesh
Cc: [EMAIL PROTECTED]
Subject: Re: Configuring kerberos for Solaris


Ganesh wrote:


I'm trying to configure kerberos, to authenticate the
users through Web. I've successfully compiled
mod_auth_pam.c on Solaris 8 and am able to authenticate
the users, if I use pam_unix.so.1 in my pam.conf file.
But if I try to authenticate by using pam_krb5.so.1
it fails.

I'm using the pam_krb5.so.1 which is shipped along with Solaris 2.8.


If you are using the pam_krb5 that shipped with Solaris 2.8 then you
also need to be using the SEAM package for Solaris 8 (free download
from www.sun.com).   If you go that route, I recommend making sure
you have all the latest pam_krb5 and SEAM related patches.

If you are determined to stick with the MIT Kerberos libraries and not
use the Solaris Kerberos stuff, then you should probably get a different
pam_krb5 module (http://www.fcusack.com is one such module).

-Wyllys


A snapshot of my pam.conf file:

# The commented line works fine
#
httpd   auth sufficient   /usr/lib/security/$ISA/pam_krb5.so.1
#httpd   auth required   /usr/lib/security/$ISA/pam_unix.so.1

httpd   account  sufficient     /usr/lib/security/$ISA/pam_krb5.so.1
#httpd   account required       /usr/lib/security/$ISA/pam_unix.so.1

My /etc/krb5/krb5.conf file ..

[libdefaults]
  default_realm = INDIA.HP.COM
  default_tkt_enctypes = DES-CBC-CRC
  default_tgs_enctypes = DES-CBC-CRC
  ccache_type = 2

[realms]
  INDIA.HP.COM = {
     kdc = nt40239.india.hp.com:88
     admin_server = nt40239.india.hp.com:749
     default_domain = india.hp.com
}

[domain_realm]
.india.hp.com = INDIA.HP.COM
india.hp.com = INDIA.HP.COM

[logging]
       kdc = FILE:/var/log/krb5kdc.log
       admin_server = FILE:/var/log/kadmin.log
       default = FILE:/var/log/krb5lib.log

I've also updated the /etc/services file to look into my
KDC server.

My KDC server (Linux server) is up and running, as I'm able to authenticate the users with the same KDC if the client is an HP-UX m/c.

Do I have to make any changes in my krb5.conf file or
have to rebuild the pam_krb5.so file? Please give your
inputs!

TIA,
Ganesh.
________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos


