Chapter 6. Configuration example for Kerberos authentication with mod_auth_kerb

You can configure Kerberos authentication with the JBoss Core Services Apache HTTP Server and the mod_auth_kerb module on Red Hat Enterprise Linux.

When you want to configure Kerberos authentication, you must perform the tasks described in the following sections:

6.1. Prerequisites

  • You have installed the curl command-line utility with support for Generic Security Services (GSS) Negotiate authentication.
  • You have configured and run a Kerberos or LDAP server, such as ApacheDS, on the same host as JBoss Core Services.
  • If you are using an LDAP server, you have created LDAP users called krbtgt, ldap, HTTP, and a test LDAP user called hnelson.

    • To create the krbtgt user, enter the following details:

      dn: uid=krbtgt,ou=Users,dc=example,dc=com
      objectClass: top
      objectClass: person
      objectClass: inetOrgPerson
      objectClass: krb5principal
      objectClass: krb5kdcentry
      cn: KDC Service
      sn: Service
      uid: krbtgt
      userPassword: secret
      krb5PrincipalName: krbtgt/EXAMPLE.COM@EXAMPLE.COM
      krb5KeyVersionNumber: 0
    • To create the ldap user, enter the following details:

      dn: uid=ldap,ou=Users,dc=example,dc=com
      objectClass: top
      objectClass: person
      objectClass: inetOrgPerson
      objectClass: krb5principal
      objectClass: krb5kdcentry
      cn: LDAP
      sn: Service
      uid: ldap
      userPassword: randall
      krb5PrincipalName: ldap/localhost@EXAMPLE.COM
      krb5KeyVersionNumber: 0
    • To create the HTTP user, enter the following details:

      dn: uid=HTTP,ou=Users,dc=example,dc=com
      objectClass: top
      objectClass: person
      objectClass: inetOrgPerson
      objectClass: krb5principal
      objectClass: krb5kdcentry
      cn: HTTP
      sn: Service
      uid: HTTP
      userPassword: secretpwd
      krb5PrincipalName: HTTP/localhost@EXAMPLE.COM
      krb5KeyVersionNumber: 0
    • To create the test user, hnelson, enter the following details:

      dn: uid=hnelson,ou=Users,dc=example,dc=com
      objectClass: top
      objectClass: person
      objectClass: inetOrgPerson
      objectClass: krb5principal
      objectClass: krb5kdcentry
      cn: Horatio Nelson
      sn: Nelson
      uid: hnelson
      userPassword: secret
      krb5PrincipalName: hnelson@EXAMPLE.COM
      krb5KeyVersionNumber: 0

6.2. Configuring the Kerberos client

When you configure Kerberos authentication, you must configure the Kerberos client by performing the following steps:

  1. Specify configuration settings in the krb5.conf file.
  2. Create a key tab in the JBCS_HOME/httpd/conf directory.
  3. Assign permissions to the key tab.
  4. Ensure that localhost is included in the /etc/hosts file.

Procedure

  1. To specify configuration settings in the krb5.conf file:

    1. Go to the /etc directory.
    2. Create a file named krb5.conf.
    3. Enter the following configuration details:

      [logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log
      
      [libdefaults]
        default_realm = EXAMPLE.COM
        default_tgs_enctypes = des-cbc-md5,des3-cbc-sha1-kd
        default_tkt_enctypes = des-cbc-md5,des3-cbc-sha1-kd
        dns_lookup_realm = false
        dns_lookup_kdc = false
        allow_weak_crypto = yes
        ticket_lifetime = 24h
        renew_lifetime = 7d
        forwardable = yes
      
      [realms]
        EXAMPLE.COM = {
          kdc = localhost:60088
          admin_server = localhost:60088
        }
      
      [domain_realm]
        .example.com = EXAMPLE.COM
        example.com = EXAMPLE.COM
  2. To create a key tab:

    1. Go to the JBCS_HOME/httpd/conf directory.
    2. Enter the following details:

      # ktutil
      ktutil: addent -password -p HTTP/localhost@EXAMPLE.COM -k 0 -e des-cbc-md5
      Password for HTTP/localhost@EXAMPLE.COM: secretpwd
      ktutil: list
      slot KVNO Principal
      ---- ---- ---------------------------------------------------------------------
         1    0               HTTP/localhost@EXAMPLE.COM
      ktutil: wkt JBCS_HOME/httpd/conf/krb5.keytab
      ktutil: quit

    Important

    Environment variables are not expanded within the ktutil prompt. You must substitute the full path for the JBCS_HOME variable.

  3. To apply the correct group and permissions to the key tab, enter the following commands as the root user:

    # chgrp apache JBCS_HOME/httpd/conf/krb5.keytab
    # chmod 640 JBCS_HOME/httpd/conf/krb5.keytab
  4. Ensure that the following host configuration is included in the /etc/hosts file:

    127.0.0.1 localhost
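    The keytab created above is the credential that lets httpd prove it is HTTP/localhost@EXAMPLE.COM, so two things are worth checking after steps 2 and 3: that it really contains that principal and that its permission bits match what the chgrp/chmod commands are meant to achieve (readable by the apache group, not by other local users). The following Python script is an added example, not part of the Red Hat documentation; the `klist -kt` output it parses is a constructed sample, and the script creates a throwaway file to demonstrate the permission check instead of touching a real keytab.

```python
import grp
import os
import re
import stat
import tempfile

# Service principal added in the ktutil session in this chapter.
EXPECTED_PRINCIPAL = "HTTP/localhost@EXAMPLE.COM"

# Constructed sample of `klist -kt JBCS_HOME/httpd/conf/krb5.keytab` output
# (not captured from a real host; the path is a placeholder).
SAMPLE_KLIST_KT = """Keytab name: FILE:/opt/jbcs/httpd/conf/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   0 06/03/13 14:02:11   HTTP/localhost@EXAMPLE.COM
"""


def parse_klist_keytab(output):
    """Return (kvno, principal) tuples from `klist -kt` output.

    Entry lines start with the key version number, followed by a date, a time
    and the principal; header and separator lines do not match the pattern.
    """
    entries = []
    for line in output.splitlines():
        m = re.match(r"\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s*$", line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def keytab_has_principal(output, principal=EXPECTED_PRINCIPAL):
    """True if the keytab listing contains the expected service principal."""
    return any(p == principal for _, p in parse_klist_keytab(output))


def keytab_problems(path, expected_mode=0o640, expected_group=None):
    """Return a list of permission problems for the keytab at `path`.

    The chapter applies mode 640 and group apache so that httpd can read the
    keytab while other local accounts cannot. Pass expected_group="apache" on a
    host where that group exists; it is skipped by default so the demo runs
    anywhere.
    """
    problems = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        problems.append("keytab is world-readable or world-writable (mode %o)" % mode)
    if mode & stat.S_IWGRP:
        problems.append("keytab is group-writable (mode %o)" % mode)
    if mode != expected_mode:
        problems.append("mode is %o, expected %o" % (mode, expected_mode))
    if expected_group is not None:
        try:
            actual = grp.getgrgid(st.st_gid).gr_name
        except KeyError:
            actual = str(st.st_gid)
        if actual != expected_group:
            problems.append("group is %s, expected %s" % (actual, expected_group))
    return problems


def demo():
    """Check a throwaway file first with the wrong mode, then with the chapter's mode."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        path = f.name
    try:
        os.chmod(path, 0o644)          # world-readable: what chmod 640 is meant to prevent
        before = keytab_problems(path)
        os.chmod(path, 0o640)          # the mode the chapter applies
        after = keytab_problems(path)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    print("principal present:", keytab_has_principal(SAMPLE_KLIST_KT))
    before, after = demo()
    print("problems with mode 644:", before)
    print("problems with mode 640:", after)
```

On a real host, feed `keytab_problems()` the path of the keytab you wrote with ktutil and `parse_klist_keytab()` the captured output of `klist -kt` on that file; a finding from either means the httpd side of the setup will fail or is exposing the key.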

6.3. Configuring mod_auth_kerb

When you configure Kerberos authentication, you must configure mod_auth_kerb by specifying settings in the auth_kerb.conf file.

Procedure

  1. Go to the JBCS_HOME/httpd/conf.d/ directory.
  2. Create a file named auth_kerb.conf.
  3. Enter the following configuration details:

    #
    # The mod_auth_kerb module implements Kerberos authentication over HTTP, following the "Negotiate" protocol.
    #
    
    # The LoadModule statement is done in conf.d/10-auth_kerb.conf
    # LoadModule auth_kerb_module modules/mod_auth_kerb.so
    
    <Location /kerberostest>
      AuthType Kerberos
      AuthName "Kerberos Login"
      KrbMethodNegotiate On
      KrbMethodK5Passwd Off
      KrbAuthRealms EXAMPLE.COM
      KrbServiceName HTTP
      Krb5KeyTab $JBCS_HOME/httpd/conf/krb5.keytab
      require valid-user
    </Location>
Important

Environment variables are not expanded within the configuration files. In the preceding example, ensure that you substitute the full path for the JBCS_HOME variable.
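Two settings in this chapter deserve a second look before the configuration leaves a lab: the krb5.conf in section 6.2 enables allow_weak_crypto and lists the single-DES enctype des-cbc-md5, which MIT Kerberos otherwise refuses, and the auth_kerb.conf above will silently fail to find the keytab if the JBCS_HOME variable is left unexpanded. The following Python audit script is an added example that is not part of the Red Hat documentation; the two configuration fragments are constructed copies of the ones in this chapter, and the WEAK_ENCTYPES set is the script's own list of single-DES types. It also flags KrbMethodK5Passwd On, because that setting makes mod_auth_kerb accept a password over HTTP Basic authentication as a fallback.

```python
import re

# Constructed copy of the [libdefaults] and [realms] sections from section 6.2.
KRB5_CONF = """[libdefaults]
  default_realm = EXAMPLE.COM
  default_tgs_enctypes = des-cbc-md5,des3-cbc-sha1-kd
  default_tkt_enctypes = des-cbc-md5,des3-cbc-sha1-kd
  dns_lookup_realm = false
  dns_lookup_kdc = false
  allow_weak_crypto = yes
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = yes

[realms]
  EXAMPLE.COM = {
    kdc = localhost:60088
    admin_server = localhost:60088
  }
"""

# Constructed copy of the Location block from section 6.3.
AUTH_KERB_CONF = """<Location /kerberostest>
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd Off
  KrbAuthRealms EXAMPLE.COM
  KrbServiceName HTTP
  Krb5KeyTab $JBCS_HOME/httpd/conf/krb5.keytab
  require valid-user
</Location>
"""

# Single-DES enctypes; MIT Kerberos only uses them when allow_weak_crypto is set.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw", "des-hmac-sha1"}


def parse_libdefaults(text):
    """Return the key/value pairs of the [libdefaults] section of a krb5.conf."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def audit_krb5_conf(text):
    """Return findings about weak-crypto settings in a krb5.conf."""
    findings = []
    libdefaults = parse_libdefaults(text)
    if libdefaults.get("allow_weak_crypto", "false").lower() in ("yes", "true"):
        findings.append("allow_weak_crypto is enabled")
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        listed = [e.lower() for e in re.split(r"[,\s]+", libdefaults.get(key, "")) if e]
        weak = sorted(set(listed) & WEAK_ENCTYPES)
        if weak:
            findings.append("%s lists weak enctype(s): %s" % (key, ", ".join(weak)))
    return findings


def parse_directives(text):
    """Return {directive-name-lowercased: value} for the directives inside a block."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        name, _, value = line.partition(" ")
        directives[name.lower()] = value.strip()
    return directives


def audit_auth_kerb_conf(text):
    """Return findings for a mod_auth_kerb Location block."""
    findings = []
    d = parse_directives(text)
    # mod_auth_kerb defaults KrbMethodK5Passwd to On when the directive is absent.
    if d.get("krbmethodk5passwd", "on").lower() == "on":
        findings.append("KrbMethodK5Passwd On: password fallback over HTTP Basic is enabled")
    if d.get("krbmethodnegotiate", "on").lower() != "on":
        findings.append("KrbMethodNegotiate is Off: ticket-based authentication is disabled")
    keytab = d.get("krb5keytab", "")
    if "$" in keytab:
        findings.append("Krb5KeyTab contains an unexpanded variable: %s" % keytab)
    return findings


if __name__ == "__main__":
    for f in audit_krb5_conf(KRB5_CONF) + audit_auth_kerb_conf(AUTH_KERB_CONF):
        print("finding:", f)
```

Run it against the real files by reading them into `audit_krb5_conf()` and `audit_auth_kerb_conf()`; the chapter's example configuration produces findings for allow_weak_crypto, both DES enctype lists and the unexpanded JBCS_HOME path, and the last one disappears once the full path is substituted as the note above requires.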

6.4. Testing the Kerberos authentication

When you configure Kerberos authentication, you can use a test page to test the Kerberos authentication.

Procedure

  1. To create a test page, perform the following steps:

    1. Go to the JBCS_HOME/httpd/www/html/kerberostest directory.
    2. Create a test page named auth_kerb_page.html.
    3. Enter the following details:

      <html>
      <body>
          <h1>mod_auth_kerb successfully authenticated!</h1>
      </body>
      </html>
  2. Optional: In the JBCS_HOME/httpd/conf/httpd.conf file, set the log level to debugging.
  3. Start the Apache HTTP Server. For more information, see the Red Hat JBoss Core Services Apache HTTP Server Installation Guide.
  4. To initiate Kerberos authentication for the test user, hnelson, enter the following command:

    $ kinit hnelson
  5. To view the details for the test user, hnelson, enter the following command:

    $ klist

    The klist command produces output similar to the following:

    Ticket cache: FILE:/tmp/krb5cc_18602
    Default principal: hnelson@EXAMPLE.COM
    
    Valid starting     Expires            Service principal
    06/03/13 14:21:13  06/04/13 14:21:13  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    renew until 06/10/13 14:21:13

Verification

  • To test Kerberos authentication, enter the following command:

    $ curl --negotiate -u : http://localhost/kerberostest/auth_kerb_page.html

    If Kerberos authentication is working correctly, the curl command produces the following output:

    <html>
    <body>
        <h1>mod_auth_kerb successfully authenticated!</h1>
    </body>
    </html>
