Kerberos/Kerberos and SLES9

From Authentication Tools for Joomla! (JAuthTools)


This document covers installing and integrating Kerberos based single sign on for PHP applications. The content in this document is specifically aimed at providing information to install Kerberos and mod_auth_kerb on the SLES9 box and integrate this system with an existing Active Directory Kerberos server. You will probably want to configure Apache to only authenticate PHP documents after reading this guide.


Installation

RPM Packages

apache2-devel-2.0.49-23.i586.rpm

  • Not included on the SLES9 CDs; available via rpmseek.com.
  • This package is required because it provides APXS, which is needed to build and configure the module.

Source

krb5-1.4.2

  • Because SLES9 is out of date, it ships only Heimdal, and without development libraries. krb5-1.4.2 is the MIT implementation of Kerberos, which mod_auth_kerb needs to build and function properly (or at least without extra configuration and download steps).

Procedure:

$ ./configure --prefix=/usr
$ make
# make install

mod_auth_kerb-5.0-rc6

  • Provides the layer of Negotiate authentication.
  • Passes a server variable down with the username so that PHP can identify the validated user.

Procedure:

There is an issue with the default configure script which needs a minor alteration before it will find the SLES9 Apache 2 tools (apxs is installed as apxs2). In the configure file search for the following line:

set dummy apxs; ac_word=$2

and change it to:

set dummy apxs2; ac_word=$2

Then build and install:

$ ./configure --with-krb5=/usr/ --with-krb4=no --with-apache=/usr
$ make
# make install

Notes: Kerberos 4 isn't supported, but the module will attempt to use it if it was enabled at compile time. The --with-krb4=no option explicitly disables it, forcing Kerberos 5.

Adding the module to the configuration

# vi /etc/sysconfig/apache2

Edit the following line (or similar):

APACHE_MODULES="access actions alias auth auth_dbm autoindex cgi dir env expires include log_config mime negotiation setenvif ssl suexec userdir php4"

to:

APACHE_MODULES="access actions alias auth auth_dbm autoindex cgi dir env expires include log_config mime negotiation setenvif ssl suexec userdir php4 auth_kerb"

Then restart Apache, open a phpinfo() page and verify that "mod_auth_kerb" appears among the loaded modules (under apache2handler).

Configuration

Kerberos Configuration

Important: Time synchronization is very important to Kerberos; a clock difference of five minutes is enough to make authentication fail. NTP configuration should be completed and verified working before Kerberos configuration is attempted.

The default configuration that SuSE generates appears to be invalid. A sample configuration is supplied below:

[libdefaults]
        default_realm = JOOMLA.ORG
 
[realms]
        JOOMLA.ORG= {
                admin_server = AD.JOOMLA.ORG
                default_domain = JOOMLA.ORG
        }
 
[domain_realm]
        joomla = JOOMLA.ORG
        .joomla = JOOMLA.ORG
        joomla.org = JOOMLA.ORG
        .joomla.org = JOOMLA.ORG

[logging]
#       kdc = CONSOLE


This is a basic configuration that should allow authentication. If your Linux username is the same as your Active Directory login (e.g. testuser for both Linux and Active Directory), then simply typing 'kinit' should prompt for the password of 'testuser@JOOMLA.ORG'. Entering your Active Directory password here should result in no error. If your password is wrong you will get a pre-authentication error.

Active Directory Configuration

Due to the nature of Kerberos, two new 'users' need to be added to the Active Directory before the Kerberos Single Sign on system will work. First of all we need to add a new "computer and user account for the host and user security principals logging into the Domain". This should be the fully qualified domain name of the server (e.g. kerberos.joomla.org). Example from the Microsoft guide:

1. Use the Active Directory Management tool to create a new user account for the UNIX host:

  • Select the Users folder, right click and select New, then choose User.
  • Type the name of the UNIX host (e.g. kerberos.joomla.org). The account can be created in any container; it might be useful to create a new organizational unit (OU) and create the accounts there.

2. Use the Active Directory Management tool to create a user account for the UNIX service; for example, create an account with the name kerberos-joomla-HTTP.

3. Use ktpass to create the keytab file and set up the account for the UNIX host, then copy the keytab file to the UNIX system and merge it into /etc/krb5.keytab, as follows:

  • Use the following commands to generate the UNIX host and service keytab files, map each principal to its account and set the principal's password. Example (note: capitalization is important!):
  c:\> ktpass -princ host/kerberos.joomla.org@JOOMLA.ORG -mapuser kerberos-joomla -pass secretpassword -out kerberos-joomla.keytab
    <messages here>
  c:\> ktpass -princ HTTP/kerberos.joomla.org@JOOMLA.ORG -mapuser kerberos-joomla-http -pass secretpassword -out kerberos-joomla-http.keytab
    <messages here>
  • Copy the files to the UNIX server (this should be done securely, as the keytabs contain the service keys; email works) and import them into the main Kerberos keytab:
    $ sudo /usr/sbin/ktutil
    ktutil: rkt kerberos-joomla.keytab
    ktutil: rkt kerberos-joomla-http.keytab
    ktutil: wkt /etc/krb5.keytab
    ktutil: q
    $ sudo chmod 644 /etc/krb5.keytab

(This assumes that there are no other keys in krb5.keytab. If there are, add "rkt /etc/krb5.keytab" before writing (wkt) the keytab, otherwise the existing keys are lost. The chmod ensures that the file is readable by Apache, which solves the "Permission Denied" error in the Apache2 error log.)

Apache Configuration

For Kerberos authentication to be used, it must be requested at the Apache authentication level, not the PHP level, similar to the basic authentication system used previously with Joomla!. In the test cases, .htaccess files were used to provide the configuration settings. Configuration can be made directly within the Apache configuration, but alterations then require a restart, whereas .htaccess files provide a method of overriding or altering the configuration of a given directory without one. All directives shown in this file are also valid in the main configuration file.

Example .htaccess file:

Options FollowSymLinks Indexes MultiViews
IndexOptions FancyIndexing
 
AuthType Kerberos
AuthName "Enter your Login"
KrbMethodNegotiate On
KrbAuthRealms JOOMLA.ORG
KrbSaveCredentials on
KrbMethodK5Passwd On
KrbServiceName HTTP
require valid-user

And in the main Apache configuration file:

<Directory "/srv/www/htdocs/secureplace">
        Options All
        AllowOverride All
</Directory>

Restart Apache and test. Note: Due to the structure of Joomla!, more extensive alterations are required before it will work at maximum efficiency.

Background Information (Structure)

Since Windows 2000, Kerberos has been the method of choice for authentication in Windows, superseding NTLM authentication. This means that Kerberos aware systems can authenticate in Windows 2000/XP/2003 environments without any extra password entry mechanisms. This is called 'single sign on', and is available by default within the Windows environment if "Enable Integrated Windows Authentication" is ticked in the IE configuration dialog (under the Advanced tab, Security section).

At user sign on, Active Directory issues the user with a Kerberos ticket. From there, this ticket can be presented to Kerberos aware services that request it, which in our case is Apache. Apache then uses this ticket, plus its own keys (from the keytab), to authenticate both itself (with its key) and the user (with their ticket) against the Kerberos domain (namely Active Directory). Apache then places a server variable into the CGI environment ($_SERVER['REMOTE_USER']) from which PHP can identify the user; PHP is given a username only, with no password, and must trust Apache's verdict. Spoofing of this server variable requires spoofing of the Kerberos authentication layer itself.
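One way for a PHP application to consume that variable safely, as an added example that is not JAuthTools project code; it assumes mod_auth_kerb leaves REMOTE_USER as the full principal "user@REALM" and the trusted-realm list is a placeholder for your own site:

```php
<?php
// Added example (not JAuthTools project code): map the principal that
// mod_auth_kerb placed in $_SERVER['REMOTE_USER'] to a local username.
// Assumes REMOTE_USER has the form "user@REALM"; TRUSTED_REALMS is a
// placeholder for your own site's realm(s).
declare(strict_types=1);

/** Realms whose principals may log in (hypothetical site setting). */
const TRUSTED_REALMS = ['JOOMLA.ORG'];

/**
 * Return the local username for an Apache-authenticated principal, or
 * null when the request carries no usable principal. Only REMOTE_USER
 * is consulted: Apache sets it after a successful Negotiate (or
 * KrbMethodK5Passwd) exchange, whereas HTTP_* headers, GET/POST data
 * and cookies are client-controlled and must never be used for this.
 */
function kerberos_local_user(array $server, array $trustedRealms = TRUSTED_REALMS): ?string
{
    $principal = $server['REMOTE_USER'] ?? '';
    // Exactly one '@': rejects an empty value and "user@a@b" oddities.
    if (substr_count($principal, '@') !== 1) {
        return null;
    }
    [$user, $realm] = explode('@', $principal, 2);
    // Check the realm before stripping it; otherwise "admin@OTHER.REALM"
    // would collide with the local "admin" once cross-realm trust exists.
    if (!in_array($realm, $trustedRealms, true)) {
        return null;
    }
    // Plain user principals only: no service principals ("HTTP/host") and
    // no characters that a later SQL or filesystem lookup could trip on.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/', $user)) {
        return null;
    }
    // Active Directory logins are case-insensitive; normalise for lookup.
    return strtolower($user);
}

// Constructed sample inputs, standing in for what Apache would set.
if (PHP_SAPI === 'cli') {
    $samples = [
        ['REMOTE_USER' => 'TestUser@JOOMLA.ORG'],                 // normal user
        ['REMOTE_USER' => 'admin@EVIL.EXAMPLE'],                  // untrusted realm
        ['REMOTE_USER' => 'HTTP/kerberos.joomla.org@JOOMLA.ORG'], // service principal
        [],                                                       // not authenticated
    ];
    foreach ($samples as $s) {
        var_dump(kerberos_local_user($s));
    }
}
```

Only the first sample yields a username; the others return null and the application should treat the request as unauthenticated rather than fall back to any client-supplied value.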

History (Kerberos and SuSE)

Heimdal was shipped with SuSE due to limitations imposed on MIT Kerberos by US export laws. These issues have been removed by the alteration of MIT's policy on downloads from outside the US and Canada. Heimdal has certain limitations in its implementation that can cause issues and require extra configuration of the Kerberos library.

Resources

mod_auth_kerb home page: http://modauthkerb.sourceforge.net

MIT Kerberos home page: http://web.mit.edu/kerberos/www/

RPMSeek: http://www.rpmseek.com

Note: SLES9 accepts SuSE 9.1 packages.

Disclaimer: This document is meant as a guide only and is no where near comprehensive. Please read the appropriate sources for more information. This document is provided in good faith to help those on their way to find further information.
