proxy/docs/Apache.md
8 additions & 9 deletions
@@ -2,7 +2,10 @@
2
2
3
3
The traditional approach for performing Kerberos authentication in Apache 2.* is to use the mod_auth_gssapi (historically, mod_auth_kerb would have been used) module. When using this module, the Apache process must have read access to a keytab (configured with the ```GssapiCredStore``` option, or the default ```/etc/krb5.keytab```) containing keys for the HTTP service. This is not optimal from a security point of view as all websites can potentially get access to the key material. GSS-Proxy allows to implement privilege separation for the Apache httpd server by removing access to the keytab while preserving Kerberos authentication functionality.
4
4
5
-
This page describes a setup which works on Fedora 21 with gssproxy-0.4.1-1.fc21.x86_64, httpd-2.4.16-1.fc21.x86_64, and mod_auth_gssapi-1.3.0-2.fc21.x86_64, and verified on Fedora 21 and RHEL 7.
5
+
This page describes a setup which works starting with Fedora 21 with
6
+
gssproxy-0.4.1-1.fc21.x86_64, httpd-2.4.16-1.fc21.x86_64, and
7
+
mod_auth_gssapi-1.3.0-2.fc21.x86_64. It works on similar versions of RHEL as
8
+
well.
6
9
7
10
## Setting up GSS-Proxy
8
11
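Review bot: the rewritten intro on the added lines 5-8 loses precision: the removed sentence stated the setup was "verified on Fedora 21 and RHEL 7", while the replacement says only "similar versions of RHEL as well", which tells a reader neither which RHEL release was tested nor whether a newer one is expected to work. Suggest keeping the concrete statement, e.g. "It works on RHEL 7 as well", and adding later releases only once they have actually been verified. Also a style point: the added lines are hard-wrapped at roughly 80 columns, while the surrounding paragraph (line 3) is a single long line; pick one wrapping convention for the file.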
@@ -20,7 +23,10 @@ will create the service principal. On an IPA-enrolled client machine, the
20
23
21
24
will retrieve the keytab for the principal. In the following configuration snippet we assume it is stored in ```/etc/gssproxy/http.keytab```. The permissions are set to 400, owner root. The Apache user does not have access to the keytab.
22
25
23
-
We need to know the Apache user numerical id to put it in the configuration file, because GSS-Proxy uses the effective uid to distinguish the services. On my installation, the uid is 48. Symbolic uids will be supported in a future release of gssproxy.
26
+
We need to know the Apache user numerical id to put it in the configuration
27
+
file, because GSS-Proxy uses the effective uid to distinguish the services. On
28
+
my installation, the uid is 48. Symbolic uids are also supported (e.g.,
29
+
"httpd" or "apache").
24
30
25
31
We add a new section to the ```/etc/gssproxy/gssproxy.conf``` configuration file. This section has to be before any section which might have ```allow_any_uid = yes```, namely gssproxy-0.3.0 in its ```service/nfs-client```:
26
32
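Review bot: the added lines 26-29 now contradict themselves: the paragraph still opens with "We need to know the Apache user numerical id to put it in the configuration file", then ends by saying symbolic uids such as "httpd" or "apache" are also supported. If symbolic names work, the text should recommend them as the primary option (the numeric value 48 is installation-specific and a wrong euid silently maps the Apache process to a different, or no, gssproxy service), and the numeric id should be presented as the fallback. Two follow-ups: state the minimum gssproxy version that accepts a symbolic euid, since the page pins gssproxy-0.4.1 in the intro and a reader on an older build will otherwise hit an unexplained configuration error; and make sure the configuration snippet that follows this paragraph uses the same form the prose recommends, so the two do not drift apart.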
@@ -81,10 +87,3 @@ When we now (re)start the Apache service
81
87
```
82
88
83
89
we should be able to make HTTP requests against the server and they will be authenticated if the client has a valid Kerberos ticket.
84
-
85
-
## Issues
86
-
87
-
On Fedora 21 and RHEL 7 with the latest updates installed, the above setup should work.
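Review bot: dropping the "## Issues" section is reasonable since it listed no actual issues, but the removed line 87 was the only place the document recorded that the setup was verified on RHEL 7, and the rewritten intro in the first hunk no longer names that release either. Either keep an explicit "verified on" statement in the intro or retain a short note here. If the section is kept instead, it would be a good home for the one real caveat the page already describes: the gssproxy service section must precede any section with `allow_any_uid = yes`, otherwise the Apache process will not be matched to the privilege-separated HTTP keytab.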