How To Install Modauthkerb For Windows
Here’s how to take care of installing mod_auth_kerb:

Make sure that you have httpd-devel installed:

    yum install httpd-devel

Download the source to the latest version of mod_auth_kerb.

Kerberos Module for Apache

Introduction

Mod_auth_kerb is an Apache module designed to provide Kerberos authentication to the Apache web server. Using the Basic Auth mechanism, it retrieves a username/password pair from the browser and checks them against a Kerberos server as set up by your particular organization. The module also supports the Negotiate authentication method, which performs full Kerberos authentication based on ticket exchanges and does not require users to enter their passwords in the browser. In order to use the Negotiate method you need a browser supporting it (currently standard IE6.0 or Mozilla with the ).
The module supports both the Kerberos 4 and Kerberos 5 protocols for password verification. The Negotiate mechanism can only be used with Kerberos v5. The module supports both 1.x and 2.x versions of Apache.

If you are using the Basic Auth mechanism, the module does not do any special encryption of any sort. The username and password are passed with the same Base64 encoding that Basic Auth uses. Base64 is an encoding, not encryption, so anyone who captures the request can easily convert it to plain text. To counter this, I would suggest also using mod_ssl or Apache-SSL. The use of SSL encryption is also recommended if you are using the Negotiate method.
You must configure your web server to use SSL when using any kind of password authentication. Otherwise, passwords will be sent across the network unencrypted and could be stolen. For more information, see.

To use mod_auth_kerb on your site:

• Install Kerberos on your web server; see. Instead of installing the keytab file in /etc/krb5.keytab, you may want to install it in the same location as your web server configuration files (for example, /opt/apache/etc/krb5.keytab). Use the chown(1) and chmod(1) commands to make this keytab file readable by the web server user. The following example assumes a web server user of www:

    $ sudo chown root:www krb5.keytab
    $ sudo chmod 640 krb5.keytab
    $ ls -l krb5.keytab
    -rw-r----- 1 root www 134 Apr 9 10:43 krb5.keytab

• Download the mod_auth_kerb Apache module from: The website includes build instructions. When building, set the KRB5_VERIFY_TICKET option and specify the location of the keytab file with KRB5_DEFAULT_KEYTAB. For example, when building mod_auth_kerb as a dynamic shared object (DSO), use something like:

    apxs -c -DKRB5 -DKRB5_VERIFY_TICKET \
        -DKRB5_DEFAULT_KEYTAB='"FILE:/opt/apache/etc/krb5.keytab"' \
        -I/opt/krb5/include -L/opt/krb5/lib \
        -lkrb5 -ldl -lcom_err -lk5crypto mod_auth_kerb.c

  This example assumes your keytab is in /opt/apache/etc/krb5.keytab and Kerberos 5 is installed in /opt/krb5. For more information about DSOs in Apache 2.0, see. For Apache 1.3, see.

• Finish installing mod_auth_kerb according to the instructions on the website.

• Using .htaccess files or Directory or Location directives in your httpd.conf file, enable Kerberos authentication for the appropriate portions of your site. The only mod_auth_kerb directives you should need are:

    AuthName 'IU Network ID'
    AuthType KerberosV5
    KrbServiceName HTTP
    Require valid-user
    SSLRequireSSL

  The Require valid-user directive will allow anyone with a valid IU to authenticate. You can restrict this further by replacing valid-user with user followed by a list of usernames, for example:

    Require user bunbury jack ernest

  See also the Apache documentation on runtime configuration directives, particularly Allow, Deny, Order, Require, and Satisfy, in the directive index for your version of Apache.

• You should now be able to authenticate to protected areas of the site using your IU Network ID. Check your Apache error log if it doesn't work. The following error may mean your krb5.keytab file is not in the right place:

    reason: krb5_rd_req(): No such file or directory

  If the file is not readable by the web server user, you may see the following error:

    reason: krb5_rd_req(): Permission denied

  Syntax errors relating to the SSLRequireSSL directive may mean you have not built an SSL-capable version of Apache. For more information, see:.
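
The keytab ownership and mode from the chown/chmod step, and the two krb5_rd_req() errors above, can be checked before restarting Apache. This is an added example, not part of the original instructions: audit_keytab, demo and the temporary stand-in file are hypothetical names and constructed input, and it assumes the web server user is not the file owner and reaches the file only through its primary group.

```python
import os
import stat
import tempfile


def audit_keytab(path, web_gid, owner_uid=0):
    """Return findings for the keytab at path; an empty list means it matches
    the owner/group/640 layout shown above. web_gid is the web server user's
    primary group (assumption: that user is not the file owner)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing: expect 'krb5_rd_req(): No such file or directory'"]
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    # Pick the permission class that applies to the web server user.
    readable = mode & (stat.S_IRGRP if st.st_gid == web_gid else stat.S_IROTH)
    if not readable:
        findings.append("web server cannot read it: expect "
                        "'krb5_rd_req(): Permission denied'")
    if mode & stat.S_IRWXO:
        findings.append("accessible to other local users: service key exposed")
    if mode & stat.S_IWGRP:
        findings.append("group-writable: the web server could replace the key")
    if st.st_uid != owner_uid:
        findings.append("unexpected owner uid %d" % st.st_uid)
    return findings


def demo():
    """Audit a constructed stand-in file under three modes; returns results."""
    results = {}
    with tempfile.NamedTemporaryFile() as f:
        st = os.stat(f.name)
        for mode in (0o640, 0o644, 0o600):
            os.chmod(f.name, mode)
            # The demo uses the temp file's own uid/gid in place of root/www.
            results[oct(mode)] = audit_keytab(f.name, st.st_gid, st.st_uid)
    return results


if __name__ == "__main__":
    for mode, findings in demo().items():
        print(mode, findings or "ok")
```

On a real server, call audit_keytab with the keytab path and the numeric group ID of the web server user, leaving owner_uid at its default of 0 for root.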