From 7e33a3a2df613ecdfd49d621f7cc7a6424d4f96f Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Tue, 14 Apr 2015 11:49:00 -0400
Subject: Use mod_auth_gssapi instead of mod_auth_kerb

Change configuration on new installs only.

Enable GssapiLocalName so we have access to the local name in REMOTE_USER and the full principle in GSS_NAME.

Enable GssapiSSLonly even though SSLRequireSSL is also set. The belt and suspenders principla.

https://fedorahosted.org/ipsilon/ticket/89

Signed-off-by: Rob Crittenden
Reviewed-by: Simo Sorce
---
 README                      |  4 ++--
 contrib/fedora/ipsilon.spec | 10 +++++-----
 doc/design.txt              |  2 +-
 ipsilon/login/authkrb.py    | 30 ++++++++++++------------------
 4 files changed, 20 insertions(+), 26 deletions(-)

diff --git a/README b/README
index dc4dae8..8b4f291 100644
--- a/README
+++ b/README
@@ -29,8 +29,8 @@ Prerequisites:
 - An unprivileged user to run the Ipsilon code (defaults to 'ipsilon')
 
 Currently there are only two available authentication modules, Kerberos and
-PAM. The Kerberos module uses mod_auth_kerb (which it will configure for you at
-install time), the Pam module simply uses the PAM stack with a default service
+PAM. The Kerberos module uses mod_auth_gssapi (which it will configure for
+you at install time), the Pam module simply uses the PAM stack with a default service
 name set to 'remote'.
 
 NOTE: The PAM module is invoked as an unprivileged user so if you are using the
diff --git a/contrib/fedora/ipsilon.spec b/contrib/fedora/ipsilon.spec
index 8be5f40..335c61b 100644
--- a/contrib/fedora/ipsilon.spec
+++ b/contrib/fedora/ipsilon.spec
@@ -183,20 +183,20 @@ Provides a login plugin to authenticate against the local PAM stack
 
 
 %package authkrb
-Summary: mod_auth_kerb based login plugin
+Summary: mod_auth_gssapi based login plugin
 Group: System Environment/Base
 License: GPLv3+
 Requires: %{name} = %{version}-%{release}
-Requires: mod_auth_kerb
+Requires: mod_auth_gssapi
 BuildArch: noarch
 
 %description authkrb
-Provides a login plugin to allow authentication via the mod_auth_kerb Apache
-module.
+Provides a login plugin to allow authentication via the mod_auth_gssapi
+Apache module.
 
 
 %package authldap
-Summary: mod_auth_kerb based login plugin
+Summary: LDAP info and login plugin
 Group: System Environment/Base
 License: GPLv3+
 Requires: %{name} = %{version}-%{release}
diff --git a/doc/design.txt b/doc/design.txt
index 44699c5..08830d2 100644
--- a/doc/design.txt
+++ b/doc/design.txt
@@ -29,7 +29,7 @@ Architecture
 
 Ipsilon is mostly a web service builtin in python on the cherrypy framework.
 It is normally installed and run in an apache server and some plugins depend
-on authentication modules available in apache like mod_auth_kerb.
+on authentication modules available in apache like mod_auth_gssapi.
 
 Each authentication method is chained to the next in line so that automatic
 fallback can happen and multiple authentication methods can be employed at
diff --git a/ipsilon/login/authkrb.py b/ipsilon/login/authkrb.py
index 60eeb6b..6fc0c53 100644
--- a/ipsilon/login/authkrb.py
+++ b/ipsilon/login/authkrb.py
@@ -53,7 +53,7 @@ class KrbError(LoginPageBase):
 
     def root(self, *args, **kwargs):
         cherrypy.log.error('REQUEST: %s' % cherrypy.request.headers)
-        # If we have no negotiate header return whatever mod_auth_kerb
+        # If we have no negotiate header return whatever mod_auth_gssapi
         # generated and wait for the next request
         if 'WWW-Authenticate' not in cherrypy.request.headers:
@@ -81,8 +81,8 @@ class LoginManager(LoginManagerBase):
         self.path = 'krb/negotiate'
         self.page = None
         self.description = """
-Kereros Negotiate authentication plugin. Relies on the mod_auth_kerb apache
-plugin for actual authentication. """
+Kerberos Negotiate authentication plugin. Relies on the mod_auth_gssapi
+apache plugin for actual authentication. """
         self.new_config(self.name)
 
     def get_tree(self, site):
@@ -96,16 +96,11 @@ plugin for actual authentication. """
 
 CONF_TEMPLATE = """
-    AuthType Kerberos
-    AuthName "Kerberos Login"
-    KrbMethodNegotiate on
-    KrbMethodK5Passwd off
-    KrbServiceName HTTP
-    $realms
+    AuthType GSSAPI
+    AuthName "GSSAPI Single Sign On Login"
     $keytab
-    KrbSaveCredentials off
-    KrbConstrainedDelegation off
-    # KrbLocalUserMapping On
+    GssapiSSLonly $gssapisslonly
+    GssapiLocalName on
     Require valid-user
     ErrorDocument 401 /${instance}/login/krb/unauthorized
@@ -124,8 +119,6 @@ class Installer(LoginManagerInstaller):
     def install_args(self, group):
         group.add_argument('--krb', choices=['yes', 'no'], default='no',
                            help='Configure Kerberos authentication')
-        group.add_argument('--krb-realms',
-                           help='Allowed Kerberos Auth Realms')
         group.add_argument('--krb-httpd-keytab',
                            default='/etc/httpd/conf/http.keytab',
                            help='Kerberos keytab location for HTTPD')
@@ -137,14 +130,15 @@ class Installer(LoginManagerInstaller):
         confopts = {'instance': opts['instance']}
 
         if os.path.exists(opts['krb_httpd_keytab']):
-            confopts['keytab'] = ' Krb5KeyTab %s' % opts['krb_httpd_keytab']
+            confopts['keytab'] = 'GssapiCredStore keytab:%s' % (
+                opts['krb_httpd_keytab'])
         else:
             raise Exception('Keytab not found')
 
-        if opts['krb_realms'] is None:
-            confopts['realms'] = ' # KrbAuthRealms - Any realm is allowed'
+        if opts['secure'] == 'no':
+            confopts['gssapisslonly'] = 'Off'
         else:
-            confopts['realms'] = ' KrbAuthRealms %s' % opts['krb_realms']
+            confopts['gssapisslonly'] = 'On'
 
         tmpl = Template(CONF_TEMPLATE)
         hunk = tmpl.substitute(**confopts)  # pylint: disable=star-args
--
cgit
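Review bot: Dropping the `$realms` line (the old `KrbAuthRealms` allow-list) from CONF_TEMPLATE leaves the generated block with no realm restriction of its own, so `Require valid-user` now admits any principal the KDC will authenticate, including cross-realm ones, and `GssapiLocalName on` then maps that principal through the libkrb5 local-name rules before it reaches REMOTE_USER — presumably meaning two principals from different realms can end up as the same local user if those rules are permissive; this should be confirmed against the mod_auth_gssapi and krb5 auth_to_local documentation. Nothing in the hunk or the commit message records where the realm restriction now lives, so a line in the template such as `    # Realm restriction is no longer set here; rely on krb5 auth_to_local rules` would save the next operator the search. The opening line of the enclosing config block (above `AuthType`) is not visible in this hunk.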
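Review bot: Deleting `--krb-realms` from `install_args` is a command-line interface break that the commit message ("new installs only") does not mention: argparse rejects unknown options, so any existing install script or documentation that passes `--krb-realms` now fails at argument parsing instead of being ignored. A hidden, deprecated no-op for one release, `group.add_argument('--krb-realms', help=argparse.SUPPRESS)` (assuming `group` is an argparse group and `argparse` is imported in this file), or at least a note in the commit message and docs, would make the removal deliberate. Nothing reads the value any more once the `$realms` substitution goes, so the flag would be inert either way. The enclosing class `Installer` starts and ends outside the hunk.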
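Review bot: `raise Exception('Keytab not found')` in the else branch gives the operator no path to look for, even though the value being checked is the operator-supplied `--krb-httpd-keytab`; `raise Exception('Keytab not found: %s' % opts['krb_httpd_keytab'])` is enough. The `os.path.exists` check also says nothing about whether the httpd user can read the file, which is presumably what `GssapiCredStore keytab:` needs at request time, so a root-owned 0600 keytab passes the installer and fails on the first login — worth a comment here or an ownership check elsewhere in the installer (not visible in this hunk). Note as well that the path is interpolated unquoted into the directive, so a path containing whitespace would produce a broken config line. The surrounding method starts and ends outside the hunk.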