Thursday, January 16, 2014

Set up a kerberos protected apache server on CentOS 6.5 x86_64

1. Install packages
# yum install mod_auth_kerb ipa-client ipa-admintools

2. Join into Kerberos domain
Make sure the IPA server can resolve the HTTP server's hostname (via DNS and/or /etc/hosts).
# ntpdate 0.centos.pool.ntp.org
# ipa-client-install --domain dev.id.aaf.edu.au --server iam1.dev.id.aaf.edu.au

3. Add service principal
# kinit admin
# ipa service-add HTTP/krbhttpservice.dev.id.aaf.edu.au

4. Retrieve Kerberos keytab
# ipa-getkeytab -s iam1.dev.id.aaf.edu.au -p HTTP/krbhttpservice.dev.id.aaf.edu.au -k /etc/httpd/conf/krb5.keytab
# chown apache:apache /etc/httpd/conf/krb5.keytab
# chmod 0600 /etc/httpd/conf/krb5.keytab

5. Configure apache
Edit /etc/httpd/conf.d/auth_kerb.conf so that it contains:
#
# The mod_auth_kerb module implements Kerberos authentication over
# HTTP, following the "Negotiate" protocol.
#

LoadModule auth_kerb_module modules/mod_auth_kerb.so
#
# Sample configuration: Kerberos authentication must only be
# used over SSL to prevent replay attacks.  The keytab file
# configured must be readable only by the "apache" user, and
# must contain service keys for "HTTP/www.example.com", where
# "www.example.com" is the FQDN of this server.
#

<Location /kerberos_protected>
  SSLRequireSSL
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd Off
  KrbServiceName HTTP/krbhttpservice.dev.id.aaf.edu.au

  KrbAuthRealms DEV.ID.AAF.EDU.AU
  Krb5KeyTab /etc/httpd/conf/krb5.keytab
  require valid-user
</Location>


6. Restart apache
# chkconfig httpd on
# service httpd start

7. Testing from a client machine. As with the server, the client needs to be a member of the Kerberos domain:
# yum install ipa-client
# ntpdate 0.centos.pool.ntp.org
# ipa-client-install --domain dev.id.aaf.edu.au --server iam1.dev.id.aaf.edu.au
# kinit <username>
# curl -I -k --negotiate -u : https://krbhttpservice.dev.id.aaf.edu.au/kerberos_protected/phptest.php
The output should be like this:
HTTP/1.1 401 Authorization Required
Date: Fri, 17 Jan 2014 03:35:37 GMT
Server: Apache/2.2.15 (CentOS)
WWW-Authenticate: Negotiate
Connection: close
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 200 OK
Date: Fri, 17 Jan 2014 03:35:37 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Connection: close
Content-Type: text/html; charset=UTF-8
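As an added check, not part of the original post, the following script audits a mod_auth_kerb <Location> block for the settings the comment in step 5 insists on (SSL only, no password fallback, correct service principal, keytab locked down). The sample config, keytab path and the function names write_sample and audit_kerb_conf are constructed for this example; point audit_kerb_conf at the real auth_kerb.conf on the server to run it for real.

```shell
# Constructed sample config and keytab (written under /tmp; stand-ins, not the live files).
SAMPLE_CONF="${TMPDIR:-/tmp}/auth_kerb_sample.conf"
SAMPLE_KEYTAB="${TMPDIR:-/tmp}/krb5_sample.keytab"

write_sample() {
  cat > "$SAMPLE_CONF" <<EOF
<Location /kerberos_protected>
  SSLRequireSSL
  AuthType Kerberos
  KrbMethodNegotiate On
  KrbMethodK5Passwd Off
  KrbServiceName HTTP/krbhttpservice.dev.id.aaf.edu.au
  KrbAuthRealms DEV.ID.AAF.EDU.AU
  Krb5KeyTab $SAMPLE_KEYTAB
  require valid-user
</Location>
EOF
  : > "$SAMPLE_KEYTAB"          # empty stand-in for the real keytab
  chmod 0600 "$SAMPLE_KEYTAB"
}

# audit_kerb_conf CONF EXPECTED_PRINCIPAL
# Prints one FAIL line per problem; returns 0 only when every check passes.
audit_kerb_conf() {
  conf="$1"; principal="$2"; rc=0
  grep -qiE '^[[:space:]]*SSLRequireSSL' "$conf" \
    || { echo "FAIL: SSLRequireSSL missing (Negotiate tokens must only travel over TLS)"; rc=1; }
  grep -qiE '^[[:space:]]*AuthType[[:space:]]+Kerberos' "$conf" \
    || { echo "FAIL: AuthType Kerberos missing"; rc=1; }
  grep -qiE '^[[:space:]]*KrbMethodK5Passwd[[:space:]]+Off' "$conf" \
    || { echo "FAIL: KrbMethodK5Passwd should be Off (keeps user passwords off the web server)"; rc=1; }
  grep -qE "^[[:space:]]*KrbServiceName[[:space:]]+$principal[[:space:]]*\$" "$conf" \
    || { echo "FAIL: KrbServiceName does not match $principal"; rc=1; }
  # Pull the keytab path out of the config and verify it exists with mode 0600.
  keytab=$(sed -nE 's/^[[:space:]]*Krb5KeyTab[[:space:]]+([^[:space:]]+).*/\1/p' "$conf" | head -n 1)
  if [ -z "$keytab" ] || [ ! -f "$keytab" ]; then
    echo "FAIL: Krb5KeyTab missing or file not found"; rc=1
  else
    mode=$(stat -c %a "$keytab" 2>/dev/null || stat -f %Lp "$keytab")
    [ "$mode" = "600" ] || { echo "FAIL: keytab mode is $mode, expected 600"; rc=1; }
  fi
  return "$rc"
}
```

On the real host also confirm the keytab owner is apache (stat -c %U) and that klist -kt lists the HTTP/ principal from step 4.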
