Chapter 2. Configuring Kerberos authentication for the Apache HTTP web server
To use the mod_auth_gssapi Apache module on Red Hat Enterprise Linux (RHEL), configure Kerberos authentication for the Apache HTTP web server. The Generic Security Services API (GSSAPI) is the interface through which applications such as mod_auth_gssapi use the Kerberos security libraries.
2.1. Setting up gss-proxy in an IdM environment
To enable secure and authenticated access to Kerberos-protected resources across various services and applications, you can set up the Generic Security Services Proxy (GSS-Proxy) on the Apache HTTP web server. The gssproxy service provides privilege separation for the httpd server: gssproxy holds the HTTP service keytab and performs the Kerberos operations on behalf of httpd, so the unprivileged apache user never needs read access to the keytab. Note that the mod_auth_gssapi module replaces the mod_auth_kerb module, which is no longer available in the current version of Red Hat Enterprise Linux (RHEL).
Prerequisites
- You have installed the httpd, mod_auth_gssapi and gssproxy packages.
- You have set up and started the httpd service.
Procedure
1. Enable access to the keytab file of the HTTP/<SERVER_NAME>@realm principal by creating the service principal:
   # ipa service-add HTTP/<SERVER_NAME>
2. Retrieve the keytab for the principal and store it in the /etc/gssproxy/http.keytab file:
   # ipa-getkeytab -s $(awk '/^server =/ {print $3}' /etc/ipa/default.conf) -k /etc/gssproxy/http.keytab -p HTTP/$(hostname -f)
   This step sets the permissions of the keytab file to 400, so only the root user can read it. The apache user cannot; httpd obtains its Kerberos credentials through gssproxy instead.
3. Create the /etc/gssproxy/80-httpd.conf file with the following content:
   [service/HTTP]
   mechs = krb5
   cred_store = keytab:/etc/gssproxy/http.keytab
   cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
   euid = apache
4. Restart and enable the gssproxy service:
   # systemctl restart gssproxy.service
   # systemctl enable gssproxy.service
Verification
1. Obtain a Kerberos ticket:
   # kinit
2. Open the URL to the protected directory in a browser.
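The following check script is an added example; it is not part of the Red Hat procedure or of the gssproxy project. Run as root after completing the procedure, it verifies the state the steps above should leave behind: a keytab readable by root only, a [service/HTTP] stanza in /etc/gssproxy/80-httpd.conf that matches step 3, and a running, enabled gssproxy service. The GSS_USE_PROXY check is an assumption: gssproxy-mech(8) documents that environment variable as the switch that makes the GSSAPI interposer hand httpd's calls to gssproxy, but how it reaches httpd's environment is not covered on this page. The KEYTAB and GSSPROXY_CONF variables and all function names are the example's own.

```shell
#!/bin/sh
# Added example: post-setup checks for the gssproxy/httpd privilege split.
# Paths default to the ones used in the procedure above; override via env.
KEYTAB=${KEYTAB:-/etc/gssproxy/http.keytab}
GSSPROXY_CONF=${GSSPROXY_CONF:-/etc/gssproxy/80-httpd.conf}

# keytab_perms_ok FILE [OWNER]
# The keytab must belong to OWNER (root by default) and be readable by the
# owner only: ipa-getkeytab leaves it at mode 400; 600 is also owner-only.
# Any group/other bit would let the apache user read the key directly,
# which defeats the point of putting gssproxy in front of it.
keytab_perms_ok() {
    file=$1; owner=${2:-root}
    [ -f "$file" ] || { echo "missing keytab: $file" >&2; return 1; }
    mode=$(stat -c '%a' "$file") && fowner=$(stat -c '%U' "$file") || return 1
    [ "$fowner" = "$owner" ] || { echo "keytab owner is $fowner, want $owner" >&2; return 1; }
    case $mode in
        400|600) return 0 ;;
        *) echo "keytab mode is $mode, want 400" >&2; return 1 ;;
    esac
}

# gssproxy_conf_ok FILE KEYTAB
# Checks the [service/HTTP] stanza from step 3: mechs = krb5, a keytab
# cred_store pointing at KEYTAB, a ccache cred_store, and euid = apache.
# Lines outside that stanza are ignored, so other [service/...] blocks in
# the same file do not interfere.
gssproxy_conf_ok() {
    file=$1; keytab=$2
    [ -f "$file" ] || { echo "missing gssproxy config: $file" >&2; return 1; }
    awk -v keytab="$keytab" '
        function val(s) { sub(/^[^=]*=[[:space:]]*/, "", s); sub(/[[:space:]]+$/, "", s); return s }
        /^[[:space:]]*\[/ { in_http = ($0 ~ /^[[:space:]]*\[service\/HTTP\][[:space:]]*$/); next }
        !in_http { next }
        /^[[:space:]]*mechs[[:space:]]*=/ { mechs = val($0) }
        /^[[:space:]]*euid[[:space:]]*=/  { euid = val($0) }
        /^[[:space:]]*cred_store[[:space:]]*=[[:space:]]*keytab:/ { kt = substr(val($0), 8) }
        /^[[:space:]]*cred_store[[:space:]]*=[[:space:]]*ccache:/ { cc = substr(val($0), 8) }
        END {
            ok = 1
            if (mechs != "krb5")  { print "mechs = \"" mechs "\", want krb5" > "/dev/stderr"; ok = 0 }
            if (euid != "apache") { print "euid = \"" euid "\", want apache" > "/dev/stderr"; ok = 0 }
            if (kt != keytab)     { print "keytab cred_store = \"" kt "\", want " keytab > "/dev/stderr"; ok = 0 }
            if (cc == "")         { print "no ccache cred_store in [service/HTTP]" > "/dev/stderr"; ok = 0 }
            exit (ok ? 0 : 1)
        }' "$file"
}

# services_ok
# gssproxy must be active and enabled, the euid user must exist, and httpd
# must run with GSS_USE_PROXY in its environment so that the GSSAPI interposer
# hands its calls to gssproxy (gssproxy-mech(8)). Assumption: that variable is
# supplied by httpd's unit environment; the procedure above does not set it.
services_ok() {
    bad=0
    systemctl is-active --quiet gssproxy.service  || { echo "gssproxy.service is not active" >&2; bad=1; }
    systemctl is-enabled --quiet gssproxy.service || { echo "gssproxy.service is not enabled" >&2; bad=1; }
    id -u apache >/dev/null 2>&1 || { echo "no apache user for euid = apache" >&2; bad=1; }
    pid=$(systemctl show -p MainPID --value httpd.service 2>/dev/null)
    if [ -n "$pid" ] && [ "$pid" != 0 ] && [ -r "/proc/$pid/environ" ]; then
        tr '\0' '\n' < "/proc/$pid/environ" | grep -q '^GSS_USE_PROXY=' \
            || { echo "httpd (pid $pid) runs without GSS_USE_PROXY" >&2; bad=1; }
    else
        echo "httpd.service is not running; cannot inspect its environment" >&2; bad=1
    fi
    return $bad
}

main() {
    rc=0
    keytab_perms_ok "$KEYTAB" || rc=1
    gssproxy_conf_ok "$GSSPROXY_CONF" "$KEYTAB" || rc=1
    services_ok || rc=1
    [ "$rc" -eq 0 ] && echo "gssproxy/httpd setup is consistent"
    return $rc
}

# Usage (as root): sh check-gssproxy-httpd.sh check
# Without the argument only the functions are defined, so the file can be sourced.
case ${1:-} in check) main ;; esac
```

Each function reports one specific mismatch on stderr and returns non-zero, so a failing run points at the exact step of the procedure to revisit.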
For details, see gssproxy(8), gssproxy-mech(8), gssproxy.conf(5) man pages on your system.