Opened 14 years ago

Last modified 9 years ago

#11 new enhancement

SPNEGO/Kerberos authentication

Reported by: andersk Owned by:
Priority: minor Milestone:
Component: web Keywords:
Cc:

Description

(Imported from help.mit.edu #406732.)

andersk:

TODO: enable SPNEGO/Kerberos authentication on scripts.

Unfortunately, we think it may be hard to make this work with *.scripts.mit.edu because we don't have infinitely many keytabs. Does anyone know if it can be done?

andersk:

The situation may be more hopeful than we think; I now believe that the keytab only has to match the reverse DNS. Will test later.

Change History (5)

comment:1 Changed 14 years ago by price

  • Priority changed from major to minor

From talking to Anders, this means

  • users with very recent browsers get to authenticate with Kerberos, rather than certs;
  • users with future browsers or friendly with about:config may get to forward tickets where they choose, which would be cool.

But it looks like not many users will appreciate this feature for some years.

comment:2 Changed 13 years ago by mitchb

Possibly the client for RT ticket 869781 would like to know if this ever gets done.

comment:3 Changed 11 years ago by adehnert

Apparently this should be trivial, once we pick a port. 442 is what XVM uses.

comment:4 Changed 11 years ago by andersk

We don’t need to pick a port. It will work fine over port 443.

comment:5 Changed 11 years ago by adehnert

Auth: yes  Time: Mon Apr  4 00:23:34 2011 Host: LINERVA.MIT.EDU
From: Anders Kaseorg <andersk>

IIRC, the real problem we had last time was that mod_auth_kerb is
structured in such a way as to require the Apache user to have read
access on the keytab, which is no good.

In particular, symlink attacks, RewriteMap?, and various other things can probably be used to make Apache output a file that it can read, so the keytab needs to be not readable to the Apache user. It should be possible to just load it into memory when Apache starts up, though, and then use it for verifying the clients are legitimate.

Last edited 9 years ago by adehnert (previous) (diff)
Note: See TracTickets for help on using tickets.