Opened 16 years ago

Last modified 12 years ago

#11 new enhancement

SPNEGO/Kerberos authentication

Reported by: andersk Owned by:
Priority: minor Milestone:
Component: web Keywords:
Cc:

Description

(Imported from help.mit.edu #406732.)

andersk:

TODO: enable SPNEGO/Kerberos authentication on scripts.

Unfortunately, we think it may be hard to make this work with *.scripts.mit.edu because we don't have infinitely many keytabs. Does anyone know if it can be done?

andersk:

The situation may be more hopeful than we think; I now believe that the keytab only has to match the reverse DNS. Will test later.

Change History (5)

comment:1 Changed 16 years ago by price

  • Priority changed from major to minor

From talking to Anders, this means

  • users with very recent browsers get to authenticate with Kerberos, rather than certs;
  • users with future browsers or friendly with about:config may get to forward tickets where they choose, which would be cool.

But it looks like not many users will appreciate this feature for some years.

comment:2 Changed 15 years ago by mitchb

Possibly the client for RT ticket 869781 would like to know if this ever gets done.

comment:3 Changed 13 years ago by adehnert

Apparently this should be trivial, once we pick a port. 442 is what XVM uses.

comment:4 Changed 13 years ago by andersk

We don’t need to pick a port. It will work fine over port 443.

comment:5 Changed 13 years ago by adehnert

Auth: yes  Time: Mon Apr  4 00:23:34 2011 Host: LINERVA.MIT.EDU
From: Anders Kaseorg <andersk>

IIRC, the real problem we had last time was that mod_auth_kerb is structured in such a way as to require the Apache user to have read access on the keytab, which is no good.

In particular, symlink attacks, RewriteMap, and various other things can probably be used to make Apache output a file that it can read, so the keytab needs to be not readable to the Apache user. It should be possible to just load it into memory when Apache starts up, though, and then use it for verifying the clients are legitimate.

Last edited 12 years ago by adehnert
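A pre-flight check for the concern raised in comment 5, added here as an example and not part of the ticket or of mod_auth_kerb: it reports whether the Apache worker account can read the keytab through the plain POSIX mode bits, and whether the keytab is a symlink. The account name `www-data` and the keytab path are assumptions; POSIX ACLs and capabilities are ignored, so a clean result is necessary but not sufficient.

```python
"""Audit a Kerberos keytab against the Apache worker user (added example)."""
import os
import pwd
import grp
import stat
import tempfile


def can_read(mode, file_uid, file_gid, uid, gids):
    """Classic owner/group/other read check. Ignores ACLs (assumption);
    uid 0 is treated as able to read anything."""
    if uid == 0:
        return True
    if uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def user_groups(user):
    """uid plus primary and supplementary gids of a local account."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if user in g.gr_mem)
    return pw.pw_uid, gids


def audit_keytab(path, apache_user="www-data"):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        # The keytab itself should be a regular file, not a link Apache
        # could be coaxed into following.
        findings.append(f"{path} is a symlink")
        st = os.stat(path)  # now inspect the link target's bits
    uid, gids = user_groups(apache_user)
    if can_read(st.st_mode, st.st_uid, st.st_gid, uid, gids):
        findings.append(f"{apache_user} can read {path} (mode {oct(st.st_mode & 0o777)})")
    return findings


if __name__ == "__main__":
    # Demo on a constructed, world-readable temp file audited against the
    # current account, since a real keytab and www-data may not exist here.
    me = pwd.getpwuid(os.getuid()).pw_name
    with tempfile.NamedTemporaryFile(delete=False) as fake_keytab:
        os.chmod(fake_keytab.name, 0o644)
    print(audit_keytab(fake_keytab.name, me))
```

On a real host, run it as root against the deployed keytab path; a finding that names the Apache user means the file must be tightened (for example mode 0600, owned by root) before SPNEGO is enabled.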