Page tree

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Note

All of the instructions below assume that you have root access, and will work as the root user (either directly or using sudo).

Numbered Headings

System Preparation

Add the Moonshot libraries

If you have not already done so, you first need to follow the instructions on how to install the Moonshot Libraries on RHEL/CentOS/SL 6.

Install some prerequisites

Building the Apache mod_auth_gssapi module requires you to have several packages already installed on the machine. To install them:

Code Block
languagebash
$ yum install autoconf automake krb5-workstation krb5-devel git httpd httpd-devel gcc

Build the module

We are now ready to build the Apache module.

  1. Get a copy of the code via git:

    Code Block
    languagebash
    $ git clone http://www.project-moonshot.org/git/mod_auth_kerb.git
  2. Enter the directory that just got created:

    Code Block
    languagebash
    $ cd mod_auth_kerb
  3. Run autoconf:

    Code Block
    languagebash
    $ autoconf
  4. Currently, there is a problem with the automake configuration. Until this is addressed, run autoreconf as follows:

    Code Block
    languagebash
    $ autoreconf -vfi
  5. The apxs script is not set as executable. Fix it manually:

    Code Block
    languagebash
    $ chmod +x ./apxs.sh
  6. Build the software:

    Code Block
    languagebash
    $ ./configure --sysconfdir=/etc --prefix=/usr && make && make install
    Tip
    titleTip

    This will install the module to /usr/lib/httpd/modules. On 64-bit platforms, you should run the following configure command in step 6:

    Code Block
    languagebash
    $ ./configure --sysconfdir=/etc --prefix=/usr --libdir=/usr/lib64

Installation Instructions

  1. To enable the Apache module, remove the comment from the below line in /etc/httpd/conf/httpd.conf:

    Code Block
    languagebash
    LoadModule auth_gssapi_module /usr/lib64/httpd/modules/mod_auth_gssapi.so
  2. Add a dummy Kerberos key to make the module happy:

    Code Block
    languagebash
    $ ktutil
    ktutil:  addent -password -p HTTP/localhost@YOUR-WEBSERVER-HOSTNAME -k 1 -e aes256-cts
    <enter any password>
    ktutil:  wkt /etc/httpd/krb5.keytab
    ktutil:  quit
  3. Export the location of the keytab file into Apache's config:

    Code Block
    languagebash
    $ echo export KRB5_KTNAME=/etc/httpd/krb5.keytab >> /etc/httpd/envvars
    Note
    titleAlternative

    Alternatively, you can use the GSSKrb5Keytab configuration option in the Location directive in Section 3.1 to specify the keytab.

  4. Assign the correct permissions to the keytab file:

    Code Block
    languagebash
    $ chown apache.apache /etc/httpd/krb5.keytab
  5. Ensure that the certificates referenced in /etc/radsec.conf can be read by the Apache user:

    Code Block
    languagebash
    $ su - --shell=/bin/bash apache
    $ cat path_to_ca.pem
    $ cat path_to_client.pem
    $ cat path_to_client.key
  6. Verify that the KeepAlive option is enabled in the Apache configuration file /etc/httpd/conf/httpd.conf:

    Code Block
    languagebash
    KeepAlive On
  7. Restart Apache:

    Code Block
    languagebash
    $ service httpd restart

Configuration Instructions

Warning
titleShibboleth2 Apache module incompatibility

Please note that this module is currently not compatible with the Shibboleth2 service provider Apache module. When testing or using the Moonshot module, disable the Shibboleth module and restart the webserver before attempting your test. We are attempting to resolve this problem.

Protecting a location with Moonshot

To protect a particular location on your Apache server, you must configure it with an AuthType of "Negotiate".

Tip
titleExample

To allow anyone with a valid Moonshot account to access /wherever, you would do the following:

Code Block
linenumberstrue
<Location "/wherever">
    AuthType Negotiate
    Require valid-user
</Location>

Populating REMOTE_USER

Web services often rely on the REMOTE_USER Apache environment variable for user information, such as a local user account or a pseudonymous identifier.

To populate REMOTE_USER, update the reply from the RP Proxy with the User-Name RADIUS attribute in the RP Proxy's post-auth section:

Code Block
update reply {
        User-Name := "content"
}

HTTPS Internet Explorer compatibility

For updated best practice with Internet Explorer connections, you should also read Microsoft's HTTPS and Keep-Alive Connections article.