Kerberos authentication module for nginx


#1

Ciao

It would be very useful for intranet web applications to have a Kerberos
Authentication module like the one for apache httpd
(http://modauthkerb.sourceforge.net/) and the lighttpd one
(http://redmine.lighttpd.net/issues/1899).

Has anyone already implemented it? Is it in the roadmap?

Thanks in advance
Matteo
http://www.redaelli.org/matteo/


#2

On Wed, Apr 29, 2009 at 2:09 AM, Matteo R. removed_email_address@domain.invalid
wrote:

Ciao

It would be very useful for intranet web applications to have a Kerberos
Authentication module like the one for apache httpd
(http://modauthkerb.sourceforge.net/) and the lighttpd one
(http://redmine.lighttpd.net/issues/1899).

Has anyone already implemented it? Is it in the roadmap?

I have a developer working on it right now, actually.

Once his code is in a functional state I’ll want as many people out
there to review and try it.

It’s basically a port of mod_auth_gssapi from Apache, which seemed to
have the strongest SPNEGO support.

I hired the developer through RentACoder; if anyone feels inclined to
pitch in funds to help cover the cost I’d be more than happy to
supplement him/cover some of my out of pocket expense (my company did
not cover it, I paid for it personally to help nginx advance and my
company can benefit from it)

Essentially it will do all the Kerberos work and supply REMOTE_USER
via the environment to PHP, etc.

If you have a good understanding of how it works I’d like your input
on it to make sure the developer is creating it in a useful fashion
(and/or you can help test) - right now I am stuck as I can’t figure
out how to get my Ubuntu machine on our domain at work, and that is
required for this to work. (It would be great if it didn’t have to be
on the domain though … )


#3

I have used modauthkerb for three years without any problem for
authenticating users (ca 25000 daily) in my company.

I’ll be happy to test your code when available.

But please what do you mean with “I can’t figure out how to get my
Ubuntu machine on our domain at work, and that is required for this to
work”.

Must the web server be joined to the Windows Domain in order to be able
to use mod kerb?

With mod_auth_kerb it is not required. You need only to generate a
KEYTAB with the KTPASS command (see
http://www.redaelli.org/matteo/binaries/downloads/documents/apache_kerberos_w2003_spnego.pdf
- sorry for the Italian).

Regards
m a t t e o . r e d a e l l i AT gmail.com



#4

Yes, I believe it has to be on the domain currently.

However, I would -love- for it to not have that requirement.

I will send the code to you separately and you can give it a go. It
sounds like you have better understanding of how this stuff works.

Of course, I don’t know if your company’s implementation differs from
mine (it’s a Windows 2003 [I believe] Active Directory based off LDAP
and supports Kerberos and NTLM) but the idea of this module was for it
to be released to the community for everyone’s benefits. Having no
domain requirement would be an added bonus - perhaps you can examine
it on your boxes. Stay tuned I will be sending a followup email.


#5

On Wed, 29 Apr 2009 02:30:52 -0700
Michael S. removed_email_address@domain.invalid wrote:

If you have a good understanding of how it works I’d like your input
on it to make sure the developer is creating it in a useful fashion
(and/or you can help test)

I would be interested in this, and I’d like to test it if you want to
send something my way.

- right now I am stuck as I can’t figure out how to get my Ubuntu
machine on our domain at work, and that is required for this to work.
(It would be great if it didn’t have to be on the domain though … )

Well, it doesn’t have to be part of the domain if you just set up some
other kerberos realm yourself…


#6

For my purposes, I want it to authenticate against a KDC/LDAP/AD
server, whatever it is. I think it’s a Windows 2003 based network.

But sure, I’ll shoot it to you too. Remember it is very alpha and I
think he said it can crash and he’s trying to fix that.


#7

well at the moment i am waiting for the current developer (that i am
paying) to finish it to a “complete” enough state and then let the
community mature it and hack it up, maybe have igor take a look and
correct any possible things that might make nginx unhappy. the
developer knows C but is not fluent in either nginx or kerberos, so
he’s doing a trial by fire.

the one thing i want to make sure first is that you don’t need to join
the machine to the domain to use it. currently i personally can’t
figure out how to get it all going yet.

but the “terms” of the rentacoder bid were to keep this open and that
it would be released publicly once it is in a functional state. adding
features in can happen after that, but for now i just need basic
SPNEGO type authentication support, and that’s basically the scope of
it. the more people want to hack on it, make it better, enhance it,
the better :)


#8

Ciao Michael

I have tested your alpha/beta kerberos module and it seems to work.

I notice that

*) you cannot set up a user prompt for a workstation not joined to the domain
(I get it with a linux workstation and with mod_auth_kerb and parameter
“KrbMethodK5Passwd on”)
*) it is not possible to limit the users (for instance indicating a
list of users, an AD group [but this could not be possible because of the
kerberos protocol])

I hope that you will distribute the patch to the forum and ask other
people to test it. Or better create an opensource project (github,
google code,sourceforge) where everyone can contribute and improve it.

Regards
Matteo


#9

Ciao Michael,

Any news about your useful new module?

Regards
Matteo



#10

Trying to figure out how to get it to allow authentication against
KDCs without the machine actually being on the domain.

That should allow me to test it personally a lot easier too, and then
I plan on releasing it. The developer has actually joined the list
too…


#11

I’ve never seen it successfully work yet, but I would assume
REMOTE_USER would be populated with domain\username (at least in my
environment)

First we need to get it up and stable and working. Then more features
and maturity can be added :)

Sent from my iPhone

On Jun 11, 2009, at 6:14 AM, Matteo R. removed_email_address@domain.invalid


#12

Ok, thanks

A module parameter for “removing REALMS” would also be useful.

If set to yes, the module should return just ‘username’ and not
‘username’@REALM.COMPANY.COM

Regards
Matteo
http://www.redaelli.org/matteo/

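The two points raised in posts #8 and #12 above (restricting access to an explicit list of users, and stripping the REALM from the principal the module hands back as REMOTE_USER) both belong to the layer that sits behind the module, not to the Kerberos exchange itself. The following is an added example, not code from this thread or from the nginx module being discussed; it shows how an application receiving REMOTE_USER can do both safely. The realm names, user names and allowlist are constructed sample values, and the `DOMAIN\user` form is handled on the assumption that the environment described in post #11 produces it.

```python
"""
Added example (not from the thread or the nginx module under discussion).

Normalizes the principal that Kerberos/SPNEGO authentication exposes as
REMOTE_USER, optionally strips its realm, and enforces a user allowlist.
Realm stripping is only done for realms listed as trusted: reducing
'user@OTHER.REALM' to 'user' would otherwise let a principal from a
foreign realm impersonate the local account of the same name.
"""
from dataclasses import dataclass
import re

# Allowed characters in the user part of a principal ('/' covers instances
# such as host/server.example). Anything else is treated as malformed.
_USER_RE = re.compile(r"[A-Za-z0-9._/-]+")


@dataclass(frozen=True)
class AuthzPolicy:
    # Realms whose principals may be reduced to a bare username. For the
    # 'DOMAIN\user' form the left side is compared against this set, so list
    # the NetBIOS domain name here too if your environment produces that form.
    trusted_realms: frozenset
    # Lower-case bare usernames allowed in; an empty set means "any user
    # from a trusted realm".
    allowed_users: frozenset = frozenset()
    # Whether the identity handed to the application keeps its realm.
    strip_realm: bool = True


def parse_principal(remote_user):
    """Split REMOTE_USER into (user, REALM) or return None if malformed.

    Accepts the Kerberos form 'user@REALM' and the Windows form 'DOMAIN\\user'.
    A value with no realm information is rejected rather than guessed at.
    """
    if not remote_user:
        return None
    if "@" in remote_user:
        # rsplit: the realm is everything after the last '@'.
        user, realm = remote_user.rsplit("@", 1)
    elif "\\" in remote_user:
        realm, user = remote_user.split("\\", 1)
    else:
        return None
    if not user or not realm or not _USER_RE.fullmatch(user):
        return None
    # Realm names are conventionally upper-case; normalize for comparison.
    return user, realm.upper()


def authorize(remote_user, policy):
    """Return the identity to expose to the application, or None to deny."""
    parsed = parse_principal(remote_user)
    if parsed is None:
        return None
    user, realm = parsed
    if realm not in policy.trusted_realms:
        return None
    # Active Directory user names are case-insensitive, so the allowlist is
    # compared in lower case while the original spelling is returned.
    if policy.allowed_users and user.lower() not in policy.allowed_users:
        return None
    return user if policy.strip_realm else f"{user}@{realm}"


if __name__ == "__main__":
    # Constructed sample policy and REMOTE_USER values for a quick run.
    policy = AuthzPolicy(
        trusted_realms=frozenset({"REALM.COMPANY.COM", "CORP"}),
        allowed_users=frozenset({"matteo", "joe"}),
    )
    for value in ("matteo@REALM.COMPANY.COM", "CORP\\Joe",
                  "matteo@OTHER.EXAMPLE", "bob@REALM.COMPANY.COM", "matteo"):
        print(f"{value!r:32} -> {authorize(value, policy)!r}")
```

With `strip_realm` left on, the application sees `matteo` for `matteo@REALM.COMPANY.COM`, while the same username arriving from an untrusted realm, a user not on the list, or a value with no realm at all is denied.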


#13

Any updates on this module? I’ve been looking forward to it since I ran
across this thread at the beginning of the month.

-Joe



#14

My developer (who is out there somewhere) has been busy with some other
stuff…

I’m hoping he can come back and finish up the last bit I want to get
done before releasing it into the wild…

Also if anyone knows C, nginx module coding or especially
Kerberos/SPNEGO/GSSAPI, that would be great to have someone else
review it, enhance it, etc.

I actually got a quote from Sam who is the current MIT Kerberos lead
guy, he was a bit too spendy though as he does not have time. However
if we get it to a certain spot, perhaps he could examine it if other
people want to chip in and polish off any last little bits.