Security modules for Apache

Daniel Kouřil, Matej Prišťák

AFS & Kerberos Best Practices Workshop 2009



mod_auth_kerb - 5.4

  • released in Dec 2008

  • Several patches from the community

    • ANY for key selection, …

  • Support for aname_to_lname()

    • Stripping realm name

  • Optimization and bug fixes

    • Build doesn't require GNU make



mod_auth_kerb – CVS

  • Basic provider for Kerberos

    • Requires Apache 2.2

    • Multiple mechanisms for password verification

AuthType Basic
AuthName "Basic authN"
AuthBasicProvider file kerberos
AuthUserFile /etc/apache2/htpasswd
KrbAuthRealms EXAMPLE.ORG
Require valid-user



General authN provider

  • Basic/Digest/… providers support only a single authN type

    • Users use X.509, Negotiate, local passwords and Kerberos passwords, …

    • Multiple authN types can't be specified

  • General provider

    • supports more authN mechanisms

    • PoC implementation available

      • meta.cesnet.cz/soubory/mod_auth_provider.tar.gz

    • Extended AuthType directive



mod_auth_provider

  • New layer between Apache and modules API

    • Existing modules are plugged in

    • Implemented as authN module

    • forced to be invoked first in the chain

      • Other modules never get called

  • No adaptations of existing modules needed


Diagram: httpd -> authentication -> auth provider -> authN module 1 / authN module 2 / authN module 3



Username mappings

  • Multiple identifiers of the same user

  • Difficult management of authZ policies

  • Difficult maintenance of applications

    • Adding new authN methods requires changes in application code

  • /DC=cz/DC=cesnet-ca/O=Masaryk University/CN=Daniel Kouril

  • CN=Daniel Kouril,O=Masaryk University,DC=cesnet-ca,DC=cz

  • [email protected], [email protected]

  • [email protected]



mod_map_user

  • Rule-based rewriting of usernames

    • PoC implemented and available

      • CVS module next to mod_auth_kerb

  • Implements the authZ API of Apache

    • Called after authN as the first authZ module

  • Two mapping schemas:

    • MapUsernameFile <file>

      • File consists of lines <orig_name> <new_name>

    • MapUsernameRule [<auth_type>:]<RE> <result>

      • Kerberos:(.*)@(.*) "$1"
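The two mapping schemas above (MapUsernameFile pairs and MapUsernameRule with an optional auth_type prefix and "$N" back-references) modelled in Python as an added example; this is not mod_map_user's own code. Assumptions: the new name in a mapfile line is its last whitespace-separated token (so a DN containing spaces still parses), the file is consulted before the rules, the first matching rule wins, and the "$l"/"$n"/"$r" modifiers of the final slide are not implemented. The names and rules are constructed from the values on the slides.

```python
import re

# Constructed MapUsernameFile content: "<orig_name> <new_name>" per line.
# Assumption: <new_name> is the last token, so an X.509 DN with spaces in
# <orig_name> (as on the slide) is still parsed correctly.
MAP_FILE = """\
/DC=cz/DC=cesnet-ca/O=Masaryk University/CN=Daniel Kouril uid=kouril,ou=People,dc=EXAMPLE,dc=ORG
"""

# Constructed rules in MapUsernameRule form: (auth_type or None, <RE>, <result>).
RULES = [
    ("Kerberos", r"(.*)@(.*)", "$1"),                          # strip the realm
    ("Basic", r"(.*)", "uid=$1,ou=People,dc=EXAMPLE,dc=ORG"),  # local users -> LDAP DN
]


def parse_map_file(text):
    """Build the orig_name -> new_name table from MapUsernameFile text."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # assumption: comments are skipped
            continue
        orig, new = line.rsplit(None, 1)
        table[orig] = new
    return table


def expand(template, match):
    """Replace every "$N" in <result> with capture group N of the matched RE."""
    return re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))), template)


def map_user(auth_type, name, table, rules):
    """Return the rewritten username; unchanged input if no mapping applies.
    Assumption: file lookup first, then the first rule whose auth_type
    (if any) equals the request's authN type and whose RE matches the whole name."""
    if name in table:
        return table[name]
    for rule_type, pattern, result in rules:
        if rule_type is not None and rule_type != auth_type:
            continue
        m = re.fullmatch(pattern, name)
        if m:
            return expand(result, m)
    return name


TABLE = parse_map_file(MAP_FILE)
```

Note that a realm-stripping rule such as `Kerberos:(.*)@(.*) "$1"` gives identically named principals from different realms the same local username, so it should only be combined with a restrictive KrbAuthRealms setting.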


Putting all together

Diagram: [email protected], kouril and /DC=cz/DC=cesnet-ca/O=Masaryk University/CN=Daniel Kouril are all mapped to uid=kouril,ou=People,dc=EXAMPLE,dc=ORG

SSL + local htpasswd + Negotiate + Kerberos password

AuthType Basic:Kerberos
SSLVerifyClient optional
SSLOptions +FakeBasicAuth
AuthBasicProvider file
AuthUserFile /etc/apache2/htpasswd
KrbAuthRealms EXAMPLE.ORG
KrbMethodNegotiate on
KrbMethodK5Passwd on
MapUsernameFile /etc/apache2/user-mapfile
MapUsernameRule Kerberos:(.*)@(.*) "uid=$l$1$n,ou=People,$r"
MapUsernameRule Basic:(.*) "uid=$l$1$n,ou=People,dc=EXAMPLE,dc=ORG"
require valid-user

Or:

AuthLDAPURL ldap://ldap.example.org/ou=People,dc=EXAMPLE,dc=ORG?dn?one
require ldap-attribute authorized=yes

htpasswd file:

kouril:$apr1$bQt9v...$EPr7.g0.CuS99ehguitCo.
/DC=cz/DC=…./CN=Daniel Kouril:xxj31ZMTZzkVA

