Security modules for Apache

Daniel Kouřil, Matej Prišťák

AFS & Kerberos Best Practices Workshop 2009

mod_auth_kerb - 5.4
  • released in Dec 2008
  • Several patches from the community
    • ANY for key selection (KrbServiceName Any: accept any service key found in the keytab), …
  • Support for aname_to_lname() (principal-to-local-name mapping)
    • Stripping the realm name
  • Optimization and bug fixes
    • Build doesn't require GNU make
mod_auth_kerb – CVS
  • Basic provider for Kerberos
    • Requires Apache 2.2
    • Multiple mechanisms for password verification: providers are consulted in the order listed in AuthBasicProvider
    • With the kerberos provider the user's Kerberos password travels in the Basic header of every request, so this must only be served over TLS

    AuthType Basic
    AuthName "Basic authN"
    AuthBasicProvider file kerberos
    AuthUserFile /etc/apache2/htpasswd
    KrbAuthRealms EXAMPLE.ORG
    Require valid-user

General authN provider
  • Basic/Digest/… providers support only a single authN type each
    • Users authenticate with X.509, Negotiate, local passwords, Kerberos passwords, …
    • Multiple authN types can't be specified for one location
  • General provider
    • supports several authN mechanisms side by side
    • PoC implementation available
      • meta.cesnet.cz/soubory/mod_auth_provider.tar.gz
    • Extended AuthType directive (several types, separated by ":")
mod_auth_provider
  • New layer between Apache and the module API
    • Existing modules are plugged into it
    • Implemented as an authN module itself
    • Forced to be invoked first in the authN chain
      • Apache's hook dispatch never reaches the other authN modules; the provider invokes them
  • No adaptations of existing modules needed
[Diagram: httpd's authentication hook calls the auth provider, which in turn calls authN module 1, authN module 2 and authN module 3]

Username mappings
  • Multiple identifiers for the same user
  • Difficult management of authZ policies
  • Difficult maintenance of applications
    • Adding a new authN method requires changes in application code
mod_map_user
  • Rule-based rewriting of usernames
    • PoC implemented and available
      • CVS module next to mod_auth_kerb
  • Implements the authZ API of Apache
    • Called after authN, as the first authZ module
  • Two mapping schemas:
    • MapUsernameFile <file>
      • File consists of lines <orig_name> <new_name>
    • MapUsernameRule [<auth_type>:]<RE> <result>
      • e.g. Kerberos:(.*)@(.*) "$1" strips the realm from a Kerberos principal
Putting it all together

[Diagram: the same person under four identifiers: a Kerberos principal (shown as [email protected] in the source), the local username kouril, the X.509 DN /DC=cz/DC=cesnet-ca/O=Masaryk University/CN=Daniel Kouril, and the LDAP DN uid=kouril,ou=People,dc=EXAMPLE,dc=ORG]

SSL + local htpasswd + Negotiate + Kerberos password

    AuthType Basic:Kerberos
    SSLVerifyClient optional
    SSLOptions +FakeBasicAuth
    AuthBasicProvider file
    AuthUserFile /etc/apache2/htpasswd
    KrbAuthRealms EXAMPLE.ORG
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    MapUsernameFile /etc/apache2/user-mapfile
    MapUsernameRule Kerberos:(.*)@(.*) "uid=$l$1$n,ou=People,$r"
    MapUsernameRule Basic:(.*) "uid=$l$1$n,ou=People,dc=EXAMPLE,dc=ORG"
    Require valid-user

Or, instead of accepting any authenticated name, authorize on the mapped LDAP DN:

    AuthLDAPURL ldap://ldap.example.org/ou=People,dc=EXAMPLE,dc=ORG?dn?one
    Require ldap-attribute authorized=yes

Contents of the AuthUserFile:

    kouril:$apr1$bQt9v...$EPr7.g0.CuS99ehguitCo.
    /DC=cz/DC=…./CN=Daniel Kouril:xxj31ZMTZzkVA

The hash on the second line is crypt(3) of the fixed string "password", which FakeBasicAuth substitutes for a verified client certificate; it is a placeholder that lets the file provider accept the certificate's DN as a username, not a secret.
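The mapping step from the mod_map_user slide, run over the identifiers of the configuration above, as an added worked model. This is Python written for this page, not the module's own code. It implements only what the slides state: a MapUsernameFile of `<orig_name> <new_name>` lines and MapUsernameRule directives with an optional `<auth_type>:` prefix and `$N` back-references; the `$l`, `$n` and `$r` markers used in the configuration above are not implemented. File-before-rules, first-match-wins, whole-name matching, splitting map-file lines at the last whitespace, `#` comments in the map file and passing unmapped names through unchanged are assumptions made here. The map file, rules and logins are constructed for the example; the capture groups are deliberately narrower than the `(.*)` on the slide so that a principal or username containing `,` or `=` cannot splice extra RDNs into the resulting DN.

```python
import re

# Constructed MapUsernameFile: one "<orig_name> <new_name>" per line.  The local
# htpasswd account and the X.509 DN (which FakeBasicAuth presents as a Basic
# username) both map to the same LDAP entry.
MAP_FILE = """\
# local account
kouril uid=kouril,ou=People,dc=EXAMPLE,dc=ORG
# client-certificate subject, as FakeBasicAuth hands it to the Basic provider
/DC=cz/DC=cesnet-ca/O=Masaryk University/CN=Daniel Kouril uid=kouril,ou=People,dc=EXAMPLE,dc=ORG
"""

# Constructed MapUsernameRule directives as (spec, result) pairs.  The capture
# group admits only characters valid in an LDAP uid, and the Kerberos rule is
# pinned to the realm that KrbAuthRealms accepts instead of rewriting
# principals from any realm (assumption: the mapper sees the auth type the
# extended AuthType "Basic:Kerberos" assigns).
RULES = [
    (r"Kerberos:([A-Za-z0-9._-]+)@EXAMPLE\.ORG", "uid=$1,ou=People,dc=EXAMPLE,dc=ORG"),
    (r"Basic:([A-Za-z0-9._-]+)", "uid=$1,ou=People,dc=EXAMPLE,dc=ORG"),
]

_AUTH_TYPE_PREFIX = re.compile(r"([A-Za-z0-9]+):(.*)", re.S)
_BACKREF = re.compile(r"\$(\d+)")


class UsernameMapper:
    """Model of mod_map_user: file lookup first, then rules in order, first match wins."""

    def __init__(self, map_file_text, rules):
        self.file_map = {}
        for line in map_file_text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            # Split at the last whitespace so an <orig_name> that itself contains
            # spaces (an X.509 DN) still parses; <new_name> may not contain spaces.
            parts = line.rsplit(None, 1)
            if len(parts) != 2:
                raise ValueError("malformed map line: %r" % line)
            self.file_map[parts[0]] = parts[1]

        self.rules = []
        for spec, result in rules:
            m = _AUTH_TYPE_PREFIX.match(spec)
            auth_type, pattern = (m.group(1), m.group(2)) if m else (None, spec)
            self.rules.append((auth_type, re.compile(pattern), result))

    def map_user(self, auth_type, username):
        """Return the rewritten name, or the original name when nothing matches."""
        if username in self.file_map:
            return self.file_map[username]
        for rule_type, regex, result in self.rules:
            if rule_type is not None and rule_type != auth_type:
                continue
            m = regex.fullmatch(username)  # the whole name must match the RE
            if m is None:
                continue
            return _BACKREF.sub(lambda ref: m.group(int(ref.group(1))), result)
        return username


def demo():
    """Run the slide's identities plus constructed hostile inputs through the mapper."""
    mapper = UsernameMapper(MAP_FILE, RULES)
    logins = [
        ("Kerberos", "kouril@EXAMPLE.ORG"),
        ("Basic", "kouril"),
        ("Basic", "/DC=cz/DC=cesnet-ca/O=Masaryk University/CN=Daniel Kouril"),
        ("Kerberos", "kouril@OTHER.ORG"),              # foreign realm: must not collapse onto kouril
        ("Kerberos", "kouril,ou=Admins@EXAMPLE.ORG"),  # attempted RDN injection via the principal
        ("Basic", "kouril@EXAMPLE.ORG"),               # Kerberos rule does not apply to auth type Basic
    ]
    return {(t, u): mapper.map_user(t, u) for t, u in logins}


if __name__ == "__main__":
    for (auth_type, name), mapped in demo().items():
        note = "" if mapped != name else "   (unmapped: passes 'Require valid-user', fails the LDAP check)"
        print("%-8s %-60s -> %s%s" % (auth_type, name, mapped, note))
```

The three unmapped names in the demo show why the two authorization variants above differ: `Require valid-user` accepts any authenticated name, rewritten or not, whereas `Require ldap-attribute authorized=yes` admits only names that resolve to an LDAP entry carrying that attribute, so a principal from an unexpected realm or a name that no rule matched is rejected rather than silently let through.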
