Opened 17 years ago
Last modified 12 years ago
#11 new enhancement
SPNEGO/Kerberos authentication
Reported by: | andersk | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | web | Keywords: | |
Cc: | | | |
Description
(Imported from help.mit.edu #406732.)
andersk:
TODO: enable SPNEGO/Kerberos authentication on scripts.
Unfortunately, we think it may be hard to make this work with *.scripts.mit.edu because we don't have infinitely many keytabs. Does anyone know if it can be done?
andersk:
The situation may be more hopeful than we think; I now believe that the keytab only has to match the reverse DNS. Will test later.
Change History (5)
comment:1 Changed 17 years ago by price
- Priority changed from major to minor
comment:2 Changed 15 years ago by mitchb
Possibly the client for RT ticket 869781 would like to know if this ever gets done.
comment:3 Changed 14 years ago by adehnert
Apparently this should be trivial, once we pick a port. 442 is what XVM uses.
comment:4 Changed 14 years ago by andersk
We don’t need to pick a port. It will work fine over port 443.
comment:5 Changed 13 years ago by adehnert
Auth: yes
Time: Mon Apr 4 00:23:34 2011
Host: LINERVA.MIT.EDU
From: Anders Kaseorg <andersk>
IIRC, the real problem we had last time was that mod_auth_kerb is structured in such a way as to require the Apache user to have read access on the keytab, which is no good.
In particular, symlink attacks, RewriteMap, and various other things can probably be used to make Apache output a file that it can read, so the keytab needs to be not readable to the Apache user. It should be possible to just load it into memory when Apache starts up, though, and then use it for verifying the clients are legitimate.
From talking to Anders, this means
But it looks like not many users will appreciate this feature for some years.
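One way to audit the property comment:5 calls for (a keytab that the Apache service account must not be able to read), as an added example that is not part of this ticket or of the scripts.mit.edu code. The readability model, the uid/gid 33 used for the service account, and the temporary file in the demo are all constructed assumptions; the audit refuses to follow a symlink at the keytab path, since the comment names symlinks as one way the file could be swapped for something Apache can read.

```python
import os
import stat

# Readability model used by the audit below (an assumption of this example,
# not something from the ticket): root reads anything, otherwise the
# owner/group/other read bits decide.
def readable_by(mode, owner_uid, owner_gid, uid, gid, groups=()):
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if gid == owner_gid or owner_gid in groups:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def assess_keytab(mode, owner_uid, owner_gid, is_symlink,
                  service_uid, service_gid, service_groups=()):
    """Return a list of findings for a keytab with the given metadata.
    An empty list means: not a symlink, owned by root, no group/other
    bits, and unreadable by the service (Apache) account."""
    findings = []
    perm = stat.S_IMODE(mode)
    if is_symlink:
        findings.append("keytab path is a symlink; audit the target, not the link")
    if owner_uid != 0:
        findings.append("keytab is not owned by root (uid %d)" % owner_uid)
    if perm & 0o077:
        findings.append("keytab mode %o grants group/other access" % perm)
    if readable_by(perm, owner_uid, owner_gid,
                   service_uid, service_gid, service_groups):
        findings.append("keytab is readable by the service account (uid %d)"
                        % service_uid)
    return findings

def audit_keytab(path, service_uid, service_gid, service_groups=()):
    """Audit a keytab on disk. lstat() is used so that a symlink placed at
    the path is reported instead of silently followed."""
    st = os.lstat(path)
    return assess_keytab(st.st_mode, st.st_uid, st.st_gid,
                         stat.S_ISLNK(st.st_mode),
                         service_uid, service_gid, service_groups)

if __name__ == "__main__":
    import tempfile
    # Constructed demo: a world-readable keytab-like file audited against a
    # hypothetical Apache account with uid/gid 33. The bytes written are a
    # placeholder; only the file's ownership and mode matter to the audit.
    with tempfile.NamedTemporaryFile(suffix=".keytab", delete=False) as f:
        f.write(b"\x05\x02")
        demo = f.name
    os.chmod(demo, 0o644)
    for finding in audit_keytab(demo, 33, 33):
        print(finding)
    os.chmod(demo, 0o600)
    print("after chmod 0600:", audit_keytab(demo, 33, 33) or "no findings")
    os.unlink(demo)
```

Run as an unprivileged user the demo still reports "not owned by root" after the chmod, which is the intended outcome: the check is meant to pass only for the root-owned, mode 0600 keytab that a privileged startup step would load into memory before Apache drops to its service user.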