1 / 9

Security modules for Apache

Security modules for Apache. Daniel Kouřil, Matej Prišťák AFS & Kerberos Best Practices Worshop 2009. mod_auth_kerb - 5.4. released in Dec 2008 Several patches from the community ANY for key selection, … Support for aname_to_lname() Stripping realm name Optimization and bug fixes

chanel
Télécharger la présentation

Security modules for Apache

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security modules for Apache Daniel Kouřil, Matej Prišťák AFS & Kerberos Best Practices Worshop 2009

  2. mod_auth_kerb - 5.4 • released in Dec 2008 • Several patches from the community • ANY for key selection, … • Support for aname_to_lname() • Stripping realm name • Optimization and bug fixes • Build doesn‘t require GNU make

  3. mod_auth_kerb – CVS • Basic provider for Kerberos • Requires Apache 2.2 • Multiple mechanisms for password verification AuthType Basic AuthName "Basic authN" AuthBasicProvider file kerberos AuthUserFile /etc/apache2/htpasswd KrbAuthRealms EXAMPLE.ORG Require valid-user

  4. General authN provider • Basic/Digest/… providers support only a single authN type • Users use X.509, Negotiate, local passwords and Kerberos passwords, … • Multiple authN types can‘t be specified • General provider • support more authN mechanisms • PoC implementation available • meta.cesnet.cz/soubory/mod_auth_provider.tar.gz • Extended AuthType directive

  5. mod_auth_provider • New layer between Apache and modules API • Existing modules are plugged in • Implemented as authN module • forced to be invoked first in the chain • Other modules get never called • No adaptations of existing modules needed

  6. httpd authentication auth provider authN module 1 authN module 2 authN module 3

  7. Username mappings • Multiple identifiers of the same user • Difficult management of authZ policies • Difficult maintanance of applications • Adding new authN methods requires changes in application code • /DC=cz/DC=cesnet-ca/O=Masaryk University/CN=Daniel Kouril • CN=Daniel Kouril,O=Masaryk University,DC=cesnet-ca,DC=cz • kouril@ICS.MUNI.CZ, kouril@META • 1388@muni.cz

  8. mod_map_user • Rule-based rewritting of usernames • PoC implemented and available • CVS module next to mod_auth_kerb • Implements the authZ API of Apache • Called after authN as the first authZ module • Two mapping schemas: • MapUsernameFile <file> • File consists of lines <orig_name> <new_name> • MapUsernameRule [<auth_type>:]<RE> <result> • Kerberos:(.*)@(.*) "$1"

  9. kouril@EXAMPLE.ORG kouril /DC=cz/DC=cesnet-ca/O=Masaryk University/CN=Daniel Kouril uid=kouril,ou=People,dc=EXAMPLE,dc=ORG Putting all together SSL + local htpasswd + Negotiate + Kerberos password AuthType Basic:Kerberos SSLVerifyClient optional SSLOptions +FakeBasicAuth AuthBasicProvider file AuthUserFile /etc/apache2/htpasswd KrbAuthRealms EXAMPLE.ORG KrbMethodNegotiate on KrbMethodK5Passwd on MapUsernameFile /etc/apache2/user-mapfile MapUsernameRule Kerberos:(.*)@(.*) "uid=$l$1$n,ou=People,$r" MapUsernameRule Basic:(.*) "uid=$l$1$n,ou=People,dc=EXAMPLE,dc=ORG" require valid-user Or: AuthLDAPURL ldap://ldap.example.org/ou=People,dc=EXAMPLE,dc=ORG?dn?one require ldap-attribute authorized=yes kouril:$apr1$bQt9v...$EPr7.g0.CuS99ehguitCo. /DC=cz/DC=…./CN=Daniel Kouril:xxj31ZMTZzkVA

More Related