Discussion:
Kerberos for authentication, php for authorization
Steve Webb
2007-06-07 13:16:26 UTC
Hello,

I have been requested to build a web app for my medium sized organization
that currently has Kerberos 5 running on the network. The webapp will
require non-technical users to be able to log on remotely through a web
browser (IE only is fine but there must not be any other client programs
involved) and then be given different privileges within the app depending
on their role.

Being a newbie to kerberos I have done some reading about possible
implementation techniques for Kerberos in web apps but have one question I
am hoping some of the gurus out there may be able to help with:
*Q. Can Kerberos be used to authenticate users and a php script then given
access to a user's username in order to authorize privileges?*
From my reading I believe that using the mod_auth_kerb module for Apache in
Negotiation mode may be the best bet for my needs but am hoping to confirm
whether or not a php script on the same apache server can gain access to the
users username in order to ascertain roles from a database, where I am quite
happy to duplicate usernames if need be.

If this scenario is not possible, can anyone offer suggestions as to a
viable method to implement such a web application.

Thanks in advance!
George
Ali, Saqib
2007-06-07 14:02:49 UTC
Use SPNEGO for Kerberos authentication for web apps. And the username
will be set in the REMOTE_HTTP_USER server variable.

saqib
http://www.full-disk-encryption.net
Post by Steve Webb
Hello,
I have been requested to build a web app for my medium sized organization
that currently has Kerberos 5 running on the network. The webapp will
require non-technical users to be able to log on remotely through a web
browser (IE only is fine but there must not be any other client programs
involved) and then be given different privileges within the app depending
on their role.
Being a newbie to kerberos I have done some reading about possible
implementation techniques for Kerberos in web apps but have one question I
*Q. Can Kerberos be used to authenticate users and a php script then given
access to a user's username in order to authorize privileges?*
From my reading I believe that using the mod_auth_kerb module for Apache in
Negotiation mode may be the best bet for my needs but am hoping to confirm
whether or not a php script on the same apache server can gain access to the
users username in order to ascertain roles from a database, where I am quite
happy to duplicate usernames if need be.
If this scenario is not possible, can anyone offer suggestions as to a
viable method to implement such a web application.
Thanks in advance!
George
________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
--
Saqib Ali, CISSP, ISSAP
http://www.full-disk-encryption.net
s***@gmail.com
2007-06-07 14:24:12 UTC
Post by Steve Webb
*Q. Can Kerberos be used to authenticate users and a php script then given
access to a user's username in order to authorize privileges?*
From my reading I believe that using the mod_auth_kerb module for Apache in
Negotiation mode may be the best bet for my needs but am hoping to confirm
whether or not a php script on the same apache server can gain access to the
users username in order to ascertain roles from a database, where I am quite
happy to duplicate usernames if need be.
mod_auth_kerb works great in the right conditions. You must be using
IE or a newer Firefox. Linux works great (not sure about other Unix
systems). On Windows the two browsers can only acquire credentials
from the LSA which means the workstation needs to be joined to a
domain, I believe.
From the server side, when Apache authenticates a user, it sets the
environment variable REMOTE_USER to the full principal name, so PHP
can get it from $_SERVER['REMOTE_USER'].
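The REMOTE_USER hand-off described above, as an added PHP example that is not from this thread or from mod_auth_kerb; the realm name and the role table are constructed assumptions standing in for the poster's database lookup:

```php
<?php
// Map the Kerberos principal that mod_auth_kerb places in REMOTE_USER
// onto an application role. Added example; constructed data throughout.

const EXPECTED_REALM = 'EXAMPLE.COM';          // assumption: the org's realm
const ROLE_TABLE = [                           // constructed; normally a DB query
    'alice' => 'admin',
    'bob'   => 'editor',
];

/**
 * Reduce "user@REALM" to "user", refusing anything that is not a plain
 * user principal in the expected realm. Returns null on any mismatch, so
 * a principal from a trusted foreign realm never silently becomes a local user.
 */
function principal_to_username(?string $principal, string $realm = EXPECTED_REALM): ?string
{
    if ($principal === null || $principal === '') {
        return null;                            // Apache did not authenticate this request
    }
    $parts = explode('@', $principal);
    if (count($parts) !== 2 || $parts[1] !== $realm) {
        return null;                            // missing realm, wrong realm, or malformed
    }
    // A "/" would mean a service or instance principal (e.g. host/www.example.com),
    // which should never be treated as an application user.
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $parts[0])) {
        return null;
    }
    return $parts[0];
}

function role_for_user(?string $username): string
{
    if ($username === null) {
        return 'none';
    }
    return ROLE_TABLE[$username] ?? 'guest';    // authenticated but no role assigned
}

// Only REMOTE_USER is trustworthy: Apache sets it after a successful Negotiate
// exchange. A client-supplied "Remote-User" header would surface as
// $_SERVER['HTTP_REMOTE_USER'], which this script never reads.
$user = principal_to_username($_SERVER['REMOTE_USER'] ?? null);
$role = role_for_user($user);
if ($role === 'none') {
    http_response_code(403);
    exit('Not authenticated');
}
// Gate application features on $role from here on.
```

If mod_auth_kerb's KrbLocalUserMapping directive is enabled, the realm is already stripped before REMOTE_USER is set, so the realm restriction must then be enforced in Apache (KrbAuthRealms) rather than in this script. Under PHP as CGI the value may appear as REDIRECT_REMOTE_USER instead.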
Christopher D. Clausen
2007-06-07 14:38:07 UTC
Post by s***@gmail.com
On Windows the two browsers can only acquire credentials
from the LSA which means the workstation needs to be joined to a
domain, I believe.
That isn't true. You can configure Firefox on Windows to use
credentials from Kerberos for Windows ccaches instead of using
Microsoft's Kerberos. Just set
network.negotiate-auth.using-native-gsslib to false in about:config.

<<CDC
Simon Wilkinson
2007-06-08 08:00:09 UTC
On 7 Jun 2007, at 15:24, <slushpupie at gmail.com>
Post by s***@gmail.com
mod_auth_kerb works great in the right conditions. You must be using
IE or a newer Firefox. Linux works great (not sure about other Unix
systems). On Windows the two browsers can only acquire credentials
from the LSA which means the workstation needs to be joined to a
domain, I believe.
It works with both recent Opera and Safari too, for some definition
of works.

Where you hit problems is where the name of your webserver is not the
hostname of your machine. Different browsers handle this situation in
different ways. Some (Firefox) use the DNS to canonicalise the name -
so meaning that you (should) always see GSSAPI requests for HTTP/
<hostname> principals. Others (Safari) use the name as entered by the
user with no canonicalisation.

Ultimately, this means you may need to have a keytab containing
multiple different principals for your service, and have
mod_auth_kerb accept any one of these principals. Unfortunately, the
code isn't there to do that in current mod_auth_kerb. Russ posted a
patch that iterates through every key in the keytab - that should be
available from the mod_auth_kerb mailing list. I also have a simpler
patch that uses the new behaviour of gss_accept_sec_context when the
server credentials are set to GSS_C_NO_CREDENTIAL, that I must
contribute upstream.

Cheers,

Simon.
Michael B Allen
2007-06-08 16:34:19 UTC
On Fri, 8 Jun 2007 09:00:09 +0100
Post by Simon Wilkinson
Ultimately, this means you may need to have a keytab containing
multiple different principals for your service, and have
mod_auth_kerb accept any one of these principals. Unfortunately, the
code isn't there to do that in current mod_auth_kerb.
This seems odd to me. The krb5 lib should automatically seek out the
right key by searching for the desired principal, enctype and kvno.

I have tested this. The setup script for our product will generate a
keytab with an entry for each SPN mapped to the Windows account. Then
you can use any one of those hostnames and it works equally well.

What is it that mod_auth_kerb is doing differently?

Mike
--
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
Simon Wilkinson
2007-06-08 17:14:38 UTC
Post by Michael B Allen
On Fri, 8 Jun 2007 09:00:09 +0100
Post by Simon Wilkinson
Ultimately, this means you may need to have a keytab containing
multiple different principals for your service, and have
mod_auth_kerb accept any one of these principals. Unfortunately, the
code isn't there to do that in current mod_auth_kerb.
This seems odd to me. The krb5 lib should automatically seek out the
right key by searching for the desired principal, enctype and kvno.
No, that's not how it works if you specify a principal when you call
gss_accept_sec_context. When a principal is specified the library
will only accept incoming connections which are directed at that
principal.

mod_auth_kerb specifies HTTP/<gethostname()> as its acceptor
principal, unless you override that with a mod_auth_kerb
configuration directive, and even then you can only change it to use
a different, single, principal. Historically, that's the best you
could do with MIT Kerberos, unless you open the keytab, parse it to
extract principal names, and call gss_accept_sec_context with each of
them until it works.

Recent MIT libraries (for some value of recent - I'm not sure when
the code went in) allow you to pass GSS_C_NO_CREDENTIAL into the
gss_accept_sec_context routine, so that it will accept any principal
in the keytab. I suspect that this is the behaviour you are relying
on - but mod_auth_kerb doesn't invoke the GSSAPI library in this way,
and so doesn't have that feature.

Aside: If you're using a single, general purpose, keytab you almost
certainly _don't_ want the GSS_C_NO_CREDENTIAL behaviour - you want
to be sure that your ssh service will only accept 'host/' principals,
for example.

Cheers,

Simon.
Michael B Allen
2007-06-08 17:58:46 UTC
On Fri, 8 Jun 2007 18:14:38 +0100
Post by Simon Wilkinson
Aside: If you're using a single, general purpose, keytab you almost
certainly _don't_ want the GSS_C_NO_CREDENTIAL behaviour - you want
to be sure that your ssh service will only accept 'host/' principals,
for example.
Ahh, ok. But why is using GSS_C_NO_CREDENTIAL a problem exactly? If the
key is good, the key is good, no?

Mike
--
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
Russ Allbery
2007-06-08 18:23:05 UTC
mod_auth_kerb specifies HTTP/<gethostname()> as its acceptor principal,
unless you override that with a mod_auth_kerb configuration directive,
and even then you can only change it to use a different, single,
principal.
I submitted a patch to fix this eons ago that I thought they accepted.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
Michael B Allen
2007-06-07 15:53:43 UTC
On Thu, 7 Jun 2007 23:16:26 +1000
Post by Steve Webb
Hello,
I have been requested to build a web app for my medium sized organization
that currently has Kerberos 5 running on the network. The webapp will
require non-technical users to be able to log on remotely through a web
browser (IE only is fine but there must not be any other client programs
involved) and then be given different privileges within the app depending
on their role.
Being a newbie to kerberos I have done some reading about possible
implementation techniques for Kerberos in web apps but have one question I
*Q. Can Kerberos be used to authenticate users and a php script then given
access to a user's username in order to authorize privileges?*
From my reading I believe that using the mod_auth_kerb module for Apache in
Negotiation mode may be the best bet for my needs but am hoping to confirm
whether or not a php script on the same apache server can gain access to the
users username in order to ascertain roles from a database, where I am quite
happy to duplicate usernames if need be.
If this scenario is not possible, can anyone offer suggestions as to a
viable method to implement such a web application.
Hi Steve,

If you're using AD and your web server is Linux, there's a product that
is specifically designed for this sort of thing. It's called Plexcel:

http://www.ioplex.com/plexcel.html

Plexcel will authenticate clients using Kerberos 5 / SPNEGO / Single
Sign-On (SSO), but users can also authenticate using explicit credentials
(e.g. if they're not logged into the domain). You have access to all
of the user's information within the script and you can check to see
if they're in different Windows groups. You can set passwords, create accounts,
whatever.

You can find detailed API documentation here:

http://www.ioplex.com/api/plexcel_new.html

Also, it's free for up to 25 users.

If you have any more questions feel free to contact our support email
directly.

Or you could use mod_auth_kerb to do the authentication and then use the
PHP ldap API to check group membership, but you'll find a few limitations
in this solution.

Mike
--
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/