6.4 :: Web Server Authentication (TLS/PAM/Kerb5) |
Using the appropriate Apache module, you can have usernames & passwords authenticated against a Kerberos realm. There are several methods for doing this, such as GSS-API-enabled browsers and Apache modules, and using TLS-encrypted PLAIN AUTH sessions that authenticate via PAM, which is configured to use pam_krb5.
This example uses TLS-encrypted PLAIN AUTH sessions (HTTP Basic authentication, with the password protected only by the TLS tunnel) to authenticate via a Kerberos KDC. Here is how I set up such a service with Apache 2 and mod_auth_pam on Red Hat 9:
Step 1: Environment & Prerequisites:
Red Hat 9 with the following components:
Network authentication is handled by two centralized MIT Kerberos 5 servers, naming handled by NIS master and slave.
You should also already have a working Apache TLS/SSL setup. A short HOWTO can be found at www.vanemery.com.
Step 2: Installation:
mod_auth_pam can be obtained from PAM.SourceForge.Net. My instructions pretty much follow the instructions found on the SourceForge website:
Download mod_auth_pam-2.0-1.1.1.tar.gz, then gunzip and untar it. Then do this:
# cd mod_auth_pam*
# make
# make install
This will compile and install the module. Two new modules will appear in /usr/lib/httpd/modules:
mod_auth_pam.so
mod_auth_sys_group.so
Step 3: Configuration
/etc/httpd/conf/httpd.conf
Assuming that you already have a working Apache config, you will need to modify httpd.conf. Add the following entries under the "Dynamic Shared Object (DSO) Support" section:
LoadModule auth_pam_module modules/mod_auth_pam.so
LoadModule auth_sys_group_module modules/mod_auth_sys_group.so
/etc/httpd/conf.d/ssl.conf
Assuming you have properly setup and tested your SSL certificates, keys, and basic configuration file, here are the configuration statements that I added to protect the /var/www/tls/tpk5 directory tree:
<Directory "/var/www/tls/tpk5">
    AuthType Basic
    AuthName "Kerb 5 Username and Password Required"
    Require valid-user
    AllowOverride None
</Directory>
Note: /var/www/tls is the document root for my Apache https server.
/etc/pam.d/httpd
To allow HTTP authentication based on the Kerberos 5 PAM module, this is how I set up my httpd PAM service file:
#%PAM-1.0
auth       required     /lib/security/$ISA/pam_env.so
auth       sufficient   /lib/security/$ISA/pam_krb5.so minimum_uid=5000
auth       required     /lib/security/$ISA/pam_deny.so
account    required     /lib/security/$ISA/pam_krb5.so
After the configuration changes, Apache must be restarted.
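The PAM stack above is where the security of this setup is decided: pam_krb5 must be "sufficient" so a good password short-circuits the stack, the stack must end in pam_deny so it fails closed, and minimum_uid keeps root and system accounts from ever being usable as web logins. The following checker, added here as an example and not part of the HOWTO or of mod_auth_pam, parses a file in /etc/pam.d syntax and reports deviations from that shape. The file contents, the function names and the 1000 UID floor are this example's own assumptions.

```python
# Added example (not from the original HOWTO): parse a PAM service file such as
# /etc/pam.d/httpd and check the properties that matter for web authentication.
# Sample contents are constructed from the stack shown above; the checks and
# function names are this example's own, not part of mod_auth_pam.
from typing import NamedTuple


class PamEntry(NamedTuple):
    type: str      # auth, account, password, session
    control: str   # required, requisite, sufficient, optional
    module: str    # basename of the module, e.g. pam_krb5.so
    args: dict     # key=value options; value is None for flag-style options


def parse_pam_service(text: str) -> list:
    """Parse Linux-PAM service-file syntax: type control module [args...]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments, incl. "#%PAM-1.0"
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        ptype, control, module, *args = fields
        opts = {}
        for arg in args:
            key, sep, val = arg.partition("=")
            opts[key] = val if sep else None
        entries.append(PamEntry(ptype, control, module.rsplit("/", 1)[-1], opts))
    return entries


def check_httpd_stack(entries: list, min_uid: int = 1000) -> list:
    """Return a list of findings; an empty list means the stack looks sound."""
    findings = []
    auth = [e for e in entries if e.type == "auth"]
    if not auth:
        return ["no auth entries: the service has no authentication decision at all"]
    # 1. Fail closed: the last auth entry should be pam_deny, so a missing or
    #    failing pam_krb5 can never leave the stack without a decision.
    last = auth[-1]
    if last.module != "pam_deny.so" or last.control not in ("required", "requisite"):
        findings.append("auth stack does not end with 'auth required pam_deny.so'")
    # 2. pam_krb5 must be present and 'sufficient' so success stops before pam_deny.
    krb = [e for e in auth if e.module == "pam_krb5.so"]
    if not krb:
        findings.append("pam_krb5.so is not in the auth stack")
    else:
        if krb[0].control != "sufficient":
            findings.append("pam_krb5.so should be 'sufficient' so success skips pam_deny")
        # 3. minimum_uid keeps root and system accounts out of the web login path.
        uid = krb[0].args.get("minimum_uid")
        if uid is None or int(uid) < min_uid:
            findings.append(f"pam_krb5.so minimum_uid missing or below {min_uid}")
    # 4. Basic auth only proves the password; an account phase is needed so that
    #    expired or otherwise invalid principals are also refused.
    if not any(e.type == "account" for e in entries):
        findings.append("no account entry: account validity is never checked")
    return findings


# Constructed sample: the stack from this HOWTO, and a weakened variant.
HTTPD_PAM = """\
#%PAM-1.0
auth       required     /lib/security/$ISA/pam_env.so
auth       sufficient   /lib/security/$ISA/pam_krb5.so minimum_uid=5000
auth       required     /lib/security/$ISA/pam_deny.so
account    required     /lib/security/$ISA/pam_krb5.so
"""

WEAK_PAM = """\
auth       sufficient   pam_krb5.so
account    required     pam_krb5.so
"""

if __name__ == "__main__":
    for name, text in (("howto", HTTPD_PAM), ("weak", WEAK_PAM)):
        print(name, check_httpd_stack(parse_pam_service(text)) or ["ok"])
```

Run against a real file with `check_httpd_stack(parse_pam_service(open("/etc/pam.d/httpd").read()))`; the weakened variant trips two findings (no trailing pam_deny, no minimum_uid), while the HOWTO's stack passes.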
Step 4: Testing:
Now, you can test the setup. Point a browser at the web server and use the following URL:
https://hork.yourdomain.net/tpk5/test.html, where "test.html" is any HTML file that you have dropped into the protected directory.
Here is what we see in the logs for a successful authentication:
/var/log/messages:
Mar 30 09:51:32 hork httpd: pam_krb5: authentication succeeds for `van1'
/var/log/httpd/ssl_access_log
10.10.22.41 - hork [30/Mar/2004:09:51:32 +0800] "GET /tpk5/test.html HTTP/1.1" 200 13692
Here is what we see on the active KDC in the /var/log/krb5kdc.log file:
09:51:32 das-m.kerb.org krb5kdc[25165](info): AS_REQ (3 etypes{16 3 1}) 10.10.22.41(88): ISSUE: authtime 10806, etypes {rep=16 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
09:51:32 das-m.kerb.org krb5kdc[25165](info): AS_REQ (3 etypes{16 3 1}) 10.10.22.41(88): ISSUE: authtime 10806, etypes {rep=16 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
Here is what we see in the logs for an unsuccessful authentication:
/var/log/messages:
Mar 30 10:26:43 demo2 httpd: pam_krb5: authenticate error: Decrypt integrity check failed (-1765328353)
Mar 30 10:26:43 demo2 httpd: pam_krb5: authentication fails for `kitty'
/var/log/httpd/ssl_error_log
[Tue Mar 30 10:26:43 2004] [error] [client 10.10.22.41] PAM: user 'kitty' - not authenticated: Authentication failure, referer: https://hork.yourdomain.net/
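Three log sources describe every login here: syslog (pam_krb5's verdict), Apache's ssl_error_log (which client failed for which user) and the KDC's krb5kdc.log. The KDC view alone is not enough: if a principal does not require preauthentication, the KDC logs ISSUE even for a wrong password, because the failure ("Decrypt integrity check failed") only surfaces when pam_krb5 cannot decrypt the reply on the web server. The script below is an added example, not from the HOWTO, that reads all three and reports per-user outcomes, per-client failures and the number of AS_REQs the KDC sees per page hit; the sample lines are constructed from the excerpts above (the realm EXAMPLE.ORG and the extra failure lines are placeholders), and the regexes match this Red Hat 9 era format rather than any fixed API.

```python
# Added example (not from the original HOWTO): correlate the three logs that
# record a Basic-auth-over-TLS login backed by pam_krb5. Sample lines are
# constructed from the excerpts on this page; EXAMPLE.ORG is a placeholder realm.
import re
from collections import Counter, defaultdict

MESSAGES = """\
Mar 30 09:51:32 hork httpd: pam_krb5: authentication succeeds for `van1'
Mar 30 10:26:43 demo2 httpd: pam_krb5: authenticate error: Decrypt integrity check failed (-1765328353)
Mar 30 10:26:43 demo2 httpd: pam_krb5: authentication fails for `kitty'
Mar 30 10:26:50 demo2 httpd: pam_krb5: authentication fails for `kitty'
Mar 30 10:27:02 demo2 httpd: pam_krb5: authentication fails for `kitty'
"""

SSL_ERROR_LOG = """\
[Tue Mar 30 10:26:43 2004] [error] [client 10.10.22.41] PAM: user 'kitty' - not authenticated: Authentication failure, referer: https://hork.yourdomain.net/
[Tue Mar 30 10:26:50 2004] [error] [client 10.10.22.41] PAM: user 'kitty' - not authenticated: Authentication failure, referer: https://hork.yourdomain.net/
[Tue Mar 30 10:27:02 2004] [error] [client 10.10.22.41] PAM: user 'kitty' - not authenticated: Authentication failure, referer: https://hork.yourdomain.net/
"""

# Two AS_REQs for one successful page hit (as the Final Notes observe), and an
# ISSUE for the wrong-password attempt: without preauthentication the KDC cannot
# tell it apart from a success.
KDC_LOG = """\
09:51:32 das-m.kerb.org krb5kdc[25165](info): AS_REQ (3 etypes{16 3 1}) 10.10.22.41(88): ISSUE: authtime 10806, etypes {rep=16 tkt=16 ses=16}, van1@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
09:51:32 das-m.kerb.org krb5kdc[25165](info): AS_REQ (3 etypes{16 3 1}) 10.10.22.41(88): ISSUE: authtime 10806, etypes {rep=16 tkt=16 ses=16}, van1@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
10:26:43 das-m.kerb.org krb5kdc[25165](info): AS_REQ (3 etypes{16 3 1}) 10.10.22.41(88): ISSUE: authtime 12917, etypes {rep=16 tkt=16 ses=16}, kitty@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
"""

PAM_RE = re.compile(r"httpd: pam_krb5: authentication (succeeds|fails) for `([^']+)'")
APACHE_RE = re.compile(r"\[client (\d+\.\d+\.\d+\.\d+)\] PAM: user '([^']+)' - not authenticated")
KDC_RE = re.compile(r"^(\S+) \S+ krb5kdc\[\d+\]\(info\): AS_REQ .*? (\d+\.\d+\.\d+\.\d+)\(\d+\): (\w+):")


def pam_outcomes(messages: str) -> dict:
    """Map user -> {'succeeds': n, 'fails': m} from pam_krb5 syslog lines."""
    out = defaultdict(Counter)
    for line in messages.splitlines():
        m = PAM_RE.search(line)
        if m:
            out[m.group(2)][m.group(1)] += 1
    return {user: dict(c) for user, c in out.items()}


def failing_clients(ssl_error_log: str) -> Counter:
    """Count not-authenticated events per (client IP, user) from Apache's error log."""
    c = Counter()
    for line in ssl_error_log.splitlines():
        m = APACHE_RE.search(line)
        if m:
            c[(m.group(1), m.group(2))] += 1
    return c


def as_req_per_second(kdc_log: str) -> Counter:
    """Count AS_REQs per (timestamp, client, result): shows requests per page hit."""
    c = Counter()
    for line in kdc_log.splitlines():
        m = KDC_RE.match(line)
        if m:
            c[(m.group(1), m.group(2), m.group(3))] += 1
    return c


def users_over_threshold(messages: str, max_fails: int = 3) -> list:
    """Users whose pam_krb5 failure count reaches max_fails (a password-guessing signal)."""
    return sorted(u for u, c in pam_outcomes(messages).items()
                  if c.get("fails", 0) >= max_fails)


if __name__ == "__main__":
    print("pam outcomes:", pam_outcomes(MESSAGES))
    print("failing clients:", dict(failing_clients(SSL_ERROR_LOG)))
    print("AS_REQ per second:", dict(as_req_per_second(KDC_LOG)))
    print("users over threshold:", users_over_threshold(MESSAGES))
```

On the constructed sample the KDC shows two ISSUE entries at 09:51:32 for one successful page load, and an ISSUE for kitty's failed attempt as well; only syslog and ssl_error_log attribute the failures to a user and a client address, so a failure threshold should be fed from those two rather than from the KDC log.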
Final Notes:
From watching a packet analyzer, it appears as if two Kerberos 5 requests are issued for every page request in the protected directory of the server. This is just an example of how you can use PAM + Kerberos + TLS to authenticate users; it is not an industrial-strength tested solution. Your mileage may vary!
Also, there is another Apache module called mod_auth_kerb. It can be installed and used with Kerberized browsers.