Installing mod_auth_kerb (v. 4.x)




Retrieving the module source

The source can be downloaded from the Project Site link. The .zip and .tar.gz distributions expect to be extracted at the root of the Apache source tree; they set up the paths needed to compile the module from within the source tree, as in all of the non-DSO compile instructions on this page. The .c distribution is normally downloaded by those wishing to compile mod_auth_kerb as a DSO.

Here is a direct link to the file download listing off the project page just in case you want to skip the middleman.



Building mod_auth_kerb as a dso

The easiest way to compile mod_auth_kerb is as a DSO using apxs. If you compile it using apxs, all you have to do is (we'll assume apxs is in your path for this example):

apxs -c -DKRB5 -DKRB_DEF_REALM=\\\"EOS.NCSU.EDU\\\" \
  -I/usr/kerberos/include -L/usr/kerberos/lib -lkrb5 \
  -ldl -lcom_err -lk5crypto mod_auth_kerb.c
Or something along those lines. I'll have better documentation whenever I get the configure script stuff going.



Building Apache with mod_auth_kerb

The first example is a simple one providing only KerberosV5 support and setting a default realm. I normally create two scripts to set up the environment appropriately, as follows:

doconfig

env 'LIBS=-L/usr/kerberos/lib -lkrb5 -lcrypto -lcom_err' \
   'CFLAGS=-DKRB5 -DKRB_DEF_REALM=\\\"EOS.NCSU.EDU\\\"' \
   'INCLUDES=-I/usr/kerberos/include' \
   ./configure --enable-module=cern_meta --enable-module=expires \
   --enable-module=headers --enable-module=info \
   --enable-module=rewrite --enable-module=status \
   --prefix=/local/httpd \
   --add-module=src/modules/kerberos/mod_auth_kerb.c

docompile
env 'LIBS=-L/usr/kerberos/lib -lkrb5 -lcrypto -lcom_err' \
   'CFLAGS=-DKRB5 -DKRB_DEF_REALM=\\\"EOS.NCSU.EDU\\\"' \
   'INCLUDES=-I/usr/kerberos/include' \
   make

As you can see, the environment variable LIBS contains all the options necessary to link in the Kerberos V5 libraries, while INCLUDES contains the include options needed to find the Kerberos V5 header files. CFLAGS contains -DKRB5 for Kerberos V5 support and/or -DKRB4 for Kerberos V4 support. You can specify both if you wish to compile in support for both. CFLAGS is also used for various other compile-time options, such as the KRB_DEF_REALM define. All of these defines are explained below. The configure command is passed the option --add-module=src/modules/kerberos/mod_auth_kerb.c so configure knows to link in that module.

Before we go into the explanation of the defines, I'd like to display my doconfig and docompile scripts, which include almost all of the supported functionality:

doconfig

env 'LIBS=-L/usr/kerberos/lib -lkrb524 -lkrb4 -lkrb5 \
/usr/kerberos/lib/libcrypto.a -lcom_err -L/local/ssl/lib \
-L/local/mm/lib -lrsaref /usr/athena/lib/libhesiod.a \
-lsocket -lresolv -lnsl' \
'INCLUDES=-I/usr/kerberos/include \
-I/usr/kerberos/include/kerberosIV -I/local/ssl/include \
-I/local/mm/include -I/usr/athena/include \
-I/local/src/rsaref/source' \
'CFLAGS=-DKRB5 -DKRB5_VERIFY_TICKET \
-DKRB_DEF_REALM=\\\"EOS.NCSU.EDU\\\" -DKRB5_SAVE_CREDENTIALS \
-DKRB4 -DKRB4_SAVE_TICKETS -DHESIOD' \
'SSL_BASE=/local/src/openssl-0.9.4' \
'RSA_BASE=/local/src/rsaref/comp' \
'EAPI_MM=/local/src/mm-1.0.9' \
./configure --enable-module=headers --enable-module=info \
        --enable-module=rewrite --prefix=/local/ap_krbtest \
        --enable-module=mime_magic --enable-module=ssl \
        --add-module=src/modules/kerberos/mod_auth_kerb.c \
        --add-module=src/modules/wrap/mod_auth_wrap.c

docompile
env 'LIBS=-L/usr/kerberos/lib -lkrb524 -lkrb4 -lkrb5 \
/usr/kerberos/lib/libcrypto.a -lcom_err -L/local/ssl/lib \
-L/local/mm/lib -lrsaref /usr/athena/lib/libhesiod.a \
-lsocket -lresolv -lnsl' \
'INCLUDES=-I/usr/kerberos/include \
-I/usr/kerberos/include/kerberosIV -I/local/ssl/include \
-I/local/mm/include -I/usr/athena/include \
-I/local/src/rsaref/source' \
'CFLAGS=-DKRB5 -DKRB5_VERIFY_TICKET \
-DKRB_DEF_REALM=\\\"EOS.NCSU.EDU\\\" -DKRB5_SAVE_CREDENTIALS \
-DKRB4 -DKRB4_SAVE_TICKETS -DHESIOD' \
'SSL_BASE=/local/src/openssl-0.9.4' \
'RSA_BASE=/local/src/rsaref/comp' \
'EAPI_MM=/local/src/mm-1.0.9' \
make
Nasty, isn't it? As you can see, I had to do some 'fighting' to get everything to compile together happily. You'll also notice that I'm compiling a second module into it as well, so not all of those options are necessary for mod_auth_kerb. However, I just wanted to show a more complex form of the config and compile.



Defines

The following defines can be added to the CFLAGS line to add/alter functionality of the compiled module:

  • APXS2 - Compile with support for the Apache 2.* api.
  • KRB5 - Compile in Kerberos V5 support.
  • KRB4 - Compile in Kerberos V4 support.
  • HESIOD - Compile in Hesiod group check support. It allows you to use "require group hesgroupname" to check against a hesiod group, thereby allowing group based authentication instead of per-user based.
  • DUAL_AUTH - While compiling in support for KRB5 and KRB4 will allow you to specify an AuthType of KerberosV5 and KerberosV4, DUAL_AUTH will do a 'double check'. Instead of only doing one, it will check against Kerberos V5, and if that fails, try Kerberos V4, or vice versa. You must also define both KRB5 and KRB4 for this to work effectively. Which version of Kerberos it tries first is determined by whatever the AuthType is set to.
  • KRB5_SAVE_CREDENTIALS - Force mod_auth_kerb to keep the credential cache around after authentication. This is useful for cgi scripts that might need that credential cache. The cache is always named /tmp/krb5cc_%s where %s is the username that was authenticated against.
  • KRB4_SAVE_TICKETS - Force mod_auth_kerb to keep the ticket file around after authentication. Similar to KRB5_SAVE_CREDENTIALS, except that it applies to Kerberos V4 instead of V5. The ticket file is named /tmp/apache_tkt_%s where %s is the username that was authenticated against.
  • KRB5_VERIFY_TICKET - Force mod_auth_kerb to require a krb5 service ticket of www/hostname for the machine, to prevent KDC spoofing attacks. The principal should have a name of the form "www/<hostname>", where <hostname> is the fully-qualified hostname of the host where the httpd process is running. It must be the actual name as returned by the hostname command, not an alias.
  • KRB_DEF_REALM - Specify the default Kerberos realm.
  • KRB_V5_KEYTAB - Specify the Kerberos V5 keytab location.
  • KRB_V4_SRVTAB - Specify the Kerberos V4 srvtab location.
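
With KRB5_SAVE_CREDENTIALS or KRB4_SAVE_TICKETS compiled in, credential files with predictable names stay behind in /tmp, so it is worth checking that each one is a regular file, accessible only to its owner, and owned by the account httpd runs as. The script below is an added example, not part of mod_auth_kerb or the original page; the function name, the finding labels and the uid argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of mod_auth_kerb): audit the credential files that
# KRB5_SAVE_CREDENTIALS / KRB4_SAVE_TICKETS leave behind.
# Usage: audit_saved_creds DIR UID
#   DIR  directory holding the files (/tmp according to the text above)
#   UID  numeric uid the httpd children run as (assumption: supplied by you)
# Prints one finding per line and returns 1 if anything was flagged.
audit_saved_creds() {
    dir=$1; want_uid=$2; rc=0
    for f in "$dir"/krb5cc_* "$dir"/apache_tkt_*; do
        # An unmatched glob stays literal: skip it, but keep dangling symlinks.
        [ -e "$f" ] || [ -L "$f" ] || continue
        if [ -L "$f" ]; then
            echo "SYMLINK $f"; rc=1; continue
        fi
        # ls -ldn: field 1 is the mode string, field 3 the numeric owner.
        meta=$(ls -ldn "$f" | awk '{print $1 " " $3}')
        perms=${meta%% *}; uid=${meta#* }
        case $perms in
            -r?-------*) ;;   # regular file, owner read/write only
            *) echo "MODE $perms $f"; rc=1 ;;
        esac
        [ "$uid" = "$want_uid" ] || { echo "OWNER $uid $f"; rc=1; }
    done
    return $rc
}

# Stand-alone use: sh audit.sh /tmp 48   (48 is a placeholder uid)
if [ "$#" -eq 2 ]; then
    audit_saved_creds "$1" "$2"
fi
```

A non-zero exit status means at least one file was flagged; the script only reports and never changes or removes anything.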

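KRB5_VERIFY_TICKET depends on the keytab holding a www/ principal for the exact fully-qualified name the hostname command returns, so a keytab issued for an alias will not satisfy it. The check below is an added example, not part of mod_auth_kerb or the original page: it reads `klist -k` output on stdin and reports whether that principal is present. The function names, result labels, and sample host and realm are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of mod_auth_kerb): confirm that a keytab listing
# holds the www/<hostname> principal that KRB5_VERIFY_TICKET requires.
# Usage: klist -k KEYTAB | check_www_principal "$(hostname)"
# Prints OK, MISMATCH <www principals found>, MISSING or NOTFQDN;
# returns 0 only for OK.
check_www_principal() {
    host=$1
    # The text above requires a fully-qualified name, so insist on a dot.
    case $host in
        *.*) ;;
        *) echo "NOTFQDN $host"; return 1 ;;
    esac
    awk -v want="www/$host" '
        # Entry lines look like "  <kvno> <principal>@<REALM>".
        $1 ~ /^[0-9]+$/ && $2 ~ /^www\// {
            p = $2; sub(/@.*$/, "", p)        # drop the realm
            if (p == want) ok = 1; else other = other " " $2
        }
        END {
            if (ok)          { print "OK " want; exit 0 }
            if (other != "") { print "MISMATCH" other; exit 1 }
            print "MISSING"; exit 1
        }'
}

# Constructed sample of `klist -k` output (host names and realm are made up):
# the keytab was issued for the alias www.example.edu, not for web1.
sample_klist() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------
   3 host/web1.example.edu@EXAMPLE.EDU
   2 www/www.example.edu@EXAMPLE.EDU
EOF
}

# Demo on the constructed sample; the host is really named web1.example.edu.
sample_klist | check_www_principal web1.example.edu || true
```

On a real host, point `klist -k` at the keytab given by KRB_V5_KEYTAB and pass the output of the hostname command as the argument.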

Other Compiling Notes

Linking with SSL

  • SSLeay's libcrypto redefines the DES functions needed by libkrb. When compiling V4 support with SSL, leave off the -ldes. This will likely cause "unix_time_gmt_unixsec" to not be defined. One way to take care of this problem is the following:
    • cd /tmp
    • cp /usr/kerberos/lib/libdes.a . (or libdes425.a if Kerberos V5)
    • ar x libdes.a
    • link unix_time.o into the apache binary by adding it to apache_1.3.6/src/Makefile on the OBJS line (about line 65) as the first item, right before modules.o
    • Thanks to Sean Fulton for pointing this out.
  • If using V5 support, note that libkrb5 needs libcrypto. This causes serious conflicts with the SSL libcrypto library. The best way I found to get around this is to simply specify the full path to libcrypto. In my case, that makes the LIBS line look like:
        LIBS=-L/usr/kerberos/lib -lkrb5 \
            /usr/kerberos/lib/libcrypto.a -lcom_err
        

Building Stronghold

Thanks to David MacKenzie for the patches to allow mod_auth_kerb to be used with Stronghold. His instructions are as follows:

To compile this module under Stronghold 2.4.1, you need to prevent it
from including Stronghold's SSL include files.
To link it, you need to avoid a few library symbol conflicts.

Configure Stronghold as usual, with AddModule modules/extra/mod_auth_kerb.o
Don't add the Kerberos include or link directives to the
Stronghold Configuration file or configure arguments.

In include/httpd.h, add #ifdef STRONGHOLD around the last three
elements of struct conn_rec.
In include/ap_config_auto.h, comment out the #define STRONGHOLD.


Compile this module by hand omitting many of the standard command line
arguments; I used, on BSDI BSD/OS 3.1 with krb5:
 cd stronghold/src
 perl -p -i.dist -e 's/_des_ecb_encrypt/_Des_ecb_encrypt/g; \
    s/_des_is_weak_key/_Des_is_weak_key/g; \
    s/_des_key_sched/_Des_key_sched/g' ../ssl/lib/libcrypto.a
 cd modules/extra
 gcc -c -I/usr/local/krb5/include -I../../os/unix \
    -I../../include -O2 -DKRB5 mod_auth_kerb.c
 ld -r -o kerb.o mod_auth_kerb.o -L/usr/local/krb5/lib \
    -lkrb5 -lcrypto -lcom_err
 mv kerb.o mod_auth_kerb.o
 cd ../..
 make

For Kerberos V4:
 gcc -c -I/usr/include/kerberosIV -I../../os/unix \
         -I../../include -O2 -DKRB4 mod_auth_kerb.c
 ld -r -o kerb.o mod_auth_kerb.o -lkrb -ldes