Kerberos and Apache reverse proxy

Kerberos and Apache reverse proxy

Jaap Winius-2

Hi folks,

Is Kerberos authentication for a web service still possible if that  
service is placed behind an Apache reverse proxy that also happens to  
use Kerberos authentication?

I'd like to do this for a MediaWiki server that already uses Kerberos  
authentication, but I suspect that doing so would break that  
mechanism, thus preventing users from automatically logging into their  
wiki accounts.

Is this assumption correct?

Thanks,

Jaap

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Kerberos and Apache reverse proxy

Jaap Winius-2

Quoting Dmitri Pal <[hidden email]>:

> It should not. The Kerberos authenticated users should just map to existing
> users.
> See mod_auth_gssapi for more details.
> https://github.com/modauthgssapi/mod_auth_gssapi/blob/master/README

It's great to hear that a solution like this exists, but as my luck  
would have it, mod_auth_gssapi, which is included in the Debian  
package libapache2-mod-auth-gssapi, is not available for Debian  
wheezy, and this is the OS that my MediaWiki server is still running  
on. So currently, if I access the MediaWiki server directly, all is  
fine. But if I attempt to access it through the proxy, the proxy's  
Apache error.log says:

   [Sat Jul 14 00:44:41.794483 2018] [access_compat:error] [pid 25847] [client 72.85.26.20:39214] AH01797: client denied by server configuration: proxy:http://192.168.20.22/mediawiki

While over on the backend MediaWiki server, the Apache error.log says:

   [Sat Jul 14 01:44:41 2018] [error] [client 185.57.111.47] gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information (, )

It looks like this is where I could really use mod_auth_gssapi on the  
backend, but alas. Might anyone know of a workaround, or another  
package that I could use instead?

Thanks,

Jaap

Re: Kerberos and Apache reverse proxy

Dmitri Pal
Hello,

You can use an older package called mod_auth_kerb.
It is not recommended, as mod_auth_gssapi is much better, but if your distro does
not have it you might not have a choice.

Thanks
Dmitri

--

Thank you,
Dmitri Pal

Engineering Director, Identity Management and Platform Security
Red Hat, Inc.
Re: Kerberos and Apache reverse proxy

Jaap Winius-2

Quoting Dmitri Pal <[hidden email]>:

> You can use an older package called mod_auth_kerb.
> It is not recommended, as mod_auth_gssapi is much better, but if your distro does
> not have it you might not have a choice.

Sorry, but I neglected to say that I already had  
libapache2-mod-auth-kerb installed on both servers; it's what I've  
been using for some time to support Kerberos authentication for  
directly connected users. But, I guess that package is just not good  
enough for the proxy configuration that I have in mind.

Cheers,

Jaap

Re: Kerberos and Apache reverse proxy

Dmitri Pal
I am sorry I missed the proxy aspect in your original mail.

But proxy with Kerberos in general is not a simple thing to do and should
be avoided.
Some hints on how to deal with proxy if you want Kerberos to work can be
found here.
https://ssimo.org/blog/id_019.html
I am not sure whether they are applicable to your situation or not.

The user's service ticket needs to get to your actual wiki, and it should
match the wiki's service principal and key in the keytab.
If the proxy gets in the way you will have issues.

What you can do is try KDC proxy instead of the reverse proxy.
https://github.com/latchset/kdcproxy/blob/master/README

Dmitri

Re: Kerberos and Apache reverse proxy

Jochen Hein
Dmitri Pal <[hidden email]> writes:

> Some hints on how to deal with proxy if you want Kerberos to work can be
> found here.
> https://ssimo.org/blog/id_019.html
> I am not sure whether they are applicable to your situation or not.

Thanks for the hint.

> What you can do is try KDC proxy instead of the reverse proxy.
> https://github.com/latchset/kdcproxy/blob/master/README

That's for getting a Kerberos ticket from your KDC via HTTP instead of
port 88.  I guess it wouldn't help here.

Jochen

--
This space is intentionally left blank.
Re: Kerberos and Apache reverse proxy

Dmitri Pal
On Sat, Jul 14, 2018 at 6:51 AM, Jochen Hein <[hidden email]> wrote:

> Dmitri Pal <[hidden email]> writes:
>
> > Some hints on how to deal with proxy if you want Kerberos to work can be
> > found here.
> > https://ssimo.org/blog/id_019.html
> > I am not sure whether they are applicable to your situation or not.
>
> Thanks for the hint.
>
> > What you can do is try KDC proxy instead of the reverse proxy.
> > https://github.com/latchset/kdcproxy/blob/master/README
>
> That's for getting a Kerberos ticket from your KDC via HTTP instead of
> port 88.  I guess it wouldn't help here.
>

It depends on how tickets are acquired and where the firewalls are.
