Use mod_auth_gssapi instead of mod_auth_kerb

Change configuration on new installs only.

Enable GssapiLocalName so we have access to the local name in
REMOTE_USER and the full principle in GSS_NAME.

Enable GssapiSSLonly even though SSLRequireSSL is also set.
The belt and suspenders principla.

https://fedorahosted.org/ipsilon/ticket/89

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>

diff --git a/README b/README
index dc4dae8..8b4f291 100644 (file)
--- a/README
+++ b/README
@@ -29,8 +29,8 @@ Prerequisites:
 - An unprivileged user to run the Ipsilon code (defaults to 'ipsilon')
 
 Currently there are only two available authentication modules, Kerberos and
-PAM. The Kerberos module uses mod_auth_kerb (which it will configure for you at
-install time), the Pam module simply uses the PAM stack with a default service
+PAM. The Kerberos module uses mod_auth_gssapi (which it will configure for
+you at install time), the Pam module simply uses the PAM stack with a default service
 name set to 'remote'.
 
 NOTE: The PAM module is invoked as an unprivileged user so if you are using the

diff --git a/contrib/fedora/ipsilon.spec b/contrib/fedora/ipsilon.spec
index 8be5f40..335c61b 100644 (file)
--- a/contrib/fedora/ipsilon.spec
+++ b/contrib/fedora/ipsilon.spec
@@ -183,20 +183,20 @@ Provides a login plugin to authenticate against the local PAM stack
 
 
 %package authkrb
-Summary:        mod_auth_kerb based login plugin
+Summary:        mod_auth_gssapi based login plugin
 Group:          System Environment/Base
 License:        GPLv3+
 Requires:       %{name} = %{version}-%{release}
-Requires:       mod_auth_kerb
+Requires:       mod_auth_gssapi
 BuildArch:      noarch
 
 %description authkrb
-Provides a login plugin to allow authentication via the mod_auth_kerb Apache
-module.
+Provides a login plugin to allow authentication via the mod_auth_gssapi
+Apache module.
 
 
 %package authldap
-Summary:        mod_auth_kerb based login plugin
+Summary:        LDAP info and login plugin
 Group:          System Environment/Base
 License:        GPLv3+
 Requires:       %{name} = %{version}-%{release}

diff --git a/doc/design.txt b/doc/design.txt
index 44699c5..08830d2 100644 (file)
--- a/doc/design.txt
+++ b/doc/design.txt
@@ -29,7 +29,7 @@ Architecture
 
 Ipsilon is mostly a web service builtin in python on the cherrypy framework.
 It is normally installed and run in an apache server and some plugins depend
-on authentication modules available in apache like mod_auth_kerb.
+on authentication modules available in apache like mod_auth_gssapi.
 
 Each authentication method is chained to the next in line so that automatic
 fallback can happen and multiple authentication methods can be employed at

diff --git a/ipsilon/login/authkrb.py b/ipsilon/login/authkrb.py
index 60eeb6b..6fc0c53 100644 (file)
--- a/ipsilon/login/authkrb.py
+++ b/ipsilon/login/authkrb.py
@@ -53,7 +53,7 @@ class KrbError(LoginPageBase):
 
     def root(self, *args, **kwargs):
         cherrypy.log.error('REQUEST: %s' % cherrypy.request.headers)
-        # If we have no negotiate header return whatever mod_auth_kerb
+        # If we have no negotiate header return whatever mod_auth_gssapi
         # generated and wait for the next request
 
         if 'WWW-Authenticate' not in cherrypy.request.headers:
@@ -81,8 +81,8 @@ class LoginManager(LoginManagerBase):
         self.path = 'krb/negotiate'
         self.page = None
         self.description = """
-Kereros Negotiate authentication plugin. Relies on the mod_auth_kerb apache
-plugin for actual authentication. """
+Kerberos Negotiate authentication plugin. Relies on the mod_auth_gssapi
+apache plugin for actual authentication. """
         self.new_config(self.name)
 
     def get_tree(self, site):
@@ -96,16 +96,11 @@ plugin for actual authentication. """
 CONF_TEMPLATE = """
 
 <Location /${instance}/login/krb/negotiate>
-  AuthType Kerberos
-  AuthName "Kerberos Login"
-  KrbMethodNegotiate on
-  KrbMethodK5Passwd off
-  KrbServiceName HTTP
-  $realms
+  AuthType GSSAPI
+  AuthName "GSSAPI Single Sign On Login"
   $keytab
-  KrbSaveCredentials off
-  KrbConstrainedDelegation off
-  # KrbLocalUserMapping On
+  GssapiSSLonly $gssapisslonly
+  GssapiLocalName on
   Require valid-user
 
   ErrorDocument 401 /${instance}/login/krb/unauthorized
@@ -124,8 +119,6 @@ class Installer(LoginManagerInstaller):
     def install_args(self, group):
         group.add_argument('--krb', choices=['yes', 'no'], default='no',
                            help='Configure Kerberos authentication')
-        group.add_argument('--krb-realms',
-                           help='Allowed Kerberos Auth Realms')
         group.add_argument('--krb-httpd-keytab',
                            default='/etc/httpd/conf/http.keytab',
                            help='Kerberos keytab location for HTTPD')
@@ -137,14 +130,15 @@ class Installer(LoginManagerInstaller):
         confopts = {'instance': opts['instance']}
 
         if os.path.exists(opts['krb_httpd_keytab']):
-            confopts['keytab'] = '  Krb5KeyTab %s' % opts['krb_httpd_keytab']
+            confopts['keytab'] = 'GssapiCredStore keytab:%s' % (
+                opts['krb_httpd_keytab'])
         else:
             raise Exception('Keytab not found')
 
-        if opts['krb_realms'] is None:
-            confopts['realms'] = '  # KrbAuthRealms - Any realm is allowed'
+        if opts['secure'] == 'no':
+            confopts['gssapisslonly'] = 'Off'
         else:
-            confopts['realms'] = '  KrbAuthRealms %s' % opts['krb_realms']
+            confopts['gssapisslonly'] = 'On'
 
         tmpl = Template(CONF_TEMPLATE)
         hunk = tmpl.substitute(**confopts)  # pylint: disable=star-args