Using the "getcred" login flavor, trusted application servers can
request Kerberos credentials for 3-tier authentication scenarios. This
feature works alongside the "basic" login flavor and is only
meaningful for sites with Kerberos 5 underpinnings.

Support for the "getcred" login flavor comes for free; you don't
actually have to do anything to build it in. But it won't do anything
without the Kerberos 5 verifier, so be sure to build that in using the
--enable-krb5 configure option.
To enable Kerberos credential passing in the login cgi, add the
save_credentials variable to your config file and adjust the
default_realm and append_realm variables as needed. For
example:
    # kerberos verifier config
    basic_verifier: kerberos_v5
    kerberos5_service_name: pubcookie
    kerberos5_keytab: /usr/local/pubcookie/keys/pubcookie.keytab
    save_credentials: t
    getcred_authz_file: /usr/local/pubcookie/getcred_authz
    default_realm: MYREALM.EXAMPLE.EDU
    append_realm: true

The getcred_authz text file defines which application
servers are allowed to request credentials from the "getcred"
flavor. Lines in this file have the following form:
    hostname.myrealm.example.edu SERVICE/servicehost.myrealm.example.edu OK

But you can use wildcards. For example:
    webmail.myrealm.example.edu imap/* OK
    my.example.edu imap/* OK
    portal-dev?.myrealm.example.edu imap/* OK
    cgi.myrealm.example.edu adm/* OK
    superdebug.myrealm.example.edu */* OK

This would allow a webmail server and a portal server to request
IMAP service tickets; possibly more than one portal development server
(e.g., portal-dev1 and portal-dev2) to request IMAP service tickets; a
dedicated CGI server to get ADM tickets (used for self-service quota
setting); and your site administrator's personal test server to get any
service ticket.

Sites with a login server that supports the "getcred" login flavor
can configure the module to request additional Kerberos credentials for
3-tier authentication scenarios.

To configure the module to request that it be sent Kerberos
credentials, set AuthType to your "getcred" login flavor and use the
PubcookieAddlRequest directive to specify the service ticket you want.
For example:
    <Location "/test">
    AuthType getcred
    require valid-user
    PubcookieAddlRequest cred_target=adm/admin.myrealm.example.edu
    </Location>

When someone navigates to the test directory, they will be sent off
to the login server to get a Kerberos 5 service ticket for
adm/admin.myrealm.example.edu.
You can request multiple tickets with the following syntax:
    <Location "/webmail">
    AuthType getcred
    Require valid-user
    PubcookieAddlRequest cred_target=imap/imap.myrealm.example.edu;smtp/smtp.myrealm.example.edu
    </Location>

Here, whenever someone navigates to the webmail directory, they'll be
sent to the login server to get both IMAP and SMTP tickets,
presumably so they can read and send mail authenticated through the
webmail application.
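As an added example (not Pubcookie's own code), here is a small Python checker that parses a getcred_authz file like the one above and decides, for a given requesting host and a PubcookieAddlRequest cred_target value, which of the requested tickets the file permits. It assumes shell-style glob matching ('*' for any run of characters, '?' for exactly one), case-insensitive comparison and '#' comments; the real pubcookie matching rules are not stated on this page.

```python
import fnmatch

# Constructed sample of a getcred_authz file, mirroring the wildcard
# entries discussed above (not a real site's file).
SAMPLE_AUTHZ = """\
# requesting host               service/host principal   verdict
webmail.myrealm.example.edu     imap/*                   OK
my.example.edu                  imap/*                   OK
portal-dev?.myrealm.example.edu imap/*                   OK
cgi.myrealm.example.edu         adm/*                    OK
superdebug.myrealm.example.edu  */*                      OK
"""

def parse_authz(text):
    """Return a list of (host_pattern, service_pattern) entries marked OK.

    Blank lines and '#' comments are skipped (an assumption; the page
    does not say whether the real file accepts comments)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        host_pat, svc_pat, verdict = fields
        if verdict.upper() == "OK":
            entries.append((host_pat.lower(), svc_pat.lower()))
    return entries

def allowed(entries, requesting_host, cred_target):
    """True if requesting_host may ask for the service ticket cred_target.

    Matching is assumed to be shell-style globbing ('*' any run, '?' one
    character), applied separately to the host and to the service/host
    principal; both sides are compared case-insensitively."""
    host = requesting_host.lower()
    target = cred_target.lower()
    return any(fnmatch.fnmatchcase(host, h) and fnmatch.fnmatchcase(target, s)
               for h, s in entries)

def check_request(authz_text, requesting_host, cred_target_value):
    """Split a PubcookieAddlRequest cred_target value on ';' and report
    which of the requested tickets the authz file permits for this host."""
    entries = parse_authz(authz_text)
    return {t: allowed(entries, requesting_host, t)
            for t in cred_target_value.split(";") if t}
```

Run check_request(SAMPLE_AUTHZ, "webmail.myrealm.example.edu", "imap/imap.myrealm.example.edu;smtp/smtp.myrealm.example.edu") to see that the webmail entry permits the IMAP ticket but not the SMTP one, since no line grants smtp/* to that host.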
Kerberos tickets passed via the "getcred" flavor are stored in a
separate Pubcookie session cookie on the application server. They are
exposed to an application by means of a temporary file whose location is
given by the KRB5CCNAME environment variable (usually
/tmp/k5cc_(pid)_(userid)). An application can retrieve the service
ticket from this file and pass it as a credential to authenticate to the
appropriate services. Once the request has been handled, the temporarily
cached credentials are removed by the module.