Maintenance script: Created page with " === Goal === The main idea here is to find a solution to secure machine profiles with Kerberos using Apache + mod_kerb on the AII server. For the moment, ccm-fetch is don..."

2015-08-26T12:28:18Z

Created page with " === Goal === The main idea here is to find a solution to secure machine profiles with Kerberos using Apache + mod_kerb on the AII server. For the moment, ccm-fetch is don..."

New page

=== Goal ===
The main idea here is to find a solution to secure machine profiles with Kerberos using Apache + mod_kerb on the AII server.

For the moment, ccm-fetch is done through SSL on the server side, with authentication of machines by their SSL certificate on the client side.

We could simplify a bit the profile fetching process by allowing machines to authenticate thanks to their own Kerberos keytab. This would eliminate the need for machines to have an SSL certificate.

=== Configuring the Apache server ===
We were inspired by these pages :

http://www.microhowto.info/howto/configure_apache_to_use_kerberos_authentication.html

http://www.microhowto.info/howto/add_a_host_or_service_principal_to_a_keytab_using_mit_kerberos.html

==== Defining an HTTP directory protected by Kerberos ====
Create a file /etc/httpd/conf.d/auth_kerb.conf with the following content :
<pre>
LoadModule auth_kerb_module modules/mod_auth_kerb.so
<Location /private>
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbAuthRealms WN.IIHE.AC.BE
Krb5KeyTab /etc/httpd/conf/aiisrv.keytab
require valid-user
</Location>
</pre>

In the Apache location, create a simple text file (file.txt) that will be used during tests.
==== Creation of a service principal for HTTP on the AII server ====
To do this, use the FreeIPA web interface (tab "Indentity" > "Services"). The HTTP service principal should be :
<pre>
HTTP/aiisrv.wn.iihe.ac.be@WN.IIHE.AC.BE
</pre>

==== Creation of a keytab for the Apache service ====
Use the freeipa command "ipa-getkeytab" :
<pre>
ipa-getkeytab -s freeipa.wn.iihe.ac.be -k /etc/httpd/conf/aiisrv.keytab -p HTTP/aiisrv.wn.iihe.ac.be@WN.IIHE.AC.BE
</pre>

=== Testing ===

Of course, these tests must done from a machine that is already in the Kerberos realm.

==== Using curl ====
First, you need to create a valid Kerberos ticket. As root, you can always do this with the command :
<pre>
kinit -k -t /etc/krb5.keytab
</pre>
Now, try this :
<pre>
curl --negotiate http://aiisrv.wn.iihe.ac.be/private/test.txt
</pre>

==== Using ccm-fetch ====
For ccm to be able to download profiles with "negotiate", you need first to install the following Perl module and copy it in the right place :
<pre>
wget http://search.cpan.org/~agrolms/LWP-Authen-Negotiate-0.06/lib/LWP/Authen/Negotiate.pm
cp -a Negotiate.pm /usr/share/perl5/LWP/Authen/
</pre>
On the AII server, copy the machine profile to the /private HTTP location, and on the machine where you will do your test, modify the /etc/ccm.conf file so that it contains the following line :
<pre>
profile http://qclig.wn.iihe.ac.be/private/profile_node19-1.wn.iihe.ac.be.xml
</pre>
And then, run ccm-fetch.

=== Remarks ===
In the solution we have described on this page, we have removed SSL from the server side for the sake of simplicity, but doing this, the communication between the client and the server is not encrypted anymore !

There is a [https://github.com/quattor/CCM/issues/54 discussion] in the Quattor GitHub, about Kerberos and CCM. One interesting solution (that is used by MS) would be to encrypt the profile in such a way that a machine can only decrypt its own profile, and not others...

{{TracNotice|{{PAGENAME}}}}

CCMWithKerberos - Revision history

Maintenance script: Created page with " === Goal === The main idea here is to find a solution to secure machine profiles with Kerberos using Apache + mod_kerb on the AII server. For the moment, ccm-fetch is don..."