[OpenAFS] Combined AFS/Kerberos Apache 2 module

Kevin Hildebrand kevin@umd.edu
Thu, 3 Sep 2009 10:24:54 -0400 (EDT)


There's been a lot of discussion on the list about getting mod_auth_kerb, 
mod_waklog, filedrawers and CoSign all working together harmoniously under 
Apache 2.  I also struggled with this for a while, and eventually decided 
to do a major modification/rewrite to mod_auth_kerb so that it can address 
some of these concerns.

The new module is called 'mod_afs_kerb', for the time being anyway.  It 
is available here: 
http://www.glue.umd.edu/downloads/mod_afs_kerb/mod_afs_kerb.5.3.tar.gz

This module will:

1) do the initial kerberos authentication, via
    a) HTTP Basic Auth (over SSL)
    b) SPNEGO/GSSAPI
2) use existing credentials provided by an external module (CoSign)
3) obtain AFS tokens for the authenticating user as desired
4) cache credentials based on SSL session ID to limit AS traffic
5) work with Apache 2.

In addition, when obtaining AFS tokens, it's possible to do so before the 
Apache directory walk phase, which is a current limitation of mod_waklog.
This removes the requirement that the server itself must run with 
credentials, and doesn't require special directory ACLs.

When using this module, the use of mod_waklog is not required.


One caveat:  because we use Heimdal Kerberos, the AFS parts of this were 
written to use the Heimdal functions.  Someone will need to write a bit of 
code to make this work with MIT kerberos.  (See the afslog functions 
inside #ifdef HEIMDAL)  If there's enough interest, and no one else steps 
up, I can look at doing it.

Also note: As part of the rewrite, for simplicity and improved 
functionality, the existing Kerberos 4 and Apache 1 parts of the module 
have been removed.


Enjoy!

Kevin


---
Kevin Hildebrand
University of Maryland, College Park
Office of Information Technology
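
Added illustration, not code from the post above or from mod_afs_kerb: item 4 in the feature list, caching the result of the Kerberos AS exchange per SSL session ID so repeated requests on one TLS connection do not each hit the KDC. The KDC, principal, password, session IDs and class names here are all constructed for the example. The design point it adds beyond the post is that a cache entry should be bound to the principal and the credentials actually presented, and dropped at ticket expiry, so that a reused session ID alone never yields credentials.

```python
"""Added example of a per-SSL-session credential cache (assumed design;
not mod_afs_kerb's own code).  The KDC exchange is simulated."""
import hashlib
import hmac
import time
from dataclasses import dataclass

# Constructed toy KDC database: one principal with a known password.
# A real module would call the Kerberos library for the AS exchange and
# then derive an AFS token from the resulting ticket.
_TOY_PRINCIPALS = {"alice@EXAMPLE.ORG": "correct horse"}


def _cred_digest(principal, password):
    # Binds a cache entry to the exact credentials that earned it.
    return hashlib.sha256(f"{principal}\0{password}".encode()).digest()


@dataclass
class Creds:
    principal: str
    cred_digest: bytes   # digest of the credentials presented
    endtime: float       # ticket end time; entry is useless after this


class ToyKDC:
    """Counts AS requests so the effect of the cache is measurable."""
    def __init__(self, ticket_lifetime=600.0):
        self.as_requests = 0
        self.ticket_lifetime = ticket_lifetime

    def as_exchange(self, principal, password, now):
        self.as_requests += 1
        expected = _TOY_PRINCIPALS.get(principal)
        if expected is None or not hmac.compare_digest(expected, password):
            raise PermissionError("pre-authentication failed")
        return Creds(principal, _cred_digest(principal, password),
                     now + self.ticket_lifetime)


class SessionCredCache:
    """One cached AS result per SSL session ID.

    A hit is returned only when the principal and presented password match
    the entry and the ticket has not expired; anything else evicts the entry
    and performs a fresh exchange.
    """
    def __init__(self, kdc):
        self.kdc = kdc
        self._by_session = {}

    def authenticate(self, ssl_session_id, principal, password, now=None):
        now = time.time() if now is None else now
        hit = self._by_session.get(ssl_session_id)
        if hit is not None:
            same_creds = (hit.principal == principal and
                          hmac.compare_digest(hit.cred_digest,
                                              _cred_digest(principal, password)))
            if hit.endtime > now and same_creds:
                return hit
            # Expired, or a different user/password on the same TLS session:
            # the old entry must not be trusted.
            del self._by_session[ssl_session_id]
        creds = self.kdc.as_exchange(principal, password, now)
        self._by_session[ssl_session_id] = creds
        return creds


def demo():
    """Returns AS-request counts after each phase of a constructed scenario."""
    kdc = ToyKDC(ticket_lifetime=600.0)
    cache = SessionCredCache(kdc)
    t0 = 1_000_000.0
    sid1, sid2 = b"\x01" * 32, b"\x02" * 32
    # Five Basic-Auth requests on one TLS session: one AS exchange.
    for i in range(5):
        cache.authenticate(sid1, "alice@EXAMPLE.ORG", "correct horse", now=t0 + i)
    after_burst = kdc.as_requests
    # A second TLS session from the same user needs its own exchange.
    cache.authenticate(sid2, "alice@EXAMPLE.ORG", "correct horse", now=t0 + 10)
    after_new_session = kdc.as_requests
    # Ticket on session 1 has expired: refreshed, not served stale.
    cache.authenticate(sid1, "alice@EXAMPLE.ORG", "correct horse", now=t0 + 700)
    after_expiry = kdc.as_requests
    # Wrong password on a session holding a valid entry must not get a hit.
    try:
        cache.authenticate(sid1, "alice@EXAMPLE.ORG", "wrong", now=t0 + 701)
        wrong_rejected = False
    except PermissionError:
        wrong_rejected = True
    return after_burst, after_new_session, after_expiry, wrong_rejected, kdc.as_requests
```

The credential digest is what makes the session ID safe to use as a key: with HTTP Basic Auth the browser resends the credentials on every request, so comparing them against the cached entry is cheap and rules out serving one user's ticket to a different login that happens to ride the same TLS session.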