Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

SPNEGO HTTP Authentication Module for nginx

branch: master

This branch is 0 commits ahead and 0 commits behind master

Fetching latest commit…

Octocat-spinner-32-eaf2f5

Cannot retrieve the latest commit at this time

Octocat-spinner-32 spnegohelp
Octocat-spinner-32 ChangeLog
Octocat-spinner-32 LICENSE
Octocat-spinner-32 Makefile
Octocat-spinner-32 README
Octocat-spinner-32 TODO
Octocat-spinner-32 config
Octocat-spinner-32 ngx_http_auth_spnego_module.c
README
Nginx module to use SPNEGO+GSSAPI+Kerberos for HTTP authentication
==================================================================

Foreword From Mike
------------------
Michael Shadle paid YoctoPetaBorg from RentACoder to develop this extension.

YPB's notes are what make up the rest of this document.

I (Michael Shadle) have tried to string replace and rename this to be called
"ngx_http_auth_spnego_module" instead of the previous "ngx_http_auth_sso_module" name.

There may be some oddities due to this. Hopefully not.

mike503@gmail.com

Whatsizit
---------

Code 97% stolen from mod_auth_gss_krb5 (http://modgssapache.sf.net);
version 0.0.5.

Compilation
-----------

First you need to compile the spnegohelp dynamic library. 'make' in that
subdirectory should do it, then place it by hand somewhere where linker
and loader can find it by default (probably /usr/lib or perhaps even
/usr/local/lib depending on your setup).

When compiling from source build as usual adding the --add-module option:

  ./configure --add-module=$PATH_TO_MODULE

inside top Nginx source directory.

Configuration
-------------

The module has following directives:

- auth_gss: "on"/"off", for ease of unsecuring while leaving other
  options in the config file,

- auth_gss_realm: what Kerberos realm name to use, for now only used to
  remove it from full user@realm.name,

- auth_gss_keytab: absolute path-name to keytab file containing service
  credentials,

- auth_gss_service_name: what service name to use when acquiring
  credentials. (TOFIX: HTTP but should be a list in case of some other
  browsers wanting perhaps khttp or http)

TOFIX: for now they are all merely location specific. i.e. no way to
specify main or per server defaults, except for ...

Examples
--------

... current "hardcodeds" ;-}

location /topsecret {
  auth_gss on;
  auth_gss_realm LOCALDOMAIN;
  auth_gss_keytab /etc/krb5.keytab;
  auth_gss_service_name HTTP;
}

Additional steps...
-------------------

pray for no segfaults...

TOFIX: perhaps add instructions on how to create the service keytab...
Something went wrong with that request. Please try again.