SPNEGO HTTP Authentication Module for nginx
Pull request Compare This branch is 95 commits behind stnoonan:master.
Latest commit ba87108 Jun 10, 2010 @mike503 Minor typo in README


Nginx module to use SPNEGO+GSSAPI+Kerberos for HTTP authentication

Foreword From Mike
Michael Shadle paid YoctoPetaBorg from RentACoder to develop this extension.

YPB's notes are what make up the rest of this document.

I (Michael Shadle) have tried to string replace and rename this to be called
"ngx_http_auth_spnego_module" instead of the previous "ngx_http_auth_sso_module" name.

There may be some oddities due to this. Hopefully not.



Code 97% stolen from mod_auth_gss_krb5 (http://modgssapache.sf.net);
version 0.0.5.


First you need to compile the spnegohelp dynamic library. 'make' in that
subdirectory should do it, then place it by hand somewhere where linker
and loader can find it by default (probably /usr/lib or perhaps even
/usr/local/lib depending on your setup).

When compiling from source build as usual adding the --add-module option:

  ./configure --add-module=$PATH_TO_MODULE

inside top Nginx source directory.


The module has following directives:

- auth_gss: "on"/"off", for ease of unsecuring while leaving other
  options in the config file,

- auth_gss_realm: what Kerberos realm name to use, for now only used to
  remove it from full user@realm.name,

- auth_gss_keytab: absolute path-name to keytab file containing service

- auth_gss_service_name: what service name to use when acquiring
  credentials. (TOFIX: HTTP but should be a list in case of some other
  browsers wanting perhaps khttp or http)

TOFIX: for now they are all merely location specific. i.e. no way to
specify main or per server defaults, except for ...


... current "hardcodeds" ;-}

location /topsecret {
  auth_gss on;
  auth_gss_realm LOCALDOMAIN;
  auth_gss_keytab /etc/krb5.keytab;
  auth_gss_service_name HTTP;

Additional steps...

pray for no segfaults...

TOFIX: perhaps add instructions on how to create the service keytab...