mod_auth_gssapi
mod_auth_gssapi copied to clipboard
Impersonate authenticated user with ProxyPass
Hi,
I try to get the option GssapiImpersonate working.
Situation: User -----> Apache Proxy --------> Service with Kerberos
My goal is that the user is authenticated on the proxy and the proxy the impersonates the user to provide access to the service. For the sake of simplicity currently the user should authenticate with Basic Auth to the proxy, but this could be replaced by some central auth with MFA or equal.
The docs for GssapiImpersonate state:
The principal of the user is retrieved from the internal r->user identifier which typically holds the username from the authentication results.
So if I understand this correctly: I have an Apache module which sets the variable r->user. mod_auth_gssapi then queries the KDC (in my case MS AD) and gets a kerberos ticket for the username from r->user
My problem is that I get a ticket for the username in GssapiDelegCcacheDir but the proxy request passes the Basic Auth header instead of a kerberos header.
My config: site.conf
<VirtualHost proxy.myproxydomain:80>
SSLProxyEngine On
ServerName proxy.myproxydomain
LogLevel debug
</VirtualHost>
<Location />
AuthType Basic
AuthName "SharedSecert-Auth"
AuthBasicProvider sharedsecret
AuthSharedSecret "pass"
GssapiImpersonate On
GssapiDelegCcacheDir /var/run/httpd/krbcache
GssapiUseS4U2Proxy Off
GssapiCredStore client_keytab:/etc/apache2/kerb.keytab
GssapiCredStore ccache:FILE:/var/run/httpd/krb5ccache
GssapiCredStore keytab:/etc/apache2/kerb.keytab
GssapiUseSessions On
Session On
SessionCookieName gssapi_session path=/private;httponly;secure;
GssapiBasicAuth Off
GssapiAllowedMech krb5
Require valid-user
ProxyPass http://mybackendhost/
</Location>
(The auth module sharedsecret is this module: https://codeberg.org/HamburgerJungeJr/mod_authn_sharedsecret it just puts the username in r->user and accepts the same password for all users, so I dont have to add users for testing)
/etc/krb5.conf
[libdefaults]
default_realm = MYREALM
default_tkt_enctypes = aes256-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96
# permitted_enctypes = aes256-cts-hmac-sha1-96
[realms]
MYREALM = {
kdc = myadserver
admin_server = myadserver
}
[domain_realm]
.myproxydomain = MYREALM
myproxydomain = MYREALM
cache ticket - klist -c /var/run/httpd/krbcache/myuser@MYREALM (German system)
Ticketzwischenspeicher: FILE:myuser@MYREALM
Standard-Principal: myuser@MYREALM
Valid starting Expires Service principal
11.02.2023 15:35:22 12.02.2023 00:05:10 proxykeytabuser@MYREALM
erneuern bis 12.02.2023 14:05:10
11.02.2023 14:05:10 12.02.2023 00:05:10 krbtgt/MYREALM@MYREALM
für Client proxykeytabuser@MYREALM, erneuern bis 12.02.2023 14:05:10
I set the user to be allowed for delegation any authentication protocol on the AD.
Did I minsunderstand the function of GssapiImpersonate or do I have an error in my configuration?