WebAuth Notes

WebAuth wraps the Kerberos authentication protocol inside HTTP cookies. It implements single sign-on: after entering a single password, users can visit multiple, independent web-based services and be automatically and securely authenticated without being aware that this has happened.

WebAuth uses HTTPS/SSL to protect the content in both directions. Both the username/password pair used to log on and the resulting ticket-granting ticket are "secret", the username/password pair more so since it is long-lived (typically 1 year) rather than short-lived (typically 24 hours).


1. Installation

1.1. Installing Kerberos

(Note: not needed on Scientific Linux 4.2)

Using WebAuth for an application requires access to a number of Kerberos utilities.

  1. Ensure GCC is installed:
{{{
yum install gcc
}}}

  2. Download the Kerberos software from http://web.mit.edu/kerberos/dist/krb5/1.4/krb5-1.4.3-signed.tar. The Kerberos homepage is http://web.mit.edu/kerberos/.

  3. Unpack the Kerberos distribution into a working directory, ~/tmp.

  4. In the working directory, run the following commands (needs yacc):
{{{
./configure
make
}}}

  5. More? It turns out that Kerberos is already present in the standard Scientific Linux installation.

1.2. Configuring NTP

Kerberos needs NTP. Config file is /etc/ntp.conf:

{{{
######################################################################
#
# Sakai VRE demonstrator ntp.conf for RedHat Linux systems running ntpd.
# Other machines will not be able to synchronize with this host,
# which reduces the chance ntpd will be exploited by an attacker.
# [Adapted from: http://cfm.gs.washington.edu/network/ntp/ntp/redhat-ntp.conf]
#
# Also consider denying incoming UDP traffic to port 123.
#
# http://www.ntp.org/ for additional information on NTP.

# deny-by-default policy
restrict default ignore
### restrict default nomodify notrap noquery

# synchronize with OUCS time servers (peer 3)
server ntp0.oucs.ox.ac.uk
server ntp2.oucs.ox.ac.uk

# Configure NTP access restrictions
# [From http://www.oucs.ox.ac.uk/network/ntp/index.xml.ID=body.1_div.7]

# by default ignore all ntp packets
#
restrict 0.0.0.0 mask 0.0.0.0 ignore

# allow unlimited access within zoo.ox.ac.uk
#
#  IP Address. . . : 129.67.24.47
#  Subnet Mask . . : 255.255.252.0
#
restrict 129.67.24.47 mask 255.255.252.0

# allow packets to arrive from OUCS time servers (unlimited)
# these IP addresses are correct at the time of writing but are subject to
# change.  Changes will be publicised on the itss-announce mailing list.
#
restrict 129.67.1.7 mask 255.255.255.255        # ntp0.oucs.ox.ac.uk
restrict 163.1.2.3  mask 255.255.255.255        # ntp1.oucs.ox.ac.uk
restrict 163.1.2.38 mask 255.255.255.255        # ntp2.oucs.ox.ac.uk
restrict 129.67.1.4 mask 255.255.255.255        # ntp3.oucs.ox.ac.uk

# the "local" address is unrestricted
# (This is a special 'internal' IP address used by the ntp software,
# without which the software will not function correctly)
#
restrict 127.0.0.1 mask 255.255.255.255

# Where did this come from?
# restrict ntp0.oucs.ox.ac.uk nomodify nopeer noquery notrap
# restrict ntp2.oucs.ox.ac.uk nomodify nopeer noquery notrap

# local fudge if network servers not available
server  127.127.1.0     # local clock
fudge   127.127.1.0 stratum 10

restrict 127.0.0.0 mask 255.0.0.0 nomodify nopeer noquery notrap

# track wander (leading directories will need to exist!)
driftfile /var/ntp/ntp.drift
###broadcastdelay       0.008

#
# Keys file.  If you want to diddle your server at run time, make a
# keys file (mode 600 for sure) and define the key number to be
# used for making requests.
#
# PLEASE DO NOT USE THE DEFAULT VALUES HERE. Pick your own, or remote
# systems might be able to reset your clock at will. Note also that
# ntpd is started with a -A flag, disabling authentication, that
# will have to be removed as well.
#
### keys                /etc/ntp/keys
}}}

To start the NTP daemon:
{{{
service ntpd start
}}}

To configure the NTP daemon to start on system reboot:
{{{
chkconfig --add ntpd
chkconfig --level 345 ntpd on
chkconfig --list ntpd
}}}
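The ntp.conf above relies on a deny-by-default restrict policy and then grants access to a handful of sources. The following is an added example, not part of the original wiki page, that parses the restrict lines of such a file and reports what the policy actually grants: whether a default-deny rule exists, which sources get unrestricted access (a restrict line with no flags imposes no restriction at all), and which rules name a host address rather than the network address of their mask. The sample configuration is constructed here from the restrict and server lines of the file above; the audit logic and its output format are this example's own.

```python
import ipaddress

# Constructed sample input: the restrict/server lines of the ntp.conf above.
SAMPLE_NTP_CONF = """\
restrict default ignore
server ntp0.oucs.ox.ac.uk
server ntp2.oucs.ox.ac.uk
restrict 0.0.0.0 mask 0.0.0.0 ignore
restrict 129.67.24.47 mask 255.255.252.0
restrict 129.67.1.7 mask 255.255.255.255        # ntp0.oucs.ox.ac.uk
restrict 163.1.2.3  mask 255.255.255.255        # ntp1.oucs.ox.ac.uk
restrict 163.1.2.38 mask 255.255.255.255        # ntp2.oucs.ox.ac.uk
restrict 129.67.1.4 mask 255.255.255.255        # ntp3.oucs.ox.ac.uk
restrict 127.0.0.1 mask 255.255.255.255
server  127.127.1.0     # local clock
fudge   127.127.1.0 stratum 10
restrict 127.0.0.0 mask 255.0.0.0 nomodify nopeer noquery notrap
driftfile /var/ntp/ntp.drift
"""


def parse_restricts(text):
    """Return one dict per 'restrict' line: the address and mask as written,
    the network they denote, and the set of restriction flags."""
    rules = []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()      # drop trailing comments
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        addr, rest = tokens[1], tokens[2:]
        if addr == "default":                      # policy for sources matched by no other rule
            addr, mask = "0.0.0.0", "0.0.0.0"
        elif rest[:1] == ["mask"]:
            mask, rest = rest[1], rest[2:]
        else:
            mask = "255.255.255.255"               # no mask means a single host
        network = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        rules.append({"addr": addr, "mask": mask, "network": network, "flags": set(rest)})
    return rules


def audit_restricts(text):
    """Summarise the access policy of an ntp.conf:
    default_deny - a default (0.0.0.0/0) rule ignores or at least blocks query and modify
    open         - rules that carry no flags and therefore grant unrestricted access
    host_bits    - rules whose address is not the network address of the given mask
    """
    report = {"default_deny": False, "open": [], "host_bits": []}
    for rule in parse_restricts(text):
        written = f"{rule['addr']}/{rule['mask']}"
        if rule["network"].prefixlen == 0:
            flags = rule["flags"]
            report["default_deny"] = "ignore" in flags or {"noquery", "nomodify"} <= flags
            continue
        if not rule["flags"]:
            report["open"].append(written)
        if ipaddress.ip_address(rule["addr"]) != rule["network"].network_address:
            report["host_bits"].append(written)
    return report


if __name__ == "__main__":
    for key, value in audit_restricts(SAMPLE_NTP_CONF).items():
        print(f"{key}: {value}")
```

Run against the file above, the report confirms the default-deny policy, lists the six sources granted unrestricted access (the zoo.ox.ac.uk subnet, the four OUCS servers and 127.0.0.1), and points out that 129.67.24.47 with mask 255.255.252.0 names a host inside the 129.67.24.0/22 network rather than the network itself; whether to write the network address instead is a question for whoever maintains the file.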

1.3. Configuring Kerberos

Our file /etc/krb5.conf looks like this:

{{{
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

[libdefaults]
 default_realm = OX.AC.UK

[realms]
 OX.AC.UK = {
   kdc = kdc0.ox.ac.uk
   kdc = kdc1.ox.ac.uk
   kdc = kdc2.ox.ac.uk
   admin_server = kdc-admin.ox.ac.uk
 }

[domain_realm]
 .ox.ac.uk = OX.AC.UK
 ox.ac.uk = OX.AC.UK
}}}

See the Oxford WebAuth page: http://www.oucs.ox.ac.uk/webauth/index.xml.ID=body.1_div.3

2. Getting a principal

{{{
[root@sakai-vre-demo syeates]# kadmin -p syeates/itss
Authenticating as principal syeates/itss with password.
Password for syeates/itss@OX.AC.UK:
kadmin:  ktadd -k /etc/krb5.keytab webauth/sakai-vre-demo.oucs.ox.ac.uk
Entry for principal webauth/sakai-vre-demo.oucs.ox.ac.uk with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal webauth/sakai-vre-demo.oucs.ox.ac.uk with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
kadmin:  quit
[root@sakai-vre-demo syeates]# ls -lart /etc/krb5.keytab
-rw-------  1 root root 170 May 11 16:48 /etc/krb5.keytab
[root@sakai-vre-demo syeates]# more /etc/krb5.keytab

[root@sakai-vre-demo syeates]# file /etc/krb5.keytab
/etc/krb5.keytab: data
}}}

The keys are stored in binary, so the keytab shows nothing legible when sent to the screen with more.
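The usual way to see what a keytab holds is klist -k -e /etc/krb5.keytab, which lists each principal, key version number and encryption type without printing key material. The following is an added example, not part of the original wiki page, that does the same inventory by reading the MIT keytab version 2 format directly (0x05 0x02 header, then length-prefixed entries of realm, name components, name type, timestamp, 8-bit kvno, keyblock and optional 32-bit kvno). It deliberately skips over the key bytes, flags the encryption types the ktadd session above produced (single DES was withdrawn by RFC 6649 and Triple DES deprecated by RFC 8429), and checks that the file mode matches the 0600 shown by ls -lart. The sample keytab is constructed inside the script with dummy key bytes; build_keytab exists only to produce that sample, real keytabs come from ktadd.

```python
import os
import stat
import struct

# Enctype numbers from the IANA Kerberos encryption type registry.
ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
                 16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WITHDRAWN = {1, 2, 3}     # single DES, withdrawn by RFC 6649
DEPRECATED = {16, 23}     # 3DES and RC4, deprecated by RFC 8429


def _cstr(b):
    """MIT counted_octet_string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialise (components, realm, kvno, enctype, key) tuples as a v2 keytab.
    Used only to construct sample input for this example."""
    out = b"\x05\x02"
    for comps, realm, kvno, enctype, key in entries:
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        for c in comps:
            body += _cstr(c.encode())
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)       # NT-PRINCIPAL, timestamp 0, 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key   # keyblock
        body += struct.pack(">I", kvno)                       # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data):
    """Return one dict per entry (principal, kvno, enctype, key length).
    Key material is skipped over and never retained."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        if size == 0:
            break
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        strings = []
        for _ in range(ncomp + 1):   # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, pos)
            pos += 2
            strings.append(data[pos:pos + n].decode())
            pos += n
        realm, comps = strings[0], strings[1:]
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        pos += klen                  # skip the secret key bytes
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": enctype, "enctype_name": ENCTYPE_NAMES.get(enctype, str(enctype)),
                        "key_len": klen, "timestamp": timestamp})
        pos = end
    return entries


def audit_keytab(data):
    """List (principal, enctype name, verdict) for every entry using a withdrawn or deprecated enctype."""
    findings = []
    for e in parse_keytab(data):
        if e["enctype"] in WITHDRAWN:
            findings.append((e["principal"], e["enctype_name"], "withdrawn"))
        elif e["enctype"] in DEPRECATED:
            findings.append((e["principal"], e["enctype_name"], "deprecated"))
    return findings


def mode_is_private(mode):
    """True when no group or other permission bits are set, i.e. mode 0600 as in the ls output above."""
    return mode & 0o077 == 0


def keytab_mode_ok(path):
    return mode_is_private(stat.S_IMODE(os.stat(path).st_mode))


# Constructed sample: the two entries ktadd reported above, with dummy key bytes.
SAMPLE_KEYTAB = build_keytab([
    (["webauth", "sakai-vre-demo.oucs.ox.ac.uk"], "OX.AC.UK", 3, 16, bytes(range(24))),
    (["webauth", "sakai-vre-demo.oucs.ox.ac.uk"], "OX.AC.UK", 3, 1, bytes(range(8))),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"{e['principal']} kvno={e['kvno']} {e['enctype_name']} ({e['key_len']} key bytes)")
    for principal, name, verdict in audit_keytab(SAMPLE_KEYTAB):
        print(f"{verdict}: {principal} uses {name}")
```

Against the sample both entries are reported: the Triple DES key as deprecated and the DES-CBC-CRC key as withdrawn, which is the inventory an administrator wants before deciding which enctypes the KDC should still issue for this service principal. Pointing parse_keytab at the bytes of a real /etc/krb5.keytab gives the same listing that klist -k -e would.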

See the SPIE wiki on this: http://spie.oucs.ox.ac.uk/Wiki.jsp?page=WebAuth

3. Installing WebAuth

See: http://www.oucs.ox.ac.uk/webauth/index.xml.ID=body.1_div.3, http://webauth.stanford.edu/obtain.html


{{{
yum install openssl-devel
yum install httpd-devel
yum install curl-devel
}}}

{{{
make
}}}


{{{
make install
exit
}}}

{{{
LoadModule webauth_module modules/mod_webauth.so

# Set locations for various files used by mod_webauth
WebAuthKeyring webauth/keyring
WebAuthKeytab webauth/keytab
WebAuthServiceTokenCache webauth/service_token_cache
WebAuthCredCacheDir webauth/cred_cache

# Point to the Oxford Webauth service
WebAuthLoginURL https://webauth.ox.ac.uk/login
WebAuthWebKdcURL https://webauth.ox.ac.uk:8443/webkdc-service/
WebAuthWebKdcPrincipal service/webkdc@OX.AC.UK

# If you're having trouble switch on debugging
WebAuthDebug on

# For each location that you want to protect using Webauth you should add a section like:

<Location /webauthtest/syeates>

</Location>

<Location /webauthtest/zool0635>

</Location>
}}}



{{{
[notice] mod_webauth: initialized (3.5.0) (Built by syeates@sakai-vre-demo.oucs.ox.ac.uk on 2006-05-12 10:18:22 UTC)
*** glibc detected *** double free or corruption (fasttop): 0x08120bd0 ***
}}}

{{{
mkdir /var/lib/webauth
chgrp apache /var/lib/webauth
chmod g+rw /var/lib/webauth
ln -s /var/lib/webauth /etc/httpd/webauth
}}}

The content of this wiki is licensed under the Creative Commons Attribution-ShareAlike 2.0 England & Wales Licence.

OSS Watch is funded by the Joint Information Systems Committee (JISC) and is situated within the Research Technologies Service (RTS) of the University of Oxford.