WebAuth Notes
WebAuth is a wrapping of the Kerberos authentication protocol within HTTP cookies. It implements single sign-on: after entering a single password, users can visit multiple, independent web-based services and be automatically and securely authenticated without being aware that this has happened.
WebAuth uses HTTPS/SSL to protect the content in both directions. Both the username/password pair used to log on and the resulting ticket-granting ticket are "secret," the username/password pair more so since it is long-lived (typically 1 year) rather than short-lived (typically 24 hours).
Contents
1. Installation
1.1. Installing Kerberos
(Note: not needed on Scientific Linux 4.2)
Using WebAuth for an application requires access to a number of Kerberos utilities.
- Ensure GCC is installed:
yum install gcc
Download Kerberos software from http://web.mit.edu/kerberos/dist/krb5/1.4/krb5-1.4.3-signed.tar. Homepage for Kerberos is http://web.mit.edu/kerberos/.
Unpack Kerberos distribution to a working directory ~/tmp.
- In the working directory, run the following commands:
./configure
make
The build needs yacc.
- More? It turns out that Kerberos is already present in the standard Scientific Linux installation.
1.2. Configuring NTP
Kerberos needs NTP, since its tickets carry timestamps that clients and servers must agree on. The config file is /etc/ntp.conf:
######################################################################
#
# Sakai VRE demonstrator ntp.conf for RedHat Linux systems running ntpd.
# Other machines will not be able to synchronize with this host,
# which reduces the chance ntpd will be exploited by an attacker.
# [Adapted from: http://cfm.gs.washington.edu/network/ntp/ntp/redhat-ntp.conf]
#
# Also consider denying incoming UDP traffic to port 123.
#
# http://www.ntp.org/ for additional information on NTP.

# deny-by-default policy
restrict default ignore
### restrict default nomodify notrap noquery

# synchronize with OUCS time servers (peer 3)
server ntp0.oucs.ox.ac.uk
server ntp2.oucs.ox.ac.uk

# Configure NTP access restrictions
# [From http://www.oucs.ox.ac.uk/network/ntp/index.xml.ID=body.1_div.7]

# by default ignore all ntp packets
#
restrict 0.0.0.0 mask 0.0.0.0 ignore

# allow unlimited access within zoo.ox.ac.uk
#
# IP Address. . . : 129.67.24.47
# Subnet Mask . . : 255.255.252.0
#
restrict 129.67.24.47 mask 255.255.252.0

# allow packets to arrive from OUCS time servers (unlimited)
# these IP addresses are correct at the time of writing but are subject to
# change. Changes will be publicised on the itss-announce mailing list.
#
restrict 129.67.1.7 mask 255.255.255.255    # ntp0.oucs.ox.ac.uk
restrict 163.1.2.3 mask 255.255.255.255     # ntp1.oucs.ox.ac.uk
restrict 163.1.2.38 mask 255.255.255.255    # ntp2.oucs.ox.ac.uk
restrict 129.67.1.4 mask 255.255.255.255    # ntp3.oucs.ox.ac.uk

# the "local" address is unrestricted
# (This is a special 'internal' IP address used by the ntp software,
# without which the software will not function correctly)
#
restrict 127.0.0.1 mask 255.255.255.255

# Where did this come from?
# restrict ntp0.oucs.ox.ac.uk nomodify nopeer noquery notrap
# restrict ntp2.oucs.ox.ac.uk nomodify nopeer noquery notrap

# local fudge if network servers not available
server 127.127.1.0    # local clock
fudge 127.127.1.0 stratum 10
restrict 127.0.0.0 mask 255.0.0.0 nomodify nopeer noquery notrap

# track wander (leading directories will need to exist!)
driftfile /var/ntp/ntp.drift
###broadcastdelay 0.008

#
# Keys file. If you want to diddle your server at run time, make a
# keys file (mode 600 for sure) and define the key number to be
# used for making requests.
#
# PLEASE DO NOT USE THE DEFAULT VALUES HERE. Pick your own, or remote
# systems might be able to reset your clock at will. Note also that
# ntpd is started with a -A flag, disabling authentication, that
# will have to be removed as well.
#
### keys /etc/ntp/keys
To start the NTP daemon:
service ntpd start
To configure the NTP daemon to start on system reboot:
chkconfig --add ntpd
chkconfig --level 345 ntpd on
chkconfig --list ntpd
1.3. Configuring Kerberos
Our file /etc/krb5.conf looks like this:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[libdefaults]
default_realm = OX.AC.UK
[realms]
OX.AC.UK = {
kdc = kdc0.ox.ac.uk
kdc = kdc1.ox.ac.uk
kdc = kdc2.ox.ac.uk
admin_server = kdc-admin.ox.ac.uk
}
[domain_realm]
.ox.ac.uk = OX.AC.UK
ox.ac.uk = OX.AC.UK
See Oxford webAuth page: http://www.oucs.ox.ac.uk/webauth/index.xml.ID=body.1_div.3
2. Getting a principal
[root@sakai-vre-demo syeates]# kadmin -p syeates/itss
Authenticating as principal syeates/itss with password.
Password for syeates/itss@OX.AC.UK:
kadmin: ktadd -k /etc/krb5.keytab webauth/sakai-vre-demo.oucs.ox.ac.uk
Entry for principal webauth/sakai-vre-demo.oucs.ox.ac.uk with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal webauth/sakai-vre-demo.oucs.ox.ac.uk with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
kadmin: quit
[root@sakai-vre-demo syeates]# ls -lart /etc/krb5.keytab
-rw------- 1 root root 170 May 11 16:48 /etc/krb5.keytab
[root@sakai-vre-demo syeates]# more /etc/krb5.keytab
[root@sakai-vre-demo syeates]# file /etc/krb5.keytab
/etc/krb5.keytab: data
The keys are stored in binary, which is why more shows nothing useful on the screen and file reports plain data.
See the SPIE wiki on this: http://spie.oucs.ox.ac.uk/Wiki.jsp?page=WebAuth
3. Installing WebAuth
See: http://www.oucs.ox.ac.uk/webauth/index.xml.ID=body.1_div.3, http://webauth.stanford.edu/obtain.html
Download WebAuth source from http://webauth.stanford.edu/dist/webauth-3.5.0.tar.gz, and unpack to ~/tmp
Ensure the directory /usr/sbin is part of the current path. If necessary:
PATH=$PATH:/usr/sbin
- Download the development packages that are not installed by default on Scientific Linux:
yum install krb5-devel
yum install openssl-devel
yum install httpd-devel
yum install curl-devel
From the ~/tmp/webauth-3.5.0 directory, run:
./configure
make
- Test the resulting build:
make check
- To install the WebAuth software, as user root:
su root
make install
exit
Note: some warnings about linking against new libraries installed in /usr/local/lib may be shown. It's not clear to us if this is an error, but we did later encounter problems when trying to start Apache with WebAuth enabled. On our system, the first time we ran make install, only part of the installation was completed; the mod_webauth.so module was not installed for Apache. On a subsequent attempt, this was achieved.
Create a config file for WebAuth. We created a new file /etc/httpd/conf.d/webauth.conf, with the following content:
# Make webauth available
LoadModule webauth_module modules/mod_webauth.so

# Set locations for various files used by mod_webauth
WebAuthKeyring webauth/keyring
WebAuthKeytab webauth/keytab
WebAuthServiceTokenCache webauth/service_token_cache
WebAuthCredCacheDir webauth/cred_cache

# Point to the Oxford Webauth service
WebAuthLoginURL https://webauth.ox.ac.uk/login
WebAuthWebKdcURL https://webauth.ox.ac.uk:8443/webkdc-service/
WebAuthWebKdcPrincipal service/webkdc@OX.AC.UK

# If you're having trouble switch on debugging
WebAuthDebug on

# For each location that you want to protect using Webauth you should add a section like:
<Location /webauthtest/syeates>
WebAuthExtraRedirect on
AuthType WebAuth
require valid-user
</Location>
<Location /webauthtest/zool0635>
WebAuthExtraRedirect on
AuthType WebAuth
require valid-user
</Location>
The two <Location> sections are used for testing in our environment, and correspond to two directories in the /var/www/html tree containing some test data.
- Start the Apache web server:
service httpd start
Initially, this failed in our environment because file libwebauth.so.1 could not be loaded for mod_webauth. This may have been due to the problem noted earlier when running make install. Creating a new symlink seems to resolve this:
ln -s /usr/local/lib/libwebauth.so.1 libwebauth.so.1
- Now we get another error when starting httpd:
[error] mod_webauth: mwa_cache_keyring: webauth_keyring_auto_update /etc/httpd/webauth/keyring failed: Unable to open keyring for writing (7)
[notice] mod_webauth: initialized (3.5.0) (Built by syeates@sakai-vre-demo.oucs.ox.ac.uk on 2006-05-12 10:18:22 UTC)
*** glibc detected *** double free or corruption (fasttop): 0x08120bd0 ***
It turned out that the problem here was that Apache httpd needs to be able to create files in the directory containing webauth/keyring. The following setup, with the webauth directory created in /var/lib, allows Apache httpd to start successfully with the above webauth.conf configuration file:
su root
mkdir /var/lib/webauth
chgrp apache /var/lib/webauth
chmod g+rw /var/lib/webauth
ln -s /var/lib/webauth /etc/httpd/webauth
We also need to copy the krb5.keytab file to the location configured for httpd, and ensure that this file is readable by the Apache server:
su
cp /etc/krb5.keytab /etc/httpd/webauth/keytab
chgrp apache /etc/httpd/webauth/keytab
chmod g=r /etc/httpd/webauth/keytab
Check that the file is not visible to any users other than root and the web server user (i.e. apache in our setup).
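The two checks above (httpd must be able to write into the webauth directory, and the keytab must be readable by nobody but root and the web server group) can be scripted so they are easy to re-run after each change. The following is an added example, not part of the original notes or of the WebAuth distribution. It assumes GNU coreutils stat (present on Scientific Linux) and takes the paths, owner and group as parameters, so the names from the notes (/var/lib/webauth, /etc/httpd/webauth/keytab, root, apache) are only the suggested usage at the end.

```shell
#!/bin/sh
# Added example: permission checks for the mod_webauth file layout.
# Assumes GNU stat (-c '%A %U %G'), which prints a 10-character symbolic
# mode such as -rw-r----- or drwxrwxr-x, followed by owner and group.

# check_keytab_perms FILE OWNER GROUP
# The keytab is a long-lived shared secret. It must be owned by OWNER,
# belong to GROUP (the httpd user's group), be at most group-readable,
# and carry no permission bits for "other".
check_keytab_perms() {
    file=$1 want_owner=$2 want_group=$3
    [ -f "$file" ] || { echo "keytab missing: $file" >&2; return 1; }
    set -- $(stat -c '%A %U %G' "$file")
    mode=$1 owner=$2 group=$3
    [ "$owner" = "$want_owner" ] || { echo "$file: owner is $owner, want $want_owner" >&2; return 1; }
    [ "$group" = "$want_group" ] || { echo "$file: group is $group, want $want_group" >&2; return 1; }
    # characters 8-10 of the symbolic mode are the "other" bits
    case $mode in
        ???????---) ;;
        *) echo "$file: accessible to other users ($mode)" >&2; return 1 ;;
    esac
    # characters 5-7 are the group bits: read only, or nothing at all
    case $mode in
        ????[r-]--*) ;;
        *) echo "$file: group may write or execute ($mode)" >&2; return 1 ;;
    esac
    return 0
}

# check_webauth_dir DIR GROUP
# httpd creates the keyring and token cache in DIR, so the directory must
# belong to GROUP with group read, write and search bits set. The notes'
# mkdir leaves r-x for others, which is accepted; world-writable is not.
check_webauth_dir() {
    dir=$1 want_group=$2
    [ -d "$dir" ] || { echo "directory missing: $dir" >&2; return 1; }
    set -- $(stat -c '%A %G' "$dir")
    mode=$1 group=$2
    [ "$group" = "$want_group" ] || { echo "$dir: group is $group, want $want_group" >&2; return 1; }
    case $mode in
        d???rwx?-?) return 0 ;;
        *) echo "$dir: want group rwx and no write for others ($mode)" >&2; return 1 ;;
    esac
}

# Suggested usage on the host described in these notes:
#   check_webauth_dir /var/lib/webauth apache && \
#   check_keytab_perms /etc/httpd/webauth/keytab root apache
```

Both functions print the offending mode to stderr and return non-zero, so they can be chained with && or used from a cron job that mails on failure.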
4. Going live
The /etc/httpd/webauth/keytab file contains a shared key that must be kept secret. After a period of experimentation, assume that the key is compromised and throw it away. Create a new keytab file (with a new shared key) and use that for live deployment.
5. Links
[1] http://webauth.stanford.edu/ - The WebAuth homepage
[2] http://www.oucs.ox.ac.uk/webauth/ - How to connect to WebAuth at Oxford University
[3] http://web.mit.edu/kerberos/ - Kerberos home page
[4] http://www.isi.edu/gost/brian/security/kerberos.html - The Moron's Guide to Kerberos. A great introduction.

