Kerberos authentication mechanism for nginx web server
This project implements Single Sign-On (SSO) using Kerberos, configured with an OpenLDAP backend, to authenticate clients against an HTTP service. Only a client that has authenticated with Kerberos can access the server and reach the URL.
- We used 3 Linux containers (lxc/lxd) to run kerberos-kdc-server, kerberos-client and kerberos-http:
- Kerberos-kdc-server:
- Consists of three parts: a database of all principals, the authentication server, and the ticket-granting server.
- For each realm there must be at least one KDC.
- kerberos-client: Our Kerberos client, which has access to any kerberized service once the user has successfully logged into the system.
- kerberos-http: The HTTP server that runs nginx configured with the SPNEGO mechanism. Our 3 containers use the default lxc network lxdbr0 (we use the hostname as the domain name, e.g. curl http://kerberos-http).
- Kerberos-kdc-server:
- Kerberos :
- Realm : EXAMPLE.COM
- Client Principal : [email protected] (with no admin privileges)
- Admin Principal : ubuntu/[email protected]
- Service Principal : HTTP/[email protected]
- LDAP client Principal : [email protected]
- OpenLDAP :
- Runs on the same kerberos-kdc-server host for simplicity (taking advantage of the unix socket)
- Stores the Kerberos principals instead of the local on-disk database
- Nginx : we have to add the spnego module to the nginx configuration in order to enable Negotiate authentication
- curl v7.81.0 (make sure it supports GSS-API SPNEGO)
- lxc v5.21
- ubuntu 22.04 images
- nginx v1.18.0
- kerberos : We followed these steps to install and configure Kerberos : .
- kerberos server config file : krb5.conf
- kerberos kdc config file : krb5kdc.conf
- openLDAP : Installing and configuring slapd : . The users that were added to the LDAP server can be found in the add_content.ldif file
- Kerberos with OpenLDAP backend : well-documented steps : .
- Kerberos client : Configure a Linux system as a Kerberos client .
- nginx with spnego module : Follow this cheatsheet : :
- nginx config file : nginx.conf
- default http server (on port 80) that is protected : default
- Add [email protected] and ubuntu/[email protected] as principals in Kerberos
- Add HTTP/[email protected] as the service principal
- Extract the key from the KDC and store it on the kerberos-http server using the ktadd utility. If the kadmin utility is not available on the service host, extract the keytab on the Kerberos server and copy it to the HTTP server (using scp, for example).
- Copy the file to /etc/krb5.keytab
- Make sure it is mode 0600 and owned by root:root
- A screenshot of the content of the keytab file :
- Add the necessary nginx configuration (auth_gss and auth_gss_keytab)
- Reload the nginx server
- Start the client container and log in as the ubuntu user
- Generate a new TGT using the kinit command
- Check the ticket using the klist command
- Curl the HTTP server with the verbose flag and the Negotiate authentication mechanism:

```sh
KRB5_TRACE=/dev/stderr curl -v -i --negotiate -u: http://kerberos-http
```

- You get clear trace output showing how Kerberos uses the TGT to obtain a TGS for the service
- Nginx returns a success response
- Examine the ticket cache again using klist (the service principal has been added)
- Destroy the ticket using the kdestroy command
- Curl again
- You get an authorization required response (401 status code)
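The following is an added example of the protected server block for the "Add the necessary configuration for nginx" step; it is not the project's own nginx.conf or default file. It assumes the spnego module is loaded, the keytab was copied to /etc/krb5.keytab as described above, and that the service principal is HTTP/kerberos-http@EXAMPLE.COM (taken from the container hostname used with curl).

```nginx
# Added example, not the project's shipped config.
# Assumes: spnego-http-auth module built into nginx, keytab at /etc/krb5.keytab
# (mode 0600, root:root), service principal HTTP/kerberos-http@EXAMPLE.COM.
server {
    listen 80;
    server_name kerberos-http;

    location / {
        root /var/www/html;

        # Enable Negotiate (GSS-API/Kerberos) authentication for this location.
        auth_gss on;

        # Realm and service name; together with server_name these must match
        # the HTTP/<hostname>@REALM key stored in the keytab, otherwise every
        # request fails with 401 even when the client holds a valid TGT.
        auth_gss_realm EXAMPLE.COM;
        auth_gss_service_name HTTP;
        auth_gss_keytab /etc/krb5.keytab;

        # Refuse to fall back to HTTP Basic: a client without a Kerberos ticket
        # (e.g. after kdestroy) only ever sees "401" with
        # "WWW-Authenticate: Negotiate", and never sends a password in clear.
        auth_gss_allow_basic_fallback off;
    }
}
```

After reloading nginx, the curl test above should return 200 with a ticket in the cache and 401 once kdestroy has removed it; the keytab path must stay readable only by the user nginx runs as.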