- Serving Multiple SVN Repositories with Apache (see here)
Friday, February 18, 2011
Apache Kerberos Authentication over SSL for SVN
Suppose you already have a web site working over SSL (see here) and you would like to add security on top of that, namely use Kerberos for authentication. I assume you saw the following:
Thursday, February 17, 2011
How to add CA certificate to Common CA certificates
The Debian package ca-certificates installs a number of well-known CA certificates. Your own certificate authority is not among them, so you will get a warning message every time it is used by a browser, mail client, IM client, etc. Here are a few simple steps to install your own CA certificate. First install the package:
apt-get install ca-certificates
Copy the CA certificate and reconfigure the ca-certificates package:
cp cacert.pem /usr/share/ca-certificates
dpkg-reconfigure ca-certificates
You will be asked "Trust new certificates from certificate authorities?"; choose Ask, then mark yours in the list of activated certificates. This will rebuild the certificate database with your CA certificate.
Apache Basic Authentication over SSL with PAM Kerberos/LDAP
Suppose you already have a web site serving multiple subversion repositories over SSL (see here) and you would like to add security on top of that, namely use Kerberos for authentication and LDAP for authorization. Before we proceed, please ensure your machine is capable of authenticating against Kerberos/LDAP (see here).
I will assume you saw the following:
Wednesday, February 16, 2011
Serving Multiple SVN Repositories with Apache
Here are our requirements:
- SVN web server FQDN: scm1 ; scm1.dev.local
- SVN is served via SSL only
- Repositories access url: https://scm1/svn/project1, https://scm1.dev.local/svn/project2
- Access: public
- Policies: /var/lib/svn/conf/policies
- Root: /var/lib/svn/repos
Apache with SSL
Here we are going to set up a web site with SSL support, so content can be securely served via https.
- Web server FQDN: web1 ; web1.dev.local
- Content served via: HTTP and HTTPS
- Content location: /var/www/
Tuesday, February 15, 2011
Dovecot with Kerberos Authentication
Dovecot authentication/authorization consists of two important parts: passdb and userdb. passdb is used to confirm that user credentials are valid for access, while userdb determines how an authenticated user is mapped to a uid/gid (this is necessary since the mailbox is on the file system).
In this post we take a look at the Dovecot configuration when Kerberos is used for the passdb role. We also take a look at a few possibilities for the userdb implementation.
Before we proceed with the setup (let's assume our client machine name is mail1.dev.local) you need to set up the following:
- Kerberos Client (look here).
- Create the imap service principal for the mail host and add its key to the keytab:
kadmin -p admin -q "addprinc -randkey imap/mail1.dev.local"
kadmin -p admin -q "ktadd imap/mail1.dev.local"
Dovecot V1.x Configuration
- Configure dovecot to use gssapi for authentication (file /etc/dovecot/dovecot.conf):
auth default {
  #mechanisms = plain
  mechanisms = gssapi
}
If you want to permit users to authenticate to dovecot with a password (rather than transparent Kerberos authentication via gssapi), then the plain authentication mechanism must remain.
- Restart dovecot:
/etc/init.d/dovecot restart
Dovecot V2.0 Configuration
- Install the dovecot gssapi package:
apt-get install dovecot-gssapi
- Group dovecot needs to have read permission on the Kerberos keytab file (/etc/krb5.keytab):
chgrp dovecot /etc/krb5.keytab
chmod g+r /etc/krb5.keytab
- Ensure the following settings in the authentication configuration (file /etc/dovecot/conf.d/10-auth.conf):
# FQDN for the mail server
auth_gssapi_hostname = mail1.dev.local
# Location of keytab file
auth_krb5_keytab = /etc/krb5.keytab
auth_mechanisms = gssapi
- Restart dovecot:
/etc/init.d/dovecot restart
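As an added example (not part of the original post), the following script checks the Dovecot 2.x GSSAPI prerequisites from the steps above before you restart dovecot: the mechanism and hostname settings in 10-auth.conf, and that the keytab is readable by the dovecot group but not by everyone. It assumes settings are written as "key = value" lines, as on this page, and that the group name is passed in.

```shell
#!/bin/sh
# Added example (not part of the original post): verify the Dovecot 2.x GSSAPI
# prerequisites from the steps above before restarting dovecot.
# Assumptions: settings are written as "key = value" lines, as in 10-auth.conf
# above, and the group that must read the keytab (dovecot) is passed in.

# conf_value FILE KEY: print the value of the last uncommented "KEY = value" line.
conf_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        $1 == key && $2 == "=" { v = $3; for (i = 4; i <= NF; i++) v = v " " $i }
        END { print v }
    ' "$1"
}

# check_dovecot_gssapi CONF GROUP FQDN: return 0 when every prerequisite holds,
# otherwise print the first problem found and return 1.
check_dovecot_gssapi() {
    conf=$1; group=$2; fqdn=$3

    mechs=$(conf_value "$conf" auth_mechanisms)
    case " $mechs " in
        *" gssapi "*) ;;
        *) echo "auth_mechanisms does not include gssapi (got '$mechs')"; return 1 ;;
    esac

    host=$(conf_value "$conf" auth_gssapi_hostname)
    [ "$host" = "$fqdn" ] || { echo "auth_gssapi_hostname is '$host', expected '$fqdn'"; return 1; }

    keytab=$(conf_value "$conf" auth_krb5_keytab)
    [ -f "$keytab" ] || { echo "keytab '$keytab' does not exist"; return 1; }

    # chgrp dovecot + chmod g+r from the steps above: find on a regular file
    # tests only that file, so no recursion happens here.
    [ -n "$(find "$keytab" -group "$group" -perm -g+r -print)" ] \
        || { echo "keytab '$keytab' is not group-readable by '$group'"; return 1; }

    # A world-readable keytab hands the imap/ service key to every local user.
    [ -z "$(find "$keytab" -perm -o+r -print)" ] \
        || { echo "keytab '$keytab' is world-readable"; return 1; }

    echo "ok: gssapi authentication for $fqdn using keytab $keytab"
    return 0
}
```

Run it as `check_dovecot_gssapi /etc/dovecot/conf.d/10-auth.conf dovecot mail1.dev.local` on the mail host; it stops at the first failing prerequisite.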
Virtual Hosting
While all users are authenticated against Kerberos, we can map mailbox access to a single local user/group, e.g. vmail. This scenario is implemented by the dovecot userdb static configuration option.
# 1. User is created with home directory set to /var/mail.
# 2. User is added to group vmail.
# 3. Do not create a home directory.
# 4. User has no shell, so ssh login is impossible.
groupadd vmail
useradd -d /var/mail -G vmail -M -s /bin/false vmail
The corresponding changes to the dovecot configuration:
auth default {
  mechanisms = gssapi
  userdb static {
    args = uid=vmail gid=vmail home=/var/mail/%u
  }
}
When you create a new mailbox, the vmail user must be its owner. Let's create a mailbox for user1:
mkdir /var/mail/user1
chown vmail /var/mail/user1
On successful authentication of user1, dovecot will populate all necessary files for the mailbox.
OpenLDAP
You can use Kerberos authentication together with LDAP authorization. In this case the LDAP database serves the userdb purpose. You have to set up the OpenLDAP client with Kerberos (see here). Ensure the following settings in the dovecot configuration:
auth default {
  mechanisms = plain gssapi
  passdb pam {
  }
  userdb passwd {
  }
}
This approach uses PAM. When you create a mailbox for a user, ensure the user account (the uid defined in LDAP) is the owner of the mailbox.
How to add CA certificate to NSS Certificate DB
If you have created a Certificate Authority (see here), you probably want to get rid of the warnings that consumers (e.g. email clients accessing the mailbox) show to your users. Here are a few simple steps to add your local Certificate Authority to the NSS Certificate DB:
- Copy the CA certificate to the known certificates:
cp cacert.pem /etc/ssl/certs
chmod go+r /etc/ssl/certs/cacert.pem
- Let's install the tools to manage the NSS Certificate DB:
apt-get install libnss3-tools
- The default location of the NSS DB is $HOME/.pki/nssdb. If you do not have one yet, issue the following command to create it (see more about certutil here):
mkdir -p .pki/nssdb ; certutil -N -d sql:.pki/nssdb
- Add the CA certificate:
certutil -d sql:.pki/nssdb -A -t "CT,c,c" -n DEV.LOCAL -i /etc/ssl/certs/cacert.pem
Evolution email client
Nothing specific needs to be done. It uses .pki/nssdb by default.
Firefox/Iceweasel web browser
The idea here is to point the existing nssdb files to the ones in .pki/nssdb:
cd .mozilla/firefox/your-profile/
rm cert9.db key4.db
ln -s ~/.pki/nssdb/key4.db .
ln -s ~/.pki/nssdb/cert9.db .
Thunderbird email client
The things you need to do are exactly the same as for Firefox, with the only exception that the default directory is .thunderbird/your-profile instead.
Final Note
At this point you should be able to see SSL content (web, mail, etc.) without a security warning, since your CA is trusted. Consider copying the NSS DB to /etc/skel, so that new users get it working automatically:
cp -r .pki /etc/skel
The first time a new user logs in, the nssdb will be copied from the skel directory and as a result the user will get the valid CA certificate. Read more here.
Dovecot IMAP Server
The Internet Message Access Protocol (IMAP) is one of the two most prevalent Internet standard protocols for e-mail retrieval. Dovecot is an open source IMAP server.
- IMAP host FQDN: mail1.dev.local, ip: 192.168.10.11, DNS alias: mail.dev.local
- Mailbox type: Maildir
- Mail location: /var/mail/<user>
- Communication: Only secure, TLS/SSL
Basic Installation
Here are a few simple steps to configure it. Let's install dovecot:
apt-get -y install dovecot-imapd
Dovecot V1.x Configuration
Ensure imaps is enabled in the following configuration (file /etc/dovecot/dovecot.conf):
protocols = imap imaps
mail_location = maildir:/var/mail/%u
Dovecot V2.0 Configuration
Set up the mail location (file /etc/dovecot/conf.d/10-mail.conf):
mail_location = maildir:/var/mail/%u
SSL
- Create an SSL certificate (see here). While answering the questions make sure of the following (this is the name the clients will use to access your IMAP server):
Common Name (eg, YOUR name) []:mail.dev.local
There are two important files created here: newreq.pem and newcert.pem. Rename those files:
mv newreq.pem mail-key.pem
mv newcert.pem mail-cert.pem
- Copy these files:
cp mail-cert.pem /etc/ssl/certs
cp mail-key.pem /etc/ssl/private
Dovecot V1.x Configuration
Let dovecot know about our certificates (file /etc/dovecot/dovecot.conf):
ssl_cert_file = /etc/ssl/certs/mail-cert.pem
ssl_key_file = /etc/ssl/private/mail-key.pem
Dovecot V2.0 Configuration
Let dovecot know about our certificates (file /etc/dovecot/conf.d/10-ssl.conf):
ssl_cert = </etc/ssl/certs/mail-cert.pem
ssl_key = </etc/ssl/private/mail-key.pem
- Restart dovecot:
/etc/init.d/dovecot restart
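As an added example (not part of the original post), the following script sanity-checks the Dovecot 2.x SSL settings from the steps above before you restart dovecot: that ssl_cert and ssl_key use the "<file" form (in v2 a value without the leading "<" is inline PEM data, not a file name), that the private key is readable by its owner only, and that the certificate's Common Name is the alias clients connect to (mail.dev.local). It assumes the expected CN is passed in and that openssl is available for the CN check; the check is skipped when it is not.

```shell
#!/bin/sh
# Added example (not part of the original post): sanity-check the Dovecot 2.x
# SSL settings from 10-ssl.conf before restarting dovecot. Assumptions: the
# settings use the "ssl_cert = <path" form shown above, and the expected CN
# (mail.dev.local, the name clients connect to) is passed in.

# ssl_path CONF KEY: print the file path behind "KEY = <path". Prints nothing
# when the setting is absent or the leading "<" was dropped (a v1 habit); in v2
# a value without "<" is treated as inline PEM data, not a file name.
ssl_path() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*<[[:space:]]*//p" "$1" | tail -n 1
}

# check_dovecot_ssl CONF CN: return 0 when cert and key files exist, the key is
# readable by its owner only, and the certificate subject carries CN=<CN>.
check_dovecot_ssl() {
    conf=$1; cn=$2
    cert=$(ssl_path "$conf" ssl_cert)
    key=$(ssl_path "$conf" ssl_key)
    [ -n "$cert" ] && [ -n "$key" ] \
        || { echo "ssl_cert/ssl_key missing or not written as '<file'"; return 1; }
    [ -f "$cert" ] || { echo "certificate '$cert' not found"; return 1; }
    [ -f "$key" ] || { echo "key '$key' not found"; return 1; }

    # The private key must not be readable by group or others.
    [ -z "$(find "$key" -perm -g+r -print)" ] && [ -z "$(find "$key" -perm -o+r -print)" ] \
        || { echo "key '$key' is readable by group or others"; return 1; }

    # Clients verify the name they connect to against the CN, so it must be the
    # alias (mail.dev.local), not the host's own FQDN. Skipped without openssl.
    if command -v openssl >/dev/null 2>&1; then
        subj=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 2>/dev/null) \
            || { echo "'$cert' is not a PEM certificate"; return 1; }
        case "$subj" in
            *"CN=$cn"|*"CN=$cn,"*) ;;
            *) echo "certificate subject '$subj' does not contain CN=$cn"; return 1 ;;
        esac
    fi
    echo "ok: $cert and $key for $cn"
    return 0
}
```

Run it as `check_dovecot_ssl /etc/dovecot/conf.d/10-ssl.conf mail.dev.local`; a key copied into /etc/ssl/private with its original mode is the case the permission check is there to catch.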
Troubleshooting: namespace missing
While upgrading to dovecot v2.1.7 I noticed the following error:
mail1 dovecot: imap(xxx): Error: user xxx: Initialization failed: namespace configuration error: inbox=yes namespace missing
mail1 dovecot: imap(xxx): Error: Invalid user settings. Refer to server log for more information.
You need to define the inbox namespace and explicitly set the `inbox` attribute (file /etc/dovecot/conf.d/10-mail.conf):
namespace inbox {
  inbox = yes
}
Restart dovecot and that fixes it.
Configure exim4 internet site; mail is sent and received directly using SMTP
This exim4 option lets you configure an SMTP server for your domain.
- SMTP host FQDN: mail1.dev.local, ip: 192.168.10.11
- Domain: dev.local, serves emails like user1@dev.local
- Delivery mode: Maildir
- Mail location: /var/mail/<user>