Suppose you already have a web site working over SSL (see here) and you would like to add security on top of that, namely to use Kerberos for authentication. I assume you have seen the following:
- Serving Multiple SVN Repositories with Apache (see here)
Once you have that in place, here we go:
- Install the Kerberos authentication module for Apache:
apt-get -y install krb5-user libapache2-mod-auth-kerb
- Configure the client (file /etc/krb5.conf):
[libdefaults]
    default_realm = DEV.LOCAL
    # ...
[realms]
    DEV.LOCAL = {
        # The entries below can be commented out
        # when the KDC can be located via DNS
        kdc = kdc.dev.local
        admin_server = krb.dev.local
    }
[domain_realm]
- Add the HTTP service principal to Kerberos, export its key to a keytab, and make the keytab readable by Apache only:
kadmin -p admin -q "addprinc -randkey http/web1.dev.local"
kadmin -p admin -q "ktadd -k /etc/apache2/http.keytab http/web1.dev.local"
chown root:www-data /etc/apache2/http.keytab
chmod g=r,o= /etc/apache2/http.keytab
- Here is how to enable Kerberos authentication (read more here):
<Location /svn/>
    Dav svn
    SVNParentPath /var/lib/svn/repos
    SVNListParentPath On
    SVNAutoVersioning On
    AuthName "DEV.LOCAL"
    AuthType Kerberos
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    KrbAuthoritative On
    KrbVerifyKDC On
    KrbAuthRealms DEV.LOCAL
    Krb5KeyTab /etc/apache2/http.keytab
    KrbServiceName http
    Require valid-user
</Location>
- Restart the Apache daemon:
/etc/init.d/apache2 restart
Using Kerberos Principal for Authorization
When authenticating with Kerberos, the application receives not just the username but also the Kerberos realm attached to it. So in our case, for user1 you will get user1@DEV.LOCAL.
Authorization in Subversion
You can limit user access to a particular location by using the AuthzSVNAccessFile directive:
<Location /svn/project1/>
    AuthzSVNAccessFile /var/lib/svn/conf/access/project1.conf
</Location>
Here is the access file /var/lib/svn/conf/access/project1.conf (note that every user is written with the realm suffix, because that is the name Apache passes to Subversion):
[groups]
owner = user1@DEV.LOCAL
admins = user2@DEV.LOCAL
developers = user3@DEV.LOCAL, user4@DEV.LOCAL
buildprocess = user5@DEV.LOCAL
[/]
@owner = rw
@admins = r
@developers = rw
@buildprocess = r
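As an added check (this code is not part of the original post), the following Python resolves the effective permission a realm-qualified principal gets from an access file like the one above, so the file can be audited before it is deployed. It assumes a per-repository file without repo-prefixed sections and ignores the `*` wildcard; it also shows that a bare `user1` does not match `user1@DEV.LOCAL`.

```python
import configparser
import posixpath

# Constructed sample: the project1.conf access file shown on this page.
ACCESS_FILE = """\
[groups]
owner = user1@DEV.LOCAL
admins = user2@DEV.LOCAL
developers = user3@DEV.LOCAL, user4@DEV.LOCAL
buildprocess = user5@DEV.LOCAL
[/]
@owner = rw
@admins = r
@developers = rw
@buildprocess = r
"""

def parse_authz(text):
    """Parse an AuthzSVNAccessFile into (groups, rules keyed by path section)."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep case: 'user1@DEV.LOCAL' must not become 'user1@dev.local'
    cp.read_string(text)
    groups = {g: [m.strip() for m in v.split(",") if m.strip()]
              for g, v in cp.items("groups")}
    rules = {s: dict(cp.items(s)) for s in cp.sections() if s != "groups"}
    return groups, rules

def groups_of(principal, groups):
    """Groups containing the principal, directly or via nested @group members."""
    def contains(g, seen=frozenset()):
        return principal in groups[g] or any(
            m[1:] in groups and m[1:] not in seen and contains(m[1:], seen | {g})
            for m in groups[g] if m.startswith("@"))
    return {g for g in groups if contains(g)}

def effective_access(principal, path, groups, rules):
    """Return 'rw', 'r' or '' (denied): most specific path section wins; in a
    section a direct user entry beats group entries, taken in file order."""
    mine, p = groups_of(principal, groups), path
    while True:
        sec = rules.get(p)
        if sec is not None:
            if principal in sec:
                return sec[principal]
            for key, val in sec.items():
                if key.startswith("@") and key[1:] in mine:
                    return val
        if p == "/":
            return ""  # no rule anywhere up the tree: Subversion denies access
        p = posixpath.dirname(p)
```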
Great summary! It was indeed helpful.
In a Windows domain, account passwords have to be changed periodically. Do I have to change something to make Kerberos work on SVN for Apache?
Kerberos and Windows domain authentication have much in common, but from the client (Apache web server) configuration standpoint, integration is handled a bit differently. It is recommended to use the SSPI authentication type to work with a Windows domain controller.
Since both (Kerberos and Windows domain) serve the single sign-on purpose, any changes to a user account (including a password change) do not require any re-configuration on its clients.
I suppose SSPI is installed on Windows machines, so I can use only LDAP, Kerberos or NTLM on Apache with SVN on Linux to allow clients to authenticate via AD authentication.
Can Apache+SVN be set up to try Kerberos authentication, but then resort to AD if Kerberos does not succeed?