Friday, February 18, 2011

Apache Kerberos Authentication over SSL for SVN

Suppose you already have a web site working over SSL (see here) and you would like to add security on top of that, namely Kerberos for authentication. I assume you have seen the following:
  • Serving Multiple SVN Repositories with Apache (see here)
Once you have that in place, here we go:
  1. Install Kerberos authentication apache2 module:
    apt-get -y install krb5-user libapache2-mod-auth-kerb
    
  2. Configure client (file /etc/krb5.conf):
    [libdefaults]
            default_realm = DEV.LOCAL
    # ...
    [realms]
            DEV.LOCAL = {
                    # The entries below can be omitted when the KDC
                    # is discoverable through DNS SRV records
                    kdc = kdc.dev.local
                    admin_server = krb.dev.local
            }
    
    [domain_realm]
    
  3. Add http principal to kerberos:
    kadmin -p admin -q "addprinc -randkey http/web1.dev.local"
    kadmin -p admin -q "ktadd -k /etc/apache2/http.keytab http/web1.dev.local"
    chown root:www-data /etc/apache2/http.keytab
    chmod g=r,o= /etc/apache2/http.keytab
    
  4. Here is how to use kerberos authentication (read more here):
    <Location /svn/>
            Dav svn
            SVNParentPath /var/lib/svn/repos
    
            SVNListParentPath On
            SVNAutoVersioning On
    
            AuthName "DEV.LOCAL"
            AuthType Kerberos
            KrbMethodNegotiate On
            KrbMethodK5Passwd On
            KrbAuthoritative On
            KrbVerifyKDC On
            KrbAuthRealms DEV.LOCAL
            Krb5KeyTab /etc/apache2/http.keytab
            KrbServiceName http
    
            Require valid-user
    </Location>
    
  5. Restart apache daemon:
    /etc/init.d/apache2 restart
    
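Once the five steps are done, the two things most worth re-checking are the keytab permissions from step 3 and the directives in the step 4 block, since a forgotten `Require valid-user` or `KrbVerifyKDC Off` silently weakens the whole setup. The script below is an added example, not part of the original post or of mod_auth_kerb: it re-parses a `<Location>` block, compares it against the directives the post uses, and checks a keytab's mode against the `chmod g=r,o=` from step 3. The "weakened" variant of the block is constructed here for the demonstration; the directive names and expected values are the ones on the page. Checking the directive values and the owning group are assumptions about what counts as a pass for this particular setup.

```python
import os
import re
import stat

# The <Location /svn/> block from the page, used as the known-good input.
PAGE_LOCATION_BLOCK = """\
<Location /svn/>
        Dav svn
        SVNParentPath /var/lib/svn/repos
        SVNListParentPath On
        SVNAutoVersioning On
        AuthName "DEV.LOCAL"
        AuthType Kerberos
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        KrbAuthoritative On
        KrbVerifyKDC On
        KrbAuthRealms DEV.LOCAL
        Krb5KeyTab /etc/apache2/http.keytab
        KrbServiceName http
        Require valid-user
</Location>
"""

# Constructed weakened variant: KDC verification switched off and the
# Require line dropped, the two slips this audit is meant to catch.
WEAKENED_LOCATION_BLOCK = PAGE_LOCATION_BLOCK.replace(
    "KrbVerifyKDC On", "KrbVerifyKDC Off").replace("        Require valid-user\n", "")

# Directive -> value it must carry (names and values are from the page's block).
REQUIRED = {
    "AuthType": "Kerberos",
    "KrbAuthoritative": "On",   # no fall-through to other auth modules
    "KrbVerifyKDC": "On",       # check the service ticket against the keytab
    "Require": "valid-user",    # without it the AuthType line protects nothing
}


def parse_location_block(text):
    """Map lower-cased directive name -> value for the first <Location> block."""
    m = re.search(r"<Location[^>]*>(.*?)</Location>", text, re.S | re.I)
    if m is None:
        raise ValueError("no <Location> block found")
    directives = {}
    for raw in m.group(1).splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        directives[parts[0].lower()] = value  # Apache directive names are case-insensitive
    return directives


def audit_location_block(text):
    """Return {'errors': [...], 'warnings': [...]} for a Kerberos <Location> block."""
    d = parse_location_block(text)
    errors, warnings = [], []
    for name, expected in REQUIRED.items():
        actual = d.get(name.lower())
        if actual is None:
            errors.append(f"missing directive: {name} {expected}")
        elif actual.lower() != expected.lower():
            errors.append(f"{name} is {actual!r}, expected {expected!r}")
    if d.get("krbmethodk5passwd", "Off").lower() == "on":
        # Password fallback delivers the user's password to Apache as Basic auth,
        # which is why the page assumes the site already runs over SSL.
        warnings.append("KrbMethodK5Passwd On: password fallback must stay behind SSL")
    return {"errors": errors, "warnings": warnings}


def audit_keytab_mode(mode):
    """Check permission bits against the page's chmod g=r,o= (0640 expected)."""
    findings = []
    if mode & stat.S_IRWXO:
        findings.append("keytab is accessible to all users; run chmod o= on it")
    if mode & (stat.S_IWGRP | stat.S_IXGRP):
        findings.append("keytab group access should be read-only (g=r)")
    if not mode & stat.S_IRGRP:
        findings.append("the web server group cannot read the keytab")
    return findings


def audit_keytab(path, expected_group="www-data"):
    """Audit a keytab on disk: permission bits plus the owning group (assumed www-data)."""
    st = os.stat(path)
    findings = audit_keytab_mode(stat.S_IMODE(st.st_mode))
    if expected_group is not None:
        import grp
        group = grp.getgrgid(st.st_gid).gr_name
        if group != expected_group:
            findings.append(f"keytab group is {group}, expected {expected_group}")
    return findings


if __name__ == "__main__":
    print(audit_location_block(PAGE_LOCATION_BLOCK))
    print(audit_location_block(WEAKENED_LOCATION_BLOCK))
    print(audit_keytab_mode(0o644))
```

Run it against a copy of the real configuration with `audit_location_block(open("/etc/apache2/sites-available/<site>").read())` and `audit_keytab("/etc/apache2/http.keytab")`; an empty error list means the block still carries what the post configured. Whether the keytab actually contains the `http/web1.dev.local` principal is a separate check that `klist -k /etc/apache2/http.keytab` answers.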

Using Kerberos Principal for Authorization

When a user authenticates with Kerberos, the application receives not just the username but the username with its Kerberos realm attached. So in our case, for user1 you will get user1@DEV.LOCAL.

Authorization in Subversion

You can limit user access to a particular location by using the AuthzSVNAccessFile directive:
<Location /svn/project1/>
    AuthzSVNAccessFile /var/lib/svn/conf/access/project1.conf
</Location>
Here is the access file /var/lib/svn/conf/access/project1.conf:
[groups]
owner = user1@DEV.LOCAL
admins = user2@DEV.LOCAL
developers = user3@DEV.LOCAL, user4@DEV.LOCAL
buildprocess = user5@DEV.LOCAL

[/]
@owner = rw
@admins = r
@developers = rw
@buildprocess = r
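The practical consequence of the realm-qualified names is easy to get wrong: an entry written as `user1` never matches a principal that arrives as `user1@DEV.LOCAL`, and the user simply gets no access. The evaluator below is an added example, not part of the original post or of mod_authz_svn; it reads the page's project1.conf with configparser, expands groups, and resolves the most specific path section for a given principal. The conflict rule inside a section (a direct user entry beats a group entry, which beats `*`) and the handling of a `repo:` prefix are this example's simplifications, not a description of mod_authz_svn's full rule set; the second access file, with a read-only `/tags` section, is constructed here to show the path-specificity rule.

```python
import configparser
import posixpath

# Access file from the page (project1.conf), kept verbatim.
PROJECT1_CONF = """\
[groups]
owner = user1@DEV.LOCAL
admins = user2@DEV.LOCAL
developers = user3@DEV.LOCAL, user4@DEV.LOCAL
buildprocess = user5@DEV.LOCAL

[/]
@owner = rw
@admins = r
@developers = rw
@buildprocess = r
"""

# Constructed variant: developers may write everywhere except under /tags,
# and user5 loses access there entirely (empty value = no access).
TAGS_LOCKED_CONF = PROJECT1_CONF + """
[/tags]
@developers = r
user5@DEV.LOCAL =
"""


def load_access_file(text):
    """Return (groups, paths): groups -> set of members, path -> {entry: rights}."""
    cp = configparser.RawConfigParser(delimiters=("=",), allow_no_value=True)
    cp.optionxform = str  # keep principal names exactly as written
    cp.read_string(text)
    groups = {}
    if cp.has_section("groups"):
        for name, members in cp.items("groups"):
            groups[name] = {m.strip() for m in members.split(",") if m.strip()}
    paths = {}
    for section in cp.sections():
        if section == "groups":
            continue
        # "[repo:/path]" limits a rule to one repository; this example drops
        # the repository part and keys only on the path (simplification).
        path = section.split(":", 1)[1] if ":" in section else section
        paths[posixpath.normpath(path)] = dict(cp.items(section))
    return groups, paths


def _entry_rank(entry, user, groups):
    """0 for a direct user match, 1 for a group match, 2 for '*', None if no match."""
    if entry == user:
        return 0
    if entry.startswith("@") and user in groups.get(entry[1:], ()):
        return 1
    if entry == "*":
        return 2
    return None


def effective_access(groups, paths, user, path):
    """Set of rights ({'r','w'}, {'r'} or empty) for user on a repository path.

    Walks from the requested path up to '/' and stops at the first section
    with an entry that applies to the user; within that section the most
    specific entry decides (this example's ordering, see _entry_rank).
    """
    path = posixpath.normpath(path if path.startswith("/") else "/" + path)
    while True:
        best = None
        for entry, rights in paths.get(path, {}).items():
            rank = _entry_rank(entry, user, groups)
            if rank is not None and (best is None or rank < best[0]):
                best = (rank, rights or "")
        if best is not None:
            return set(best[1]) & {"r", "w"}
        if path == "/":
            return set()
        path = posixpath.dirname(path)


if __name__ == "__main__":
    groups, paths = load_access_file(PROJECT1_CONF)
    for who in ("user1@DEV.LOCAL", "user1", "user2@DEV.LOCAL"):
        print(who, sorted(effective_access(groups, paths, who, "/trunk")))
```

The `user1` versus `user1@DEV.LOCAL` lookups are the point: the unqualified spelling returns an empty set, which is what a "permission denied" from Apache looks like after a Kerberos login. Because denial is the default, a mistyped realm or an entry copied from a non-Kerberos setup fails closed rather than open, but it also means every entry in the access file has to carry the realm the KDC issues.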

5 comments:

  1. Great summary! It was indeed helpful.

  2. In a Windows domain, account passwords have to be changed periodically. Do I have to change something to make Kerberos work on SVN for Apache?

    Replies
    1. Kerberos and Windows domain authentication have much in common, but from the client (Apache web server) configuration standpoint, integration is handled a bit differently. It is recommended to use the SSPI authentication type to work with a Windows domain controller.

      Since both (Kerberos and Windows domain) serve a single sign-on purpose, any changes to a user account (including a password change) do not require any re-configuration on its clients.

    2. I suppose SSPI is installed on Windows machines, so I can use only LDAP, Kerberos or NTLM on Apache with SVN on Linux to allow clients to authenticate via AD authentication.

  3. Can Apache+SVN be set up to try Kerberos authentication, but then resort to AD if Kerberos does not succeed?
