search

gssapi / mod_auth_gssapi

GSSAPI Negotiate module for Apache
Other
95 stars 38 forks source link

Impersonate authenticated user with ProxyPass #283

Open HamburgerJungeJr opened 1 year ago

HamburgerJungeJr commented 1 year ago

Hi,

I try to get the option GssapiImpersonate working.

Situation: User -----> Apache Proxy --------> Service with Kerberos

My goal is that the user is authenticated on the proxy and the proxy the impersonates the user to provide access to the service. For the sake of simplicity currently the user should authenticate with Basic Auth to the proxy, but this could be replaced by some central auth with MFA or equal.

The docs for GssapiImpersonate state:


The principal of the user is retrieved from the internal r->user identifier which typically holds the username from the authentication results.

So if I understand this correctly: I have an Apache module which sets the variable r->user. mod_auth_gssapi then queries the KDC (in my case MS AD) and gets a kerberos ticket for the username from r->user

My problem is that I get a ticket for the username in GssapiDelegCcacheDir but the proxy request passes the Basic Auth header instead of a kerberos header.

My config: site.conf

<VirtualHost proxy.myproxydomain:80>
        SSLProxyEngine On
        ServerName proxy.myproxydomain
        LogLevel debug
</VirtualHost>

<Location />
        AuthType Basic
        AuthName "SharedSecert-Auth"
        AuthBasicProvider sharedsecret
        AuthSharedSecret "pass"

        GssapiImpersonate On
        GssapiDelegCcacheDir /var/run/httpd/krbcache
        GssapiUseS4U2Proxy Off
        GssapiCredStore client_keytab:/etc/apache2/kerb.keytab
        GssapiCredStore ccache:FILE:/var/run/httpd/krb5ccache
        GssapiCredStore keytab:/etc/apache2/kerb.keytab
        GssapiUseSessions On
        Session On
        SessionCookieName gssapi_session path=/private;httponly;secure; 
        GssapiBasicAuth Off
        GssapiAllowedMech krb5
        Require valid-user

        ProxyPass http://mybackendhost/
</Location>

(The auth module sharedsecret is this module: https://codeberg.org/HamburgerJungeJr/mod_authn_sharedsecret it just puts the username in r->user and accepts the same password for all users, so I dont have to add users for testing)

/etc/krb5.conf

[libdefaults]
    default_realm = MYREALM
    default_tkt_enctypes = aes256-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 
#    permitted_enctypes = aes256-cts-hmac-sha1-96

[realms]
    MYREALM = {
            kdc = myadserver
            admin_server = myadserver
    }

[domain_realm]
    .myproxydomain = MYREALM
    myproxydomain = MYREALM

cache ticket - klist -c /var/run/httpd/krbcache/myuser@MYREALM (German system)

Ticketzwischenspeicher: FILE:myuser@MYREALM
Standard-Principal: myuser@MYREALM

Valid starting       Expires              Service principal
11.02.2023 15:35:22  12.02.2023 00:05:10  proxykeytabuser@MYREALM
        erneuern bis 12.02.2023 14:05:10
11.02.2023 14:05:10  12.02.2023 00:05:10  krbtgt/MYREALM@MYREALM
        für Client proxykeytabuser@MYREALM, erneuern bis 12.02.2023 14:05:10

I set the user to be allowed for delegation any authentication protocol on the AD.

Did I minsunderstand the function of GssapiImpersonate or do I have an error in my configuration?

simo5 commented 1 year ago

What mod_auth_gssapi can do is to prepare a ticket valid for impersonation, but it is not built to try and perform "middle man" authentication when used in a proxy.

So I would say you misunderstood what it can do on its own. However I guess you could have some other code use the ticket created by mod_auth_gssapi to perform a Negoiate authentication request against the target service. A simple python script using requests-gssapi would probably be enough.