[36381] in Kerberos
Announcing mod_auth_gssapi
daemon@ATHENA.MIT.EDU (Simo Sorce)
Thu Aug 14 18:07:50 2014
Message-ID: <1408054010.15168.33.camel@willson.usersys.redhat.com>
From: Simo Sorce <simo@redhat.com>
To: kerberos@mit.edu
Date: Thu, 14 Aug 2014 18:06:50 -0400
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Hello list,
I have recently released a new module for Apache called mod_auth_gssapi
to modernize a little bit on the ancient and substantially unmaintained
mod_auth_kerb.
The code is here on github[1] for now, and packages will soon be
available for Fedora (and any other distro that wants to pick it up).
Highlights are:
- uses exclusively GSSAPI calls
- requires a modern MIT Kerberos version (at least 1.11)
- supports storing a bearer token in a secure, http-only, session cookie
automatically to avoid multiple round-trips in applications
- support enforcing the use of a TLS connection
- experimental support for channel bindings (depends on an unaccepted
Apache patch and browser support).
- optionally exports delegated credentials to support s4u2proxy based
operations in web applications
I had fun coding this, which started as an experiment on a boring plane
trip, I hope it can be of use to others.
Simo.
[1] https://github.com/modauthgssapi/mod_auth_gssapi
--
Simo Sorce * Red Hat, Inc * New York
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
