Offer Kerberos authentication to supporting browsers
authorQuentin Smith <quentin@mit.edu>
Fri, 24 Oct 2008 18:24:12 +0000 (14:24 -0400)
committerQuentin Smith <quentin@mit.edu>
Fri, 24 Oct 2008 18:24:12 +0000 (14:24 -0400)
svn path=/trunk/packages/sipb-xen-www/; revision=1235

debian/changelog
debian/control
files/etc/apache2/sites-available/ssl.mako

index 2f2e539..ef1e0da 100644 (file)
@@ -1,3 +1,9 @@
+sipb-xen-www (3.17) unstable; urgency=low
+
+  * Add Kerberos-authenticated web interface on port 442
+
+ -- Quentin Smith <quentin@mit.edu>  Fri, 24 Oct 14:22:21 -0400
+
 sipb-xen-www (3.16) unstable; urgency=low
 
   * Shorten initscript with spiffy new library from sipb-xen-base
index 714343f..4df8a5b 100644 (file)
@@ -8,5 +8,5 @@ Standards-Version: 3.7.2
 Package: sipb-xen-www
 Architecture: all
 Depends: ${misc:Depends}, libapache2-mod-fcgid, python-flup, python-cheetah, python-simplejson, sipb-xen-database-common, sipb-xen-vnc-client, kstart, debathena-afs-config, sipb-xen-base,
- libapache2-svn, postfix, subversion, zephyr-clients
+ libapache2-svn, libapache2-mod-auth-kerb, postfix, subversion, zephyr-clients
 Description: Install the sipb-xen-dev website
index d43eda1..dfd5af9 100644 (file)
@@ -4,12 +4,10 @@ hostname = cfg.web.hostname
 errmail  = cfg.web.errormail
 tracuri  = cfg.trac.uri
 %>
+Listen 442
 Listen 446
 
-<VirtualHost *:443>
-       ServerAdmin ${errmail}
-       ServerName ${hostname}:443
-       
+<%def name="invirt_webinterface()">
        DocumentRoot /var/www/sipb-xen-www
        <Directory /var/www/sipb-xen-www>
                Options Indexes FollowSymLinks MultiViews ExecCGI
@@ -18,10 +16,7 @@ Listen 446
                allow from all
        </Directory>
        <Location />
-               Require valid-user
-               AuthType SSLCert
-               AuthSSLCertVar SSL_CLIENT_S_DN_Email
-               AuthSSLCertStripSuffix "@MIT.EDU"
+${caller.body()}
        </Location>
 
        RewriteEngine On
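Review bot: `${caller.body()}` is now the only source of access control for `<Location />`, and nothing in the def states that contract. The `<Directory>` block above it still carries `allow from all`, so a later `<%call>` with an empty or incomplete body would render the whole interface with no `Require`/`AuthType` at all. I would add a Mako comment directly above the `<%def name="invirt_webinterface()">` line, which sits in the previous hunk: `## Callers MUST supply Require and AuthType in the call body; this def adds no authentication of its own.` The def opens and closes outside this hunk.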
@@ -56,7 +51,6 @@ Listen 446
        SSLCertificateKeyFile ssl/server.key
        
        SSLCACertificateFile ssl/mitCAclient.pem
-       SSLVerifyClient require
        SSLVerifyDepth 10
 
        SSLOptions +StdEnvVars
@@ -64,6 +58,32 @@ Listen 446
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
 
        Redirect /wiki ${tracuri}       
+</%def>
+<VirtualHost *:443>
+       ServerAdmin ${errmail}
+       ServerName ${hostname}:443
+       <%call expr="invirt_webinterface()">
+               Require valid-user
+               AuthType SSLCert
+               AuthSSLCertVar SSL_CLIENT_S_DN_Email
+               AuthSSLCertStripSuffix "@MIT.EDU"
+       </%call>
+       SSLVerifyClient require
+</VirtualHost>
+<VirtualHost *:442>
+       ServerAdmin ${errmail}
+       ServerName ${hostname}:442
+       <%call expr="invirt_webinterface()">
+               Require valid-user
+               AuthType Kerberos
+               KrbMethodNegotiate on
+               KrbMethodK5Passwd off
+               KrbAuthoritative off
+               KrbAuthRealms ${cfg.authn[0].realm}
+               Krb5Keytab /etc/invirt/keytab
+               KrbSaveCredentials off
+       </%call>
+       SSLVerifyClient optional
 </VirtualHost>
 
 <VirtualHost *:446>
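Review bot: The two virtual hosts hand the same application differently shaped identities. The 443 block strips `@MIT.EDU` with `AuthSSLCertStripSuffix`, while the 442 block has no equivalent, and mod_auth_kerb by default sets REMOTE_USER to the full principal including the realm. The application is not visible here, but unless it normalises the value, authorization keyed on the bare username will not match, and `Require valid-user` also admits principals with instance components in that realm. Consider `KrbLocalUserMapping on` where the installed module supports it, or explicit normalisation and rejection of non-user principals in the application. Separately, `KrbAuthoritative off` lets a failed Kerberos check fall through to other auth modules; on a Kerberos-only vhost `KrbAuthoritative on` fails closed. `SSLVerifyClient optional` still requests a certificate that this vhost never authenticates with, so `SSLVerifyClient none` would keep SSL_CLIENT_* values from sitting beside a Kerberos REMOTE_USER.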