From: Quentin Smith Date: Fri, 24 Oct 2008 18:24:12 +0000 (-0400) Subject: Offer Kerberos authentication to supporting browsers X-Git-Tag: sipb-xen-www/3.17~2 X-Git-Url: http://xvm.mit.edu/gitweb/invirt/packages/invirt-web.git/commitdiff_plain/862be5161d8f6b22ce2b62c9b6d030944a442fca?hp=96297aceb23c9363c37c27795253c35c431730f2 Offer Kerberos authentication to supporting browsers svn path=/trunk/packages/sipb-xen-www/; revision=1235 --- diff --git a/debian/changelog b/debian/changelog index 2f2e539..ef1e0da 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +sipb-xen-www (3.17) unstable; urgency=low + + * Add Kerberos-authenticated web interface on port 442 + + -- Quentin Smith Fri, 24 Oct 14:22:21 -0400 + sipb-xen-www (3.16) unstable; urgency=low * Shorten initscript with spiffy new library from sipb-xen-base diff --git a/debian/control b/debian/control index 714343f..4df8a5b 100644 --- a/debian/control +++ b/debian/control @@ -8,5 +8,5 @@ Standards-Version: 3.7.2 Package: sipb-xen-www Architecture: all Depends: ${misc:Depends}, libapache2-mod-fcgid, python-flup, python-cheetah, python-simplejson, sipb-xen-database-common, sipb-xen-vnc-client, kstart, debathena-afs-config, sipb-xen-base, - libapache2-svn, postfix, subversion, zephyr-clients + libapache2-svn, libapache2-mod-auth-kerb, postfix, subversion, zephyr-clients Description: Install the sipb-xen-dev website diff --git a/files/etc/apache2/sites-available/ssl.mako b/files/etc/apache2/sites-available/ssl.mako index d43eda1..dfd5af9 100644 --- a/files/etc/apache2/sites-available/ssl.mako +++ b/files/etc/apache2/sites-available/ssl.mako @@ -4,12 +4,10 @@ hostname = cfg.web.hostname errmail = cfg.web.errormail tracuri = cfg.trac.uri %> +Listen 442 Listen 446 - - ServerAdmin ${errmail} - ServerName ${hostname}:443 - +<%def name="invirt_webinterface()"> DocumentRoot /var/www/sipb-xen-www Options Indexes FollowSymLinks MultiViews ExecCGI 
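Review bot: The new `invirt_webinterface()` def in files/etc/apache2/sites-available/ssl.mako has no comment saying that the caller's body is the only source of authentication for the directory block it renders. The next hunk (-18,10) replaces the `Require valid-user`/`AuthType` lines with `${caller.body()}` beside the retained `allow from all`, and the hunk at -56,7 takes `SSLVerifyClient require` out of the shared part. A future `<%call>` with an empty or incomplete body would therefore render a virtual host with no access control. I would add a Mako comment directly above the def, for example `## Callers must supply Require and AuthType in the body and set SSLVerifyClient themselves; nothing in this def authenticates on its own.` The def's body continues outside this hunk.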
@@ -18,10 +16,7 @@ Listen 446 allow from all - Require valid-user - AuthType SSLCert - AuthSSLCertVar SSL_CLIENT_S_DN_Email - AuthSSLCertStripSuffix "@MIT.EDU" +${caller.body()} RewriteEngine On @@ -56,7 +51,6 @@ Listen 446 SSLCertificateKeyFile ssl/server.key SSLCACertificateFile ssl/mitCAclient.pem - SSLVerifyClient require SSLVerifyDepth 10 SSLOptions +StdEnvVars @@ -64,6 +58,32 @@ Listen 446 SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0 Redirect /wiki ${tracuri} + + + ServerAdmin ${errmail} + ServerName ${hostname}:443 + <%call expr="invirt_webinterface()"> + Require valid-user + AuthType SSLCert + AuthSSLCertVar SSL_CLIENT_S_DN_Email + AuthSSLCertStripSuffix "@MIT.EDU" + + SSLVerifyClient require + + + ServerAdmin ${errmail} + ServerName ${hostname}:442 + <%call expr="invirt_webinterface()"> + Require valid-user + AuthType Kerberos + KrbMethodNegotiate on + KrbMethodK5Passwd off + KrbAuthoritative off + KrbAuthRealms ${cfg.authn[0].realm} + Krb5Keytab /etc/invirt/keytab + KrbSaveCredentials off + + SSLVerifyClient optional
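Review bot: In the new port-442 virtual host, `KrbAuthoritative off` lets a failed Kerberos check fall through to any other authentication module loaded in Apache instead of being rejected by mod_auth_kerb; since Negotiate is the only method intended here (`KrbMethodK5Passwd off`), I would set `KrbAuthoritative on`. The two virtual hosts also give the application different identities: the certificate host strips `@MIT.EDU` with `AuthSSLCertStripSuffix`, while mod_auth_kerb normally sets REMOTE_USER to the full principal, so `Require valid-user` accepts any principal in the realm, instance principals included. The application code is not on this page, so confirm that it normalises and validates the name before mapping it to an account. With `SSLVerifyClient optional` and the shared `SSLOptions +StdEnvVars`, a client certificate can still populate the SSL_CLIENT_* variables on this host, so identity should be read from REMOTE_USER only. `Krb5Keytab /etc/invirt/keytab` should contain only the HTTP service key and be readable only by the Apache user; if other invirt services share that file, the web server should get its own keytab.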