
Setting up proxy for home use

Charles Hedrick edited this page Feb 8, 2018 · 1 revision

Proxy for home use

We currently only allow CS hosts to access the Kerberos server. But it's convenient to use Kerberos at home if you're going to be connecting to lots of different hosts. Recent versions of MIT Kerberos, and supposedly Windows, support a KDC proxy. Note that this proxy service is part of the web server that's bundled with IPA. We haven't exposed that web server outside Rutgers, so I wanted to put the proxy on a server that is exposed.

It's installed on services.cs.rutgers.edu.

yum install mod_wsgi
yum install python-kdcproxy

In /etc/httpd/conf.d/ssl.conf, in the virtual host declaration for services.cs.rutgers.edu, add

WSGIDaemonProcess kdcproxy processes=2 threads=15 maximum-requests=1000  display-name=%{GROUP}
WSGIImportScript /usr/lib/python2.7/site-packages/kdcproxy/__init__.py  process-group=kdcproxy application-group=kdcproxy
WSGIScriptAlias /KdcProxy /usr/lib/python2.7/site-packages/kdcproxy/__init__.py
WSGIScriptReloading Off

<Location "/KdcProxy">
    Satisfy Any
    Order Deny,Allow
    Allow from all
    WSGIProcessGroup kdcproxy
    WSGIApplicationGroup kdcproxy
</Location>

Also, add the following script, /var/www/services.cs/cgi-bin/anonticket.pl. It returns a credentials cache for anonymous.user, which users with two-factor authentication need in order to kinit: they have to pass it to kinit with the -T argument.

#!/usr/bin/perl -w
use strict;
use File::Temp qw(tempdir);

# generate and return a kerberos ticket cache for the anonymous user
# this is needed for users with two factor authentication to use with -T option in kinit

# keep the cache in a private, unpredictable directory rather than a fixed /tmp name;
# CLEANUP removes the directory (and the cache) when the script exits
my $dir = tempdir(CLEANUP => 1);
my $filename = "$dir/ccanon";

# use kinit to make the credentials cache; the cache name goes through the
# environment and the arguments are passed as a list, so nothing touches a shell
{
    local $ENV{KRB5CCNAME} = "FILE:$filename";
    system('kinit', '-k', '-t', '/etc/krb5.anonymous.keytab', 'anonymous.user') == 0
        or die "kinit failed: $?";
}

# read the cache
my $bytes;
open(my $fh, '<:raw', $filename) or die "cannot open file $filename";
my $bytes_read = read($fh, $bytes, 100000);
close($fh);
defined $bytes_read && $bytes_read > 0 or die "empty credentials cache";

# put it out as our response; the body is binary, so don't let perl translate it
binmode(STDOUT);
print "Content-Length: $bytes_read\n";
print <<EOF;
Content-Disposition: attachment
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary
Cache-Control: private
Pragma: private
Expires: Mon, 26 Jul 1997 05:00:00 GMT

EOF

print $bytes;
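Because anonticket.pl hands out a raw credentials cache, a client (or a monitoring check on the server) may want to confirm what it received before passing it to kinit -T. The added example below is not part of the original page: it parses the MIT FILE credential cache format (version 4) far enough to read the default principal and the krbtgt entry, and rejects a cache whose principal is not anonymous.user or whose TGT has already expired. The sample cache is constructed inline with the same layout by build_sample_ccache; the realm EXAMPLE.REALM, the dummy key and the ticket bytes are placeholders.

```python
"""Parse an MIT Kerberos FILE credential cache (format version 4) and check that
it is a usable anonymous.user armor cache.  Added example, not code from the page."""
import struct
import time

# --- minimal readers for the big-endian ccache layout ---
def _u16(b, o):
    return struct.unpack_from(">H", b, o)[0], o + 2

def _u32(b, o):
    return struct.unpack_from(">I", b, o)[0], o + 4

def _data(b, o):                 # counted octet string: uint32 length + bytes
    n, o = _u32(b, o)
    if o + n > len(b):
        raise ValueError("truncated ccache")
    return b[o:o + n], o + n

def _principal(b, o):            # uint32 name type, uint32 ncomp, realm, components
    _name_type, o = _u32(b, o)
    ncomp, o = _u32(b, o)
    realm, o = _data(b, o)
    comps = []
    for _ in range(ncomp):
        c, o = _data(b, o)
        comps.append(c.decode())
    return "/".join(comps) + "@" + realm.decode(), o

def _counted_list(b, o):         # addresses / authdata: uint32 count of (uint16 type, data)
    n, o = _u32(b, o)
    for _ in range(n):
        _t, o = _u16(b, o)
        _d, o = _data(b, o)
    return o

def parse_ccache(blob):
    """Return (default principal, [credential dicts]) for a v4 FILE ccache."""
    if blob[:2] != b"\x05\x04":
        raise ValueError("not a version-4 MIT credential cache")
    hlen, o = _u16(blob, 2)
    o += hlen                    # header tags (KDC time offset) are not needed here
    default, o = _principal(blob, o)
    creds = []
    while o < len(blob):
        client, o = _principal(blob, o)
        server, o = _principal(blob, o)
        _enctype, o = _u16(blob, o)
        _key, o = _data(blob, o)
        _authtime, o = _u32(blob, o)
        _starttime, o = _u32(blob, o)
        endtime, o = _u32(blob, o)
        _renew_till, o = _u32(blob, o)
        _is_skey, o = blob[o], o + 1
        _flags, o = _u32(blob, o)
        o = _counted_list(blob, o)   # addresses
        o = _counted_list(blob, o)   # authorization data
        ticket, o = _data(blob, o)
        _second_ticket, o = _data(blob, o)
        creds.append({"client": client, "server": server,
                      "endtime": endtime, "ticket_len": len(ticket)})
    return default, creds

def check_armor_cache(blob, expected_user="anonymous.user", now=None):
    """(ok, detail): ok only if the cache belongs to expected_user and holds a live TGT."""
    now = time.time() if now is None else now
    default, creds = parse_ccache(blob)
    if default.split("@")[0] != expected_user:
        return False, f"default principal is {default}, expected {expected_user}"
    tgts = [c for c in creds if c["server"].startswith("krbtgt/")]
    if not tgts:
        return False, "no krbtgt credential in cache"
    if all(c["endtime"] <= now for c in tgts):
        return False, "TGT has expired"
    return True, default

# --- constructed sample cache, written with the same layout (test data only) ---
def _put_data(d):
    return struct.pack(">I", len(d)) + d

def _put_principal(name):
    user, realm = name.split("@")
    comps = user.split("/")
    out = struct.pack(">II", 1, len(comps)) + _put_data(realm.encode())
    return out + b"".join(_put_data(c.encode()) for c in comps)

def build_sample_ccache(principal, tgt_endtime):
    realm = principal.split("@")[1]
    header = struct.pack(">HHii", 1, 8, 0, 0)      # one header tag: KDC time offset
    blob = b"\x05\x04" + struct.pack(">H", len(header)) + header + _put_principal(principal)
    cred = _put_principal(principal) + _put_principal(f"krbtgt/{realm}@{realm}")
    cred += struct.pack(">H", 18) + _put_data(b"\x00" * 32)    # aes256 enctype, dummy key
    cred += struct.pack(">IIII", 0, 0, tgt_endtime, 0)         # auth/start/end/renew_till
    cred += b"\x00" + struct.pack(">I", 0x40E10000)            # is_skey, ticket flags
    cred += struct.pack(">II", 0, 0)                            # no addresses, no authdata
    cred += _put_data(b"constructed-ticket") + _put_data(b"")  # ticket, second_ticket
    return blob + cred
```

A real cache fetched from the CGI is checked the same way: `check_armor_cache(open(path, "rb").read())`. Caches written by newer MIT releases also carry configuration entries (server principals under `krb5_ccache_conf_data/...`); they have the same record layout, so the parser walks past them and the krbtgt filter ignores them.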