Knowledge Base

Preserving for the future: Shell scripts, AoC, and more

Kerberos auth for my cgit project

I finally solidified my Kerberos authentication for my cgit solution. I recently added LDAP auth, and now we have the real authentication solution available (at least according to Kerberos people).

The relevant snippets of my Apache config file are the following.

SetEnv GIT_PROJECT_ROOT /var/www/git
SetEnv GIT_HTTP_EXPORT_ALL
# Note: SetEnv does not expand $VAR, so this line only defines a variable literally
# named "REMOTE_USER=$REDIRECT_REMOTE_USER" and is effectively a no-op. It is harmless
# here: Apache passes REMOTE_USER to the CGI once mod_auth_gssapi has authenticated the
# request (the REDIRECT_ prefix only matters after an internal redirect, which this
# ScriptAlias setup does not use), and git-http-backend enables git-receive-pack only
# when REMOTE_USER is set or http.receivepack is true.
SetEnv REMOTE_USER=$REDIRECT_REMOTE_USER
SetEnv GITWEB_CONFIG /etc/gitweb.conf
# This file will not work when it is in /usr/sbin.
ScriptAlias /git/ /usr/libexec/git-core/git-http-backend-mersey/
<Directory "/usr/libexec/git-core*">
   Options +ExecCGI +Indexes
   # Apache 2.4: Require replaces the 2.2-style Order/Allow pair (mod_access_compat).
   Require all granted
</Directory>
# Requires mod_macro (a2enmod macro on Debian; shipped with the httpd 2.4 package on RHEL).
# $rwstring and $rostring are complete Require arguments, e.g. "user alice" or "valid-user".
# Two Require lines at the same level are OR'd, so the first section admits either set.
<Macro Project $repository $rwstring $rostring>
   # Anchor the name: "^/git/$repository.*" would also match /git/$repository-other/...
   # Escape regex metacharacters in the name when invoking the macro.
   <LocationMatch "^/git/$repository(/.*)?$">
      AuthName "Git Access"
      Include conf.d/auth-gssapi.cnf
      #AuthUserFile /etc/git_access
      Require $rwstring
      Require $rostring
   </LocationMatch>
   # The push POST. This later section's Require set replaces the one above
   # (AuthMerging Off is the default), so only $rwstring applies to pushes.
   <LocationMatch "^/git/$repository/git-receive-pack$">
      AuthName "Git Access"
      Include conf.d/auth-gssapi.cnf
      #AuthUserFile /etc/git_access
      Require $rwstring
   </LocationMatch>
</Macro>
# Deny direct filesystem access to the repositories. This Directory block is NOT
# consulted for requests that arrive through the /git/ ScriptAlias (Apache maps those
# to the CGI under /usr/libexec, governed by the Location sections above), so a
# repository that has no Use line in git_access.conf is still exported anonymously by
# GIT_HTTP_EXPORT_ALL. A default-deny LocationMatch for ^/git/ at the top of that file
# closes the gap.
<Directory "/var/www/git">
   Require all denied
</Directory>
# Per-repository permissions: one Use Project <name> "<rw>" "<ro>" line each.
Include /etc/git_access.conf
# cgit
# https://ic3man5.wordpress.com/2013/01/26/installing-cgit-on-debian/
# depends on confs-enabled/cgit.conf
# Nothing in this block requires authentication: cgit reads the repositories straight
# from disk, so the per-repository rules under /git/ do not limit what the web view
# shows. Include conf.d/auth-gssapi.cnf plus a Require here too (unless cgit.conf
# already does) if browsing should be restricted as well.
<Directory "/usr/share/cgit/">
   SetEnv CGIT_CONFIG /etc/cgitrc
   SetEnv GIT_URL cgit
   AllowOverride all
   Options +ExecCGI +FollowSymLinks +Indexes
   DirectoryIndex cgit.cgi
   AddHandler cgi-script .cgi
   # mod_rewrite must be switched on explicitly in per-directory context.
   RewriteEngine On
   RewriteCond %{REQUEST_FILENAME} !-f
   RewriteCond %{REQUEST_FILENAME} !-d
   RewriteRule (.*) /cgit/cgit.cgi/$1 [END,QSA]
</Directory>
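The page does not show /etc/git_access.conf itself. As an added example (not the author's file), here is how the Project macro above is instantiated per repository, using hypothetical users alice and bob, a hypothetical second repository mbbmlib-private, and Require strings written for the short names that GssapiLocalName On produces:

```apache
# /etc/git_access.conf  (added example, not the author's file)
#
# Default deny for any repository that has no Use line below. The
# <Directory "/var/www/git"> block in the main config never sees requests
# that arrive through the /git/ ScriptAlias (Apache maps those to the CGI
# under /usr/libexec), and GIT_HTTP_EXPORT_ALL exports every repository.
# This must come first: later Location sections override earlier ones, and
# with AuthMerging Off (the default) a later Require set replaces this one.
<LocationMatch "^/git/">
   Require all denied
</LocationMatch>

# Use Project <name> "<rw Require args>" "<ro Require args>"
# Quoted arguments are substituted verbatim into the macro's Require lines.
# Names end up inside a regex: escape metacharacters, and list a name that
# is a prefix of another (mbbmlib, mbbmlib-private) before the longer one so
# that the longer one's section wins for its own paths.

# Public read, push only by alice (hypothetical user). "all granted" in the
# read slot lets anonymous clone/fetch through: Apache 2.4 skips
# authentication entirely when a userless Require succeeds. The
# git-receive-pack section carries only "user alice", so a push still gets
# the Negotiate challenge.
Use Project mbbmlib "user alice" "all granted"

# Private (hypothetical): any principal that authenticates may fetch,
# alice or bob may push.
Use Project mbbmlib-private "user alice bob" "valid-user"
```

Group-based rules ("Require group committers" or "Require ldap-group ...") work the same way but need the corresponding authorization provider (mod_authz_groupfile with an AuthGroupFile, or mod_authnz_ldap) loaded and configured.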

Here is the separate include file, conf.d/auth-gssapi.cnf.

# File: /etc/httpd/conf.d/auth-gssapi.cnf
# Startdate: 2022-06-13 14:10
# Usage: included by main config file in a few places
# History:
# Reference:
#    auth-ldap.cnf
AuthType GSSAPI
# Negotiate once, then ride a mod_session cookie so git does not redo
# the GSSAPI exchange on every request.
GssapiUseSessions On
Session On
# The cookie is the session: keep it off plain HTTP and away from scripts.
SessionCookieName s1_session path=/;httponly;secure;
GssapiCredStore keytab:/etc/httpd/keytab
GssapiCredStore ccache:/etc/httpd/krb5.cache
# Clients may present the session in this header instead of the cookie.
SessionHeader S1SESSION
# Key that protects the session; readable only by the httpd user.
GssapiSessionKey file:/etc/httpd/gssapisession.key
# Constrained delegation: only needed if the CGI must act as the user toward
# another Kerberos service, and the HTTP/ principal must be granted delegation
# rights in IPA (servicedelegationrule / servicedelegationtarget) for it to work.
GssapiImpersonate On
GssapiDelegCcacheDir /run/httpd/ccache
GssapiDelegCcachePerms mode:0660 gid:apache
GssapiUseS4U2Proxy On
GssapiAllowedMech krb5
# Fallback for clients without a ticket: the password travels in the Basic
# Authorization header, so this is only acceptable over TLS.
GssapiBasicAuth On
GssapiBasicAuthMech krb5
# Strip the realm so REMOTE_USER is "alice" rather than "alice@REALM";
# the Require user lists in git_access.conf must use the same form.
GssapiLocalName On

Some preparation of the file system is required too, of course.

sudo yum install mod_auth_gssapi mod_session
sudo -i
# the rest as root
# Host principal; the host that manages the service may (re)create its keytab by
# default. Otherwise kinit as an IPA admin here instead.
kinit -kt /etc/krb5.keytab
# I already have an existing ipa service for HTTP/server1.
# Without -r this generates new keys, invalidating any other keytab holding this principal.
# Paths match the GssapiCredStore lines in auth-gssapi.cnf.
ipa-getkeytab -p HTTP/server1.ipa.internal.com -k /etc/httpd/keytab
kinit -k -t /etc/httpd/keytab -c /etc/httpd/krb5.cache HTTP/server1.ipa.internal.com
# Only the httpd user may read the service key and its credential cache.
chown apache /etc/httpd/keytab ; chmod 0600 /etc/httpd/keytab
chown apache /etc/httpd/krb5.cache ; chmod 0600 /etc/httpd/krb5.cache
# Delegated ccaches land here; /run is tmpfs, so recreate it at boot (e.g. a tmpfiles.d entry).
mkdir -p /run/httpd/ccache ; chown apache:apache /run/httpd/ccache ; chmod 0770 /run/httpd/ccache

Test the Apache configuration and, if it is OK, reload it:

sudo httpd -t
sudo systemctl reload httpd

And now, on my git client, I can clear the credential cache:

git credential-cache exit

Ensure that the effective git config includes the following (http.emptyAuth lets git try authentication methods that need no username or password, such as Negotiate, before it prompts for credentials):

[http]
emptyAuth = true

Which I can set with:

git config --global http.emptyAuth true

And ensure I have a Kerberos ticket:

kinit

And then I can push to my remote.

$ git remote add server1 https://server1.ipa.internal.com/git/mbbmlib
$ git push server1
Enumerating objects: 3, done.
Counting objects: 100% (3/3), done.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (2/2), 229 bytes | 229.00 KiB/s, done.
Total 2 (delta 1), reused 0 (delta 0), pack-reused 0
To https://server1.ipa.internal.com/git/mbbmlib
   e0767c5..3a3c4d9  samplebranch -> samplebranch

I don't normally use my internal server name for my git remotes, but it's worth it if it can take advantage of the Kerberos tickets I already use for auth to the system anyway!

Update 2023-06-18

I used this reference: https://stackoverflow.com/questions/29095389/git-push-to-https-repository-from-intranet-application-with-kerberos-authenticat
