How to configure Kerberos on Centreon



In this article we will set up authentication based on the Kerberos protocol so that your users are logged in to the Centreon web interface with their domain credentials. The authentication itself is performed by the Apache web server (mod_auth_kerb); Apache then passes the authenticated user name to Centreon in a request header, which is what Centreon's Web SSO functionality consumes.


This article is only valid for CentOS 7 and Centreon 21.10.
Some adaptation is needed on another OS or another version of Centreon (paths, package names and the Apache configuration).


Prerequisites

On Active directory

To integrate Apache with Kerberos authentication we need 3 things:

  1. An A record in DNS for the FQDN used to reach the monitoring server, for example centreon.archimede.net. Use an A record rather than a CNAME: Kerberos clients may canonicalise the name and then ask for a service principal that the keytab does not contain.

  2. A dedicated Active Directory user (service account) for our Kerberos application, here Centreon.

  3. A service principal and a keytab file, created with the following command on a domain controller:

ktpass -princ HTTP/centreon.archimede.net@ARCHIMEDE.NET -mapuser ${KERBEROS_USERNAME}@ARCHIMEDE.NET -pass ${KERBEROS_PASSWORD} -crypto ${ENCRYPTION_TYPE} -ptype KRB5_NT_PRINCIPAL -out C:\Temp\centreon.keytab

This command creates a keytab file containing:

  • The principal, here HTTP/centreon.archimede.net (even if our server is served over HTTPS, the service class is still HTTP);

  • The mapping to the dedicated user (the SPN is added to that account);

  • The key derived from the password, for the chosen encryption type. Prefer AES256-SHA1 over RC4-HMAC; the account must be allowed to use AES encryption in Active Directory.

Be careful with lower and upper case, the keytab file is case sensitive. Use the realm in upper case and the FQDN in lower case!

Two more things to know about ktpass: it sets the account password to the value you pass, and every run increments the key version number (KVNO), so a keytab generated earlier stops working as soon as ktpass is run again for the same account. Treat the keytab like a password: anyone who can read it can impersonate the Centreon web server.

You can now retrieve the keytab file and copy it onto your central server.


On your web browser

Here is a good article (thanks to its author) on how to configure your web browser for Kerberos authentication.


Configuration of the Central Server

Kerberos Configuration

Once the keytab file has been copied to the central server, move it to /etc/ and restrict its permissions so that only the Apache user can read it (anyone who can read the keytab can impersonate the service):

chown apache:root /etc/centreon.archimede.net.keytab
chmod 640 /etc/centreon.archimede.net.keytab

Then install the following package:

yum install httpd24-mod_auth_kerb.x86_64

Now we can configure the Kerberos client on the central server by editing /etc/krb5.conf.

If you need more information about Kerberos, you can find the official documentation here.

In a nutshell:

  • kdc (in the [realms] section): the name or address of your domain controller (most of the time).
  • admin_server (in the [realms] section): the name or address of your master Kerberos server (most of the time it is also the domain controller).
  • [domain_realm]: maps DNS domain names to the realm; with Active Directory the realm is simply your DNS domain in upper case.
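The two steps above (keytab in place with safe permissions, then a minimal krb5.conf) as one script. This is an added example, not code from the original article or from Centreon; it assumes the realm ARCHIMEDE.NET, a domain controller named dc1.archimede.net, and that the keytab was copied to /root first. The realm is assumed to be the DNS domain in upper case, which is how Active Directory works.

```shell
#!/bin/sh
# Added example (not from the original article): install the keytab with
# restrictive permissions and render a minimal /etc/krb5.conf.
# Assumptions: realm ARCHIMEDE.NET, domain controller dc1.archimede.net
# (hostname assumed), keytab copied to /root/centreon.archimede.net.keytab.

# install_keytab SRC DEST OWNER GROUP
# Copies the keytab with mode 0640 in a single step, so it is never
# world-readable even for an instant; whoever can read the keytab can
# impersonate the HTTP service.
install_keytab() {
    install -o "$3" -g "$4" -m 0640 "$1" "$2"
}

# keytab_mode FILE -> octal permission bits, for a post-install check
keytab_mode() {
    stat -c '%a' "$1"
}

# render_krb5_conf REALM KDC -> minimal krb5.conf on stdout.
# [libdefaults] sets the default realm so "kinit user" works without @REALM;
# [realms] points the KDC and the admin server at the domain controller;
# [domain_realm] maps DNS names (note the leading dot) to the realm.
# The DNS domain is derived from the realm (AD convention: realm = domain in upper case).
render_krb5_conf() {
    realm="$1"
    kdc="$2"
    domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    cat <<EOF
[libdefaults]
    default_realm = $realm
    ticket_lifetime = 24h
    renew_lifetime = 7d

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# Run as root on the central server (commented out so the file is safe to source):
# install_keytab /root/centreon.archimede.net.keytab /etc/centreon.archimede.net.keytab apache root
# render_krb5_conf ARCHIMEDE.NET dc1.archimede.net > /etc/krb5.conf
```

Using install rather than cp followed by chmod avoids the short window in which the keytab sits on disk with the default umask permissions.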


Test your Kerberos Configuration

To be sure that your Centreon server can interact with your Kerberos environment, try to get a Kerberos ticket for your own user:

kinit kriko@ARCHIMEDE.NET
Password for kriko@ARCHIMEDE.NET:

Then the command klist should return something like this:

#klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: kriko@ARCHIMEDE.NET

Valid starting Expires Service principal
04/05/2022 12:47:58 04/05/2022 22:47:58 krbtgt/ARCHIMEDE.NET@ARCHIMEDE.NET
renew until 04/12/2022 12:47:55

Now we can try to get a service ticket for the service principal (same case as in the keytab: FQDN in lower case, realm in upper case):

kvno HTTP/centreon.archimede.net@ARCHIMEDE.NET

Then the command klist should return something like this:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: kriko@ARCHIMEDE.NET

Valid starting Expires Service principal
04/05/2022 12:47:58 04/05/2022 22:47:58 krbtgt/ARCHIMEDE.NET@ARCHIMEDE.NET
renew until 04/12/2022 12:47:55
04/05/2022 12:48:40 04/05/2022 22:47:58 krbtgt/ARCHIMEDE.NET@ARCHIMEDE.NET
renew until 04/12/2022 12:47:55
04/05/2022 12:48:40 04/05/2022 22:47:58 HTTP/centreon.archimede.net@ARCHIMEDE.NET
renew until 04/12/2022 12:47:55

And then, to check the keytab itself, authenticate as the service principal with the key it contains. On success the command prints nothing and exits 0 (klist then shows HTTP/centreon.archimede.net@ARCHIMEDE.NET as the default principal); a "Preauthentication failed" or "Key table entry not found" error means the keytab does not match what the KDC knows (wrong case, wrong KVNO because ktpass was run again since, or an encryption type the account is not allowed to use):

kinit -k -t /etc/centreon.archimede.net.keytab HTTP/centreon.archimede.net@ARCHIMEDE.NET
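A small check that goes one step further than the kinit test above: it inspects the keytab listing for the exact principal (case included), and refuses a keytab that only carries RC4 or DES keys. This is an added example, not from the original article; the klist output embedded below is constructed for the example and was not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the original article: verify that the keytab copied
# to the central server contains the HTTP service principal with the exact case
# the KDC expects, and that it does not rely on weak encryption types.
# Reads "klist -ket <keytab>" output on stdin. Usage on the server:
#   klist -ket /etc/centreon.archimede.net.keytab | check_keytab_listing HTTP/centreon.archimede.net@ARCHIMEDE.NET

# check_keytab_listing PRINCIPAL
#   exit 0: principal present with at least one AES key
#   exit 1: principal absent
#   exit 2: principal present but only with RC4/DES keys (ktpass -crypto too weak)
#   exit 3: principal present only in a different case (the keytab is case sensitive)
check_keytab_listing() {
    want="$1"
    listing=$(cat)
    # Keep only the data rows: "KVNO Timestamp Principal (enctype)".
    rows=$(printf '%s\n' "$listing" | grep -E '^ *[0-9]+ ' || true)
    exact=$(printf '%s\n' "$rows" | grep -F " $want " || true)
    if [ -z "$exact" ]; then
        # Same principal in another case is the classic ktpass mistake.
        lw=$(printf '%s' "$want" | tr 'A-Z' 'a-z')
        ci=$(printf '%s\n' "$rows" | tr 'A-Z' 'a-z' | grep -F " $lw " || true)
        [ -n "$ci" ] && return 3
        return 1
    fi
    if printf '%s\n' "$exact" | grep -qE '\(aes(128|256)-'; then
        return 0
    fi
    return 2
}

# Constructed samples of "klist -ket" output (not captured from a real server).
SAMPLE_GOOD='Keytab name: FILE:/etc/centreon.archimede.net.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 04/05/2022 12:00:00 HTTP/centreon.archimede.net@ARCHIMEDE.NET (aes256-cts-hmac-sha1-96)
   3 04/05/2022 12:00:00 HTTP/centreon.archimede.net@ARCHIMEDE.NET (aes128-cts-hmac-sha1-96)'

SAMPLE_RC4='Keytab name: FILE:/etc/centreon.archimede.net.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 04/05/2022 12:00:00 HTTP/centreon.archimede.net@ARCHIMEDE.NET (arcfour-hmac)'

SAMPLE_CASE='Keytab name: FILE:/etc/centreon.archimede.net.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 04/05/2022 12:00:00 HTTP/CENTREON.archimede.net@ARCHIMEDE.NET (aes256-cts-hmac-sha1-96)'
```

The KVNO column is also worth comparing with the output of kvno for the same principal: if the numbers differ, ktpass has been run again since the keytab was generated and the file must be regenerated.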


Apache Configuration

Again, this configuration is only for Centreon 21.10 on CentOS 7; some adaptation is needed for other versions ;-)

All the configuration is done in /opt/rh/httpd24/root/etc/httpd/conf.d/10-centreon.conf. The Kerberos-specific part is the <Location /centreon> block near the end; the rest is the usual Centreon configuration with HTTPS enabled:

Alias /centreon/api /usr/share/centreon
Alias /centreon /usr/share/centreon/www/

<LocationMatch ^/centreon/(?!api/latest/|api/beta/|api/v[0-9]+/|api/v[0-9]+\.[0-9]+/)(.*\.php(/.*)?)$>
ProxyPassMatch fcgi://127.0.0.1:9042/usr/share/centreon/www/$1
</LocationMatch>

<LocationMatch ^/centreon/(authentication|api/(latest|beta|v[0-9]+|v[0-9]+\.[0-9]+))/.*$>
ProxyPassMatch fcgi://127.0.0.1:9042/usr/share/centreon/api/index.php/$1
</LocationMatch>

ProxyTimeout 300

<VirtualHost *:80>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>

<VirtualHost *:443>
#####################
# SSL configuration #
#####################
SSLEngine On
SSLProtocol All -SSLv3 -SSLv2 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-DSS-AES256-GCM-SHA384:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ADH:!IDEA
SSLHonorCipherOrder On
SSLCompression Off
SSLCertificateFile /etc/pki/tls/certs/centreon.archimede.net.crt
SSLCertificateKeyFile /etc/pki/tls/private/centreon.archimede.net.key

<IfModule mod_security2.c>
# https://github.com/SpiderLabs/ModSecurity/issues/652
SecRuleRemoveById 200003
</IfModule>

<Directory "/usr/share/centreon/www">
DirectoryIndex index.php
Options Indexes
AllowOverride all
Order allow,deny
Allow from all
Require all granted
<IfModule mod_php5.c>
php_admin_value engine Off
</IfModule>

FallbackResource /centreon/index.html

AddType text/plain hbs
</Directory>

<Directory "/usr/share/centreon/api">
Options Indexes
AllowOverride all
Order allow,deny
Allow from all
Require all granted
<IfModule mod_php5.c>
php_admin_value engine Off
</IfModule>

AddType text/plain hbs
</Directory>

<Location /centreon>
AuthType Kerberos
AuthName "Kerberos Login"
KrbServiceName HTTP/centreon.archimede.net@ARCHIMEDE.NET
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbSaveCredentials Off
KrbVerifyKDC On
KrbAuthRealms ARCHIMEDE.NET
Krb5KeyTab /etc/centreon.archimede.net.keytab
# Without a Require directive Apache 2.4 logs "AuthType configured with no
# corresponding authorization directives" and never challenges the client.
Require valid-user
# "set" overwrites any X-Remote-User header sent by the client, so the PHP
# backend only ever sees the name Apache authenticated.
RequestHeader set X-Remote-User %{REMOTE_USER}s
</Location>

</VirtualHost>

RedirectMatch ^/$ /centreon


Now, if you access https://centreon.archimede.net, you should be logged in to Centreon automatically \o/

Two things to check if you are not. Web SSO must be enabled on the Centreon side with X-Remote-User as the header carrying the login, and the Centreon login must match what mod_auth_kerb puts in REMOTE_USER, which is the full principal (kriko@ARCHIMEDE.NET) unless you add KrbLocalUserMapping On to strip the realm. Keep in mind that the PHP backend on 127.0.0.1:9042 trusts the X-Remote-User header blindly: it must stay bound to localhost, and the header must be set with RequestHeader set (overwrite), never taken from the client.


You can also use a RequireAny block inside <Location /centreon> (next to the AuthType and Krb* directives) to bypass the Web SSO and still use Centreon's local authentication:

<RequireAny>
Require expr "%{HTTP_HOST} =~ /servernamewithoutdomain/"
Require expr "!(%{HTTP_USER_AGENT} =~ /Mozilla.*AppleWebKit.*Chrome.*Safari/)"
Require valid-user
</RequireAny>


Here, for example, if I access my server using the servernamewithoutdomain host name, the Web SSO is bypassed and I can log in with a local user such as admin.

The same applies if my user agent differs from a browser's (curl, for instance): the Web SSO is bypassed and I can use the classic authentication mechanism.

Note that both conditions are entirely under the client's control (anyone can send a different Host header or User-Agent), so they only choose which login method is offered; they never grant access by themselves, because requests that skip Kerberos still land on Centreon's login form. Keep strong passwords on the local accounts that remain usable this way.
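To check both paths from a shell rather than a browser, the following added example (not from the original article) classifies Apache's answer: a 401 carrying WWW-Authenticate: Negotiate means Kerberos is enforced, a plain 2xx/3xx means the request went through without a Kerberos challenge. It assumes the FQDN centreon.archimede.net and the short name centreon; the response headers embedded below are constructed for the example, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the original article: probe the Apache front-end and
# classify how it answers, so the SSO and bypass paths can be checked from a
# shell. Assumes the FQDN centreon.archimede.net and the short name "centreon"
# used in the RequireAny example above.

# classify_auth_response  <response headers on stdin>  -> prints one word:
#   negotiate : 401 with a Negotiate challenge (Kerberos SSO is being enforced)
#   granted   : 2xx/3xx without a challenge (SSO bypassed, or the ticket was accepted)
#   denied    : 401/403 without a Negotiate challenge
#   other     : anything else
classify_auth_response() {
    headers=$(cat)
    status=$(printf '%s\n' "$headers" | sed -n '1s|^HTTP/[0-9.]* \([0-9][0-9][0-9]\).*|\1|p' | tr -d '\r')
    if printf '%s\n' "$headers" | grep -qi '^WWW-Authenticate: *Negotiate'; then
        [ "$status" = "401" ] && { echo negotiate; return 0; }
    fi
    case "$status" in
        2*|3*) echo granted ;;
        401|403) echo denied ;;
        *) echo other ;;
    esac
}

# probe URL [HOST_HEADER] [USER_AGENT] : fetch the response headers only.
# Add "--negotiate -u :" to the curl line after a kinit to make curl present the
# ticket from the credential cache, as a Kerberos-enabled browser would.
probe() {
    url="$1"; host="${2:-}"; ua="${3:-Mozilla/5.0 AppleWebKit Chrome Safari}"
    if [ -n "$host" ]; then
        curl -sS -I -A "$ua" -H "Host: $host" "$url"
    else
        curl -sS -I -A "$ua" "$url"
    fi
}

# Expected on a working setup (network calls, so not run here):
#   probe https://centreon.archimede.net/centreon/ | classify_auth_response                 # negotiate
#   probe https://centreon.archimede.net/centreon/ centreon | classify_auth_response        # granted (Host bypass)
#   probe https://centreon.archimede.net/centreon/ '' 'curl/7.76' | classify_auth_response  # granted (User-Agent bypass)

# Constructed sample responses (not captured from a real server).
SAMPLE_CHALLENGE='HTTP/1.1 401 Unauthorized
Date: Tue, 05 Apr 2022 10:48:40 GMT
WWW-Authenticate: Negotiate
Content-Type: text/html; charset=iso-8859-1'

SAMPLE_BYPASS='HTTP/1.1 302 Found
Location: /centreon/login'

SAMPLE_DENIED='HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=iso-8859-1'
```

If the first probe returns granted instead of negotiate, Apache is not enforcing Kerberos on /centreon at all (typically a missing Require directive), and the Web SSO header is empty rather than trusted.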


See also

Many thanks to "L'atelier de Kermith" and this article.


4 replies


Thanks Pierre,

I was searching for a solution to bypass SSO in an autologin context.

Thanks for the hint with the RequireAny directive, I'm going to test that ASAP!

jfr


Hello, thanks for this topic.

I have a question about Red Hat Enterprise Linux release 8.

It seems there is no longer a Kerberos module for Apache,

and even if they were installed by default, I cannot load them.

Do you have any clue?

Thanks in advance

apachectl configtest
AH00526: Syntax error on line 80 of /etc/httpd/conf.d/10-centreon.conf:
Invalid command 'KrbServiceName', perhaps misspelled or defined by a module not included in the server configuration


I think 2 solutions are possible, as the Kerberos module is no longer available for httpd in RHEL 8.

A minimal configuration is the following.


<Location /gssapi>
AuthType GSSAPI
AuthName "GSSAPI Single Sign On Login"
GssapiCredStore keytab:/etc/httpd/jboss-all.keytab
Require valid-user
</Location>

If mod_session is needed, some more options are needed in the location (a cookie will then be set and no more re-negotiations will be executed).


<Location "/gssapi">
AuthType GSSAPI
AuthName "GSSAPI Single Sign On Login"
GssapiCredStore keytab:/etc/httpd/jboss-all.keytab
GssapiUseSessions On
Session On
SessionCookieName gssapi_session path=/gssapi;httponly;
Require valid-user
</Location>

Hello,

I tested this implementation (CentOS 7) but it does not work in version 22.10. Do you have a solution? Have you tested with 22.10?

In the httpd logs I have this: "AuthType configured with no corresponding authorization directives"

