How to configure Kerberos on Centreon

  • 4 July 2022
  • 1 reply
  • 200 views

Userlevel 4
Badge +16

In this article we will implement authentication based on the Kerberos protocol to connect yours users to the Centreon web interface. This authentication will be performed by the apache web server and will use Centreon's Web SSO functionality.


This article is only valid for CentOS 7 and Centreon 21.10 version.
Some adaptation need be done when configure it on different OS or different version of Centreon (like the path, the package names and apache configuration).

 

 

Prerequisites
 

On Active directory

To integrate Apache with the Kerberos Authentication we will need 3 things:

  1. A Type A DNS record of the FQDN used to join your monitoring like: centreon.archimede.net

  2. Dedicated active directory user for our Keberos application (here Centreon) ;

  3. A principal and a keytab file that you create with the following command:

ktpass -princ HTTP/centreon.archimede.net@ARCHIMEDE.NET -mapuser ${KERBEROS_USERNAME}@ARCHIMEDE.NET -pass ${KERBEROS_PASSWORD} -crypto ${ENCRYPTION_TYPE} -ptype KRB5_NT_PRINCIPAL -out C:\Temp\centreon.keytab

This command will create a keytab file with the following information:

  • The principal, here HTTP/centreon.archimede.net (even if we used https on our server, it’s still HTTP) ;

  • Bind to the dedicated user ;

  • The type of encryption ;

Be careful with the lower and upper case, the keytab file is case sensitive. So please use the domain in upper case and the FQDN in lower case !

You can now retry the keytab file and copy on your central server.

 

On your web browser

Here a good article (thanks to it) on how to configure your web browser.

 

Configuration of the Central Server
 

Kerberos Configuration

Once the keytab file is copy on the central server, you can copy in /etc/ and change the permission using the following command:

chown apache:root centreon.archimede.net.keytab
chmod 640 centreon.archimede.net.keytab

Then install the following package:

yum install httpd24-mod_auth_kerb.x86_64

Now we can configure the kerberos information on the central by editing the file /etc/krb5.conf:

If you need more information about the Kerberos, you can find the official documentation here

In a nutsheel:

  • KDC: The name or the address of your domain controller (most of the time).
  • admins_server: the name or the address or your master Kerberos server (most of tthe time it’s also the domain controller).
  • domain_realm: looks very close to your domain in fact.


Test your Kerberos Configuration

To be sure that your Centreon server can interact with your kerberos environment, you can try to get a kerberos ticket for your user own user:

kinit kriko@ARCHIMEDE.NET
Password for kriko@ARCHIMEDE.NET:

 Then the command klist should return you something like this:

#klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: kriko@ARCHIMEDE.NET

Valid starting Expires Service principal
04/05/2022 12:47:58 04/05/2022 22:47:58 krbtgt/ARCHIMEDE.NET@ARCHIMEDE.NET
renew until 04/12/2022 12:47:55

Now we can try to get a ticket for the Service Principal:

kvno HTTP/centreon.ARCHIMEDE.NET@ARCHIMEDE.NET

Then the command klist should return you something like this:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: kriko@ARCHIMEDE.NET

Valid starting Expires Service principal
04/05/2022 12:47:58 04/05/2022 22:47:58 krbtgt/ARCHIMEDE.NET@ARCHIMEDE.NET
renew until 04/12/2022 12:47:55
04/05/2022 12:48:40 04/05/2022 22:47:58 krbtgt/ARCHIMEDE.NET@ARCHIMEDE.NET
renew until 04/12/2022 12:47:55
04/05/2022 12:48:40 04/05/2022 22:47:58 HTTP/centreon.archimede.net@ARCHIMEDE.NET
renew until 04/12/2022 12:47:55

And then to check your keytab file, the following command should return nothing:

kinit -k -t /etc/centreon.archimede.net.keytab  HTTP/centreon.archimede.net@ARCHIMEDE.NET


Apache Configuration

Again this configuration is only for a Centreon 21.10 on CentOS 7, some adaptions need to be done for other version ;-)

All the configuration is done in /opt/rh/httpd24/root/etc/httpd/conf.d/10-centreon.conf:

Alias /centreon/api /usr/share/centreon
Alias /centreon /usr/share/centreon/www/

<LocationMatch ^/centreon/(?!api/latest/|api/beta/|api/v[0-9]+/|api/v[0-9]+\.[0-9]+/)(.*\.php(/.*)?)$>
ProxyPassMatch fcgi://127.0.0.1:9042/usr/share/centreon/www/$1
</LocationMatch>

<LocationMatch ^/centreon/(authentication|api/(latest|beta|v[0-9]+|v[0-9]+\.[0-9]+))/.*$>
ProxyPassMatch fcgi://127.0.0.1:9042/usr/share/centreon/api/index.php/$1
</LocationMatch>

ProxyTimeout 300

<VirtualHost *:80>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>

<VirtualHost *:443>
#####################
# SSL configuration #
#####################
SSLEngine On
SSLProtocol All -SSLv3 -SSLv2 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-DSS-AES256-GCM-SHA384:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ADH:!IDEA
SSLHonorCipherOrder On
SSLCompression Off
SSLCertificateFile /etc/pki/tls/certs/centreon.archimede.net.crt
SSLCertificateKeyFile /etc/pki/tls/private/centreon.archimede.net.key

<IfModule mod_security2.c>
# https://github.com/SpiderLabs/ModSecurity/issues/652
SecRuleRemoveById 200003
</IfModule>

<Directory "/usr/share/centreon/www">
DirectoryIndex index.php
Options Indexes
AllowOverride all
Order allow,deny
Allow from all
Require all granted
<IfModule mod_php5.c>
php_admin_value engine Off
</IfModule>

FallbackResource /centreon/index.html

AddType text/plain hbs
</Directory>

<Directory "/usr/share/centreon/api">
Options Indexes
AllowOverride all
Order allow,deny
Allow from all
Require all granted
<IfModule mod_php5.c>
php_admin_value engine Off
</IfModule>

AddType text/plain hbs
</Directory>

<Location /centreon>
AuthType Kerberos
AuthName "Kerberos Login"
KrbServiceName HTTP/centreon.archimede.net@ARCHIMEDE.NET
RequestHeader set X-Remote-User %{REMOTE_USER}s
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbSaveCredentials Off
KrbVerifyKDC On
KrbAuthRealms ARCHIMEDE.NET
Krb5KeyTab /etc/centreon.archimede.net.keytab
</Location>

</VirtualHost>

RedirectMatch ^/$ /centreon


Now if we access to https://centreon.archimede.net you should be connected automatically on your Centreon \o/


You can also use some RequireAny in the <Location /Centreon> to bypass the webSSO and still use the basic authentication on your Centreon:

<RequireAny>
Require expr "(%{HTTP_HOST} =~ /.*servernamewithoutdomain.*/)"
Require expr "(!%{HTTP_USER_AGENT} =~ .*Mozilla.*AppleWebKit.*Chrome.*Safari.*/)"
Require valid-user
</RequireAny>


Here for example, if I access to my server using servernamewithoutdomain FQDN, the WebSSO will be bypass and I can connect using a local user like admin.

The same if my user agent is different compare to the basic user agent (like a curl) the WebSSO is bypassed and I can use the classic mechanism for authentitication.

 

See also

Many thank to “L’atelier de Kermith” and this article.


1 reply

Badge +1

Thx Pierre,

I was searching for a solution to bypass sso in an autologin context.

Thx for the hint with RequireAny directive, I’m going to test that asap !

jfr

Reply