Enabling NTLM authentication under RHEL/Apache

From Labrats.us
Revision as of 20:12, 4 October 2015 by Sfiggins

Background

If you need your CGI scripts to know the remote (web client) user who is running IE under Windows, NTLM is a convenient protocol to use.  The user will not need to enter their credentials, and the CGI script can read the username from the REMOTE_USER environment variable.

Note that NTLMv1 is vulnerable to cracking; it was replaced by NTLMv2 in the Vista timeframe.

While there are many apparent alternatives for enabling this functionality on RHEL/Apache servers, only one (at the time of this writing) cleanly supports NTLMv2: a Python module called PyAuthenNTLM2.

Install

Note that this procedure was done on a RHEL6/httpd (Apache) box.

Become root

yum install httpd-devel
yum install python-devel
yum install python-crypto
wget http://archive.apache.org/dist/httpd/modpython/mod_python-3.3.1.tgz
tar zxf mod_python-3.3.1.tgz
cd mod_python-3.3.1
vi src/connobject.c
  change
     b == APR_BRIGADE_SENTINEL(b)
  to
     b == APR_BRIGADE_SENTINEL(bb)
./configure --with-apxs=/usr/sbin/apxs
make
make install

cd ..
wget https://github.com/Legrandin/PyAuthenNTLM2/archive/master.zip
unzip master
cd PyAuthenNTLM2-master
python setup.py install

cd /etc/httpd/conf.d/
cat >ntlm2.conf
<Location />
        AuthType NTLM
        AuthName TWTELECOM
        require valid-user

        PythonAuthenHandler pyntlm
        PythonOption Domain TWTELECOM
        PythonOption PDC srvdendc5
        PythonOption BDC srvdendc1
</Location>
^D

(The AuthName can be anything you want.  The PDC and BDC are domain controllers, and they should be near the server on the network.)


cd ../conf
vi httpd.conf
  Change
     KeepAlive Off
  To
     KeepAlive On

  At the end of the LoadModules section insert
     LoadModule python_module modules/mod_python.so

apachectl configtest

  (fix any errors and retry before continuing)

/etc/init.d/httpd restart
  (apachectl graceful doesn't quite do the job for whatever reason)

Test

cd /var/www/cgi-bin/
cat >whoami.cgi
#!/bin/sh
# Pass REMOTE_USER as a printf argument rather than embedding it in the format
# string, and return plain text so the value is never interpreted as HTML.
printf 'Content-type: text/plain\n\n%s\n' "$REMOTE_USER"
^D
chmod 755 whoami.cgi

On your Windows PC, using IE, open the URL http://yourserver/cgi-bin/whoami.cgi
Verify that your Windows username is displayed.
If it isn't, follow the steps in:
  https://github.com/Legrandin/PyAuthenNTLM2#troubleshooting
Important: you must completely exit IE and start it again for each test.
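Two things in the procedure above are easy to get wrong and hard to diagnose from the browser: httpd.conf must have KeepAlive On (NTLM authenticates the TCP connection rather than each request, so a closed connection drops the authenticated state) and mod_python must actually be loaded; and a CGI script should not trust REMOTE_USER blindly before logging or echoing it. The script below is an added example written for this page, not code from the original article or from PyAuthenNTLM2. The function names, the constructed sample config written by write_sample_conf, and the user name jdoe are assumptions; the DOMAIN\user shape of REMOTE_USER is what the config above (Domain TWTELECOM) produces.

```shell
#!/bin/sh
# Added example for this page; not part of the original article or of PyAuthenNTLM2.
# Function names and the sample config are constructed for illustration.

# write_sample_conf FILE KEEPALIVE: write a constructed httpd.conf fragment
# containing the two lines the procedure above edits.
write_sample_conf() {
    printf 'LoadModule python_module modules/mod_python.so\nKeepAlive %s\n' "$2" > "$1"
}

# check_keepalive CONF: succeeds only if "KeepAlive On" is set. Apache directive
# names and values are case-insensitive, hence grep -i.
check_keepalive() {
    grep -Eiq '^[[:space:]]*KeepAlive[[:space:]]+On[[:space:]]*$' "$1"
}

# check_python_module CONF: succeeds only if mod_python is loaded.
check_python_module() {
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+python_module[[:space:]]+modules/mod_python\.so' "$1"
}

# split_remote_user VALUE: accept a REMOTE_USER of the form DOMAIN\user or a bare
# user, reject anything outside a conservative character set (so the value is
# safe to log or echo back), and print "domain=... user=..." on one line.
split_remote_user() {
    value=$1
    [ -n "$value" ] || return 1
    case $value in
        *\\*\\*) return 1 ;;                      # more than one backslash
        *\\*) domain=${value%%\\*}; user=${value#*\\}
              [ -n "$domain" ] || return 1 ;;     # "\user" is malformed
        *)    domain=''; user=$value ;;
    esac
    for part in "$domain" "$user"; do
        case $part in *[!A-Za-z0-9._-]*) return 1 ;; esac
    done
    [ -n "$user" ] || return 1
    printf 'domain=%s user=%s\n' "$domain" "$user"
}

# Stand-alone demonstration against constructed input: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    conf=$(mktemp)
    write_sample_conf "$conf" Off
    check_keepalive "$conf" || echo "KeepAlive must be On for NTLM"
    write_sample_conf "$conf" On
    check_keepalive "$conf" && echo "KeepAlive ok"
    check_python_module "$conf" && echo "mod_python loaded"
    rm -f "$conf"
    split_remote_user 'TWTELECOM\jdoe'
    split_remote_user 'jdoe<script>' || echo "rejected unsafe REMOTE_USER"
fi
```

Run the checks against the real /etc/httpd/conf/httpd.conf before apachectl configtest; the REMOTE_USER validation is the piece to carry into any CGI that does more with the name than the whoami.cgi test above does.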