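# Testing Apache supporting the Negotiate authentication

## Prerequisites

    # apt-get install apache2-prefork-dev

## Build and install the mod_auth_gssapi module

### Checkout the code and build it

The CVS should be mirrored to the Moonshot repository; however, at the moment a direct link to SourceForge is used:

    $ cvs -d :pserver:anonymous@modauthkerb.cvs.sourceforge.net:/cvsroot/modauthkerb co -r moonshot_branch mod_auth_kerb
    $ cd mod_auth_kerb
    $ autoconf
    $ ./configure && make
    # make install

### Configure the module

    # a2enmod auth_gssapi    (or create the symlinks manually)
    # cat > /etc/apache2/conf.d/moonshot << EOF
    AuthType GSSAPI
    Require valid-user
    AddHandler cgi-script .cgi
    Options +ExecCGI
    EOF

Note: `AuthType` and `Require` are only valid in a per-directory context (`<Directory>`, `<Location>` or `.htaccess`). The enclosing container for the test directory appears to have been lost from this page and has to be restored around these directives.

### Add a fake Kerberos key to make the module happy

    # ktutil
    ktutil: addent -password -p HTTP/localhost@PROJECT-MOONSHOT.ORG -k 1 -e aes256-cts
    ktutil: wkt /etc/apache2/krb5.keytab
    ktutil: quit
    # chown www-data /etc/apache2/krb5.keytab
    # echo export KRB5_KTNAME=/etc/apache2/krb5.keytab >> /etc/apache2/envvars
    # /etc/init.d/apache2 restart

Note: a keytab holds the service's long-term key. The `chown` above changes only the owner, so also check that the file mode does not leave it readable by other local users (for example `chmod 600`).

### Prepare a CGI to test that the username gets passed

    # mkdir /var/www/moonshot
    # cat > /var/www/moonshot/hello.cgi << EOF
    #!/bin/sh
    echo "Content-Type: text/html"
    echo ""
    echo "You've been authenticated as \"\$REMOTE_USER\", congratulations."
    EOF

Note: the script has to be executable by the Apache user before the CGI handler can run it.

### Test the authentication using the simple client

    $ cd mod_auth_kerb/client && make
    $ ./http_client -m "{1.3.6.1.4.1.5322.22.1.18}" --user steve@local --password testing http://localhost/moonshot/hello.cgi

Note: a password given as a command-line argument is visible in the process list and in the shell history, so use this form only with throwaway test credentials.

Should output a few lines of EAP debugging followed by:

    Negotiate done: {1.3.6.1.4.1.5322.22.1.18}
    Source: steve@local
    Target: HTTP/localhost@
    You've been authenticated as "steve@local", nice to meet you.

Note: the last line is whatever hello.cgi prints; with the script shown above it ends in "congratulations." rather than "nice to meet you."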