Use of this module:

#0 Configuration decisions:
	(1) client service
		You will be using mod_kct with another module or
		cgi-bin application which expects to use a k5 service
		key for a user.  Find out what service you are going to
		be using.
	(2) web server principal name.  You will need a keytab
		to identify the web server to kct - get this from
		your kerberos realm administrator.
	(3) add acl line to kct.  Kct must agree to hand out service
		tickets for user X based on your web server principal
		name Y.  Contact your kerberos realm administrators and
		make sure this is done.
	(4) In order to talk https, your web server must have an
		X.509 certificate and the matching private key.

#1 build mod_kct.
	If you're reading this, you probably already have
	the source, but you can also check out a copy this way:
		cvs -d /afs/umich.edu/group/itd/umich/cvs/kct co mod_kct

	2 strategies:
	A. build in apache source tree.

		( This is possible *only!* if you also build mod_ssl
		in the apache source tree. )

		cd <apache-root>
		cvs -d /afs/umich.edu/group/itd/umich/cvs/kct co -d src/modules/kct mod_kct
		ed src/Configuration.tmpl
		/mod_setenvif/a
		# grrr. this should not be a hand edit.
		# AddModule modules/kct/mod_kct.o
		.
		w
		q
		LDFLAGS="-R/pathto/krb5/lib -R/pathto-ssl/lib" \
		KRB5_BASE=/pathto/krb5/ \
		SSL_BASE=/pathto/ssl/ \
		./configure \
		--enable-module=kct \
		--enable-module=ssl \
		--enable-module=so \
		--enable-rule=EAPI \
		... other options as needed

		( make & install as usual. )

		The LDFLAGS= line should be altered or left out
		if either or both of ssl and kerberos-5 do not have
		shared libraries in non-standard system locations.

		KRB5_BASE and SSL_BASE should not need to be specified
		(or may be set to STANDARD) if the base system has
		these in the standard place (i.e., under /usr rather
		than /usr/local).

	B. build as separate module.

		cd <somewhere>
		cvs -d /afs/umich.edu/group/itd/umich/cvs/kct co mod_kct
		cd mod_kct
		sh configure \
		  LDFLAGS="-R/usr/k5/lib -R/afs/umich.edu/group/itd/umich/project/openssl-0.9.7-beta3/lib" \
		  --with-ssl=/afs/umich.edu/group/itd/umich/project/openssl-0.9.7-beta3 \
		  --with-krb5=/usr/k5 \
		  --with-apxs=/usr/local/apache/bin/apxs \
		  --with-mod_ssl=/afs/umich.edu/group/itd/build/mdw/apache/sun4x_56/mod_ssl

	(Both -R paths must be in one quoted LDFLAGS value; split across
	arguments, the second one is taken as a bogus configure option.)

	Edit makefile to point to your
	[1] local apache 1.3.* package (installed area not source),
	[2] favorite openssl include files and libraries, and
	[3] favorite kerberos 5 include files and libraries.
	The openssl library needs to have the hooks to capture the
	handshake (needs work).  Use "make" to build it.

	Very Important: mod_ssl *Must* be linked with the same
	ssl library, which must capture the handshake.

#2 build and configure mod_ssl.
	You may need to re-link mod_ssl with the ssl library that
	captures the handshake you used in step #1.

	You also need to configure ssl to ask for a client-side certificate.

	One way to do this is to add (inside <IfModule mod_ssl.c>)
	  SSLCACertificateFile conf/ssl.crt/billdo-clientca2.pem
	  SSLVerifyDepth  1
	  SSLVerifyClient optional
	The certificate path above must point to the certificate/public key
	that you expect to be used by kca as the issuer for your
	realm.

#3 Install the binary
	make mod_kct.so
	cp mod_kct.so /usr/local/apache/libexec/mod_kct.so

	Or you can say
	make install
	(which will also add a LoadModule line to /usr/local/apache/conf/httpd.conf,
	which is step 4, next.)

	The "make install" will insert the LoadModule in the WRONG
	place.  It must occur in the file BEFORE the line that
	loads mod_ssl (so that it will be loaded AFTER), and it
	should be wrapped in <IfDefine SSL> like the mod_ssl line.

#4 Actual configuration.  Edit httpd.conf .

	<IfModule mod_kct.c>
	    kctengine <on|off>
	    kctverifyclient <on|off>
	    kctkeytab conf/web_server.<web server hostname>.keytab
	    kctwsname web_server/<web server hostname>
	    kctservicename afs
	    kcttgsservicename kct
	    kctkdcfullname krbtgt/<local realm>
	    kcttgsserverhostname <first kdc fqdn>
	    kcttgsserverport 5039
	    kctkctcachename FILE:/tmp/web_server
	    kctclientcacheprefix <prefix for user's cached credentials files>
	    kcttgslifetime 10h
	    kctrealm <local realm>
	</IfModule>

	The keytab (kctkeytab) must contain a key for the principal
	named by kctwsname.  The kctwsname and kctservicename must
	agree with the ACLs maintained by kct (XXX how
	is this done?).  kctservicename must identify the service ticket
	needed by your cgi script.  Sorry, this version can't get more
	than one service ticket (XXX FIXME).  Service tickets aren't
	good for more than 5 minutes; since cgi-bin scripts
	generally finish within several seconds, this should not
	be a problem.

	You will also need to add this with the other module
	load lines:

	LoadModule kct_module         libexec/mod_kct.so

	It's probably best to list this *after* any other modules
	that expect to use k5 service tickets acquired by this module.

#5 Restart server and test.  Access something like
	https://web-server-name/cgi-bin/env
	and see if -- what?  Currently (XXX FIXME) the client-side
	credentials cache isn't exported (KRB5CCNAME).
	XXX for now, look in /tmp/<uniqname> and see if
	a fresh ticket exists there.  Also make sure /tmp/web_server
	contains both a krbtgt and a ticket for kct.
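	The checks that steps #3 and #5 ask you to make by eye (LoadModule
	order and <IfDefine SSL> placement in httpd.conf, the kctwsname key
	in the keytab, a krbtgt and a kct ticket in /tmp/web_server) can be
	scripted.  The script below is an added example, not part of mod_kct
	or of this document's original instructions.  It assumes MIT-style
	"klist -k" and "klist -c" text output and a mod_ssl-style httpd.conf
	with "LoadModule ssl_module libexec/libssl.so" inside <IfDefine SSL>;
	the httpd.conf fragments, keytab and cache listings embedded in it are
	constructed samples (hosts under example.edu, realm EXAMPLE.EDU), so it
	runs offline.  On a real server, feed it the output of
	"klist -k conf/web_server.<host>.keytab" and "klist -c /tmp/web_server"
	and the contents of your httpd.conf instead.

```shell
#!/bin/sh
# Post-install sanity checks for a mod_kct deployment (added example, not
# part of mod_kct).  Assumptions: httpd.conf uses "LoadModule kct_module"
# and "LoadModule ssl_module" lines wrapped in <IfDefine SSL>; keytab and
# cache listings are in MIT "klist -k" / "klist -c" text form; all sample
# data below is constructed, not captured from a real host.

# check_loadmodule_order CONF_TEXT
# Succeeds when the first "LoadModule kct_module" line precedes the first
# "LoadModule ssl_module" line (step 3); fails if either line is missing.
check_loadmodule_order() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*LoadModule[[:space:]]+kct_module/ && !kct { kct = NR }
        /^[[:space:]]*LoadModule[[:space:]]+ssl_module/ && !ssl { ssl = NR }
        END { if (kct && ssl && kct < ssl) exit 0; exit 1 }'
}

# kct_inside_ifdefine_ssl CONF_TEXT
# Succeeds when the kct LoadModule line sits inside an <IfDefine SSL> block.
kct_inside_ifdefine_ssl() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*<IfDefine[[:space:]]+SSL>/        { depth++ }
        /^[[:space:]]*<\/IfDefine>/                    { if (depth > 0) depth-- }
        /^[[:space:]]*LoadModule[[:space:]]+kct_module/ { if (depth > 0) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# keytab_has_principal KLIST_K_TEXT PRINCIPAL
# Succeeds when the "klist -k" listing holds a key for PRINCIPAL.  The realm
# is stripped before comparing, so the kctwsname value (web_server/<host>)
# can be passed exactly as it appears in httpd.conf.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 ~ /^[0-9]+$/ { p = $2; sub(/@.*$/, "", p); if (p == want) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# cache_has_service KLIST_C_TEXT SERVICE
# Succeeds when the "klist -c" listing holds a ticket whose service principal
# has SERVICE as its first component ("krbtgt", "kct", ...).  Step 5 wants
# both krbtgt and kct present in /tmp/web_server.
cache_has_service() {
    printf '%s\n' "$1" | awk -v svc="$2" '
        $1 ~ /^[0-9]/ && NF >= 5 {
            p = $NF; sub(/@.*$/, "", p); split(p, c, "/")
            if (c[1] == svc) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# ---- constructed samples (not from any real server) -----------------------
GOOD_CONF='LoadModule env_module         libexec/mod_env.so
<IfDefine SSL>
LoadModule kct_module         libexec/mod_kct.so
LoadModule ssl_module         libexec/libssl.so
</IfDefine>'

# What "make install" tends to produce: kct after ssl and outside <IfDefine SSL>.
BAD_CONF='LoadModule env_module         libexec/mod_env.so
<IfDefine SSL>
LoadModule ssl_module         libexec/libssl.so
</IfDefine>
LoadModule kct_module         libexec/mod_kct.so'

KEYTAB_LISTING='Keytab name: FILE:conf/web_server.www.example.edu.keytab
KVNO Principal
---- ------------------------------------------------------------
   2 web_server/www.example.edu@EXAMPLE.EDU'

CACHE_LISTING='Ticket cache: FILE:/tmp/web_server
Default principal: web_server/www.example.edu@EXAMPLE.EDU

Valid starting     Expires            Service principal
10/01/02 09:00:00  10/01/02 19:00:00  krbtgt/EXAMPLE.EDU@EXAMPLE.EDU
10/01/02 09:00:01  10/01/02 09:05:01  kct/kdc1.example.edu@EXAMPLE.EDU'

# run_all_checks: returns 0 only when every check on the samples passes,
# printing the first failing condition otherwise.
run_all_checks() {
    check_loadmodule_order "$GOOD_CONF"  || { echo "kct must be loaded before ssl"; return 1; }
    kct_inside_ifdefine_ssl "$GOOD_CONF" || { echo "kct LoadModule not inside <IfDefine SSL>"; return 1; }
    keytab_has_principal "$KEYTAB_LISTING" web_server/www.example.edu \
                                         || { echo "keytab lacks key for kctwsname"; return 1; }
    cache_has_service "$CACHE_LISTING" krbtgt || { echo "no krbtgt in /tmp/web_server"; return 1; }
    cache_has_service "$CACHE_LISTING" kct    || { echo "no kct ticket in /tmp/web_server"; return 1; }
    echo "all checks passed"
}

run_all_checks
```

	Each function takes the text to inspect as its first argument, so on a
	live server you can write e.g. keytab_has_principal "$(klist -k
	conf/web_server.www.example.edu.keytab)" web_server/www.example.edu
	and check_loadmodule_order "$(cat /usr/local/apache/conf/httpd.conf)".
	The BAD_CONF sample reproduces the layout the text warns "make install"
	produces; both order checks reject it.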

#6 Use with AFS.
For use with AFS, you'll need another module to do a pagsh
(such as mod_pagsh or mod_afs [XXX not yet done]), and you'll need
something to set tokens, such as gettoken or mod_afs.

This software is
 Copyright (c) 2002
 The Regents of the University of Michigan
 ALL RIGHTS RESERVED

 permission is granted to use, copy, create derivative works
 and redistribute this software and such derivative works
 for any purpose, so long as the name of the university of
 michigan is not used in any advertising or publicity
 pertaining to the use or distribution of this software
 without specific, written prior authorization.  if the
 above copyright notice or any other identification of the
 university of michigan is included in any copy of any
 portion of this software, then the disclaimer below must
 also be included.

 this software is provided as is, without representation
 from the university of michigan as to its fitness for any
 purpose, and without warranty by the university of
 michigan of any kind, either express or implied, including
 without limitation the implied warranties of
 merchantability and fitness for a particular purpose. the
 regents of the university of michigan shall not be liable
 for any damages, including special, indirect, incidental, or
 consequential damages, with respect to any claim arising
 out of or in connection with the use of the software, even
 if it has been or is hereafter advised of the possibility of
 such damages.
