I have Kerberos-based authentication and I want to disable it on only root url: http://mysite.com/. And I want it to continue to work fine on any other page like http://mysite.com/page1.

I have such things in my .htaccess:

AuthType Kerberos
AuthName "Domain login"
KrbAuthRealms DOMAIN.COM
KrbMethodK5Passwd on
Krb5KeyTab /etc/httpd/httpd.keytab
require valid-user

I want to turn it off only for root URL. As workaround it is possible to turn off using .htaccess in virtual host config. Unfortunately I don't know how to do it.

Part of my vhost.conf:

    <Directory /home/user/www/current/public/>
            Options -MultiViews +FollowSymLinks
            AllowOverride All
            Order allow,deny
            Allow from all

UPD. I'm using Apache/2.2.3 (Linux/SUSE)

I tried to use such version of .htaccess:

SetEnvIf Request_URI ^/$ rootdir=1
Allow from env=rootdir
Satisfy Any
AuthType Kerberos
AuthName "Domain login"
KrbAuthRealms DOMAIN.COM
KrbMethodK5Passwd on
Krb5KeyTab /etc/httpd/httpd.keytab
require valid-user

Unfortunately such config turn Kerberos AuthType for all URLs. I tried to place first 3 lines

SetEnvIf Request_URI ^/$ rootdir=1
Allow from env=rootdir
Satisfy Any

after main block, but it didn't help me.

I moved mod_auth_kerb configuration to vhost.conf. And used Location directive to turn off authorisation on some URLs.

    # root_url
    <LocationMatch "(^\/$|^$)">
            Satisfy Any
    <Location /incidents/last>
            Satisfy Any

    <Directory /home/user/www/>
            Options -MultiViews +FollowSymLinks
            AllowOverride None
            Order allow,deny
            Allow from all
            AuthType Kerberos
            AuthName "Domain login"
            KrbAuthRealms DOMAIN.COM
            KrbMethodK5Passwd On
            Krb5KeyTab /etc/httpd/httpd.keytab
            require valid-user

That solved my problem.

How you do this will depend on whether you are using Apache 2.2 or Apache 2.4. I haven't actually tested these so it's entirely possible that it won't work at all or may need some tweaking.

For 2.2 we can use SetEnvIf to set a variable if they are requesting / and use Allow from and Satisfy any to control access. All of your existing config should stay as it is:

SetEnvIf Request_URI ^/$ rootdir=1
Allow from env=rootdir
Satisfy Any

With 2.4 there are changes to authentication and authorisation. We now have a set of <Require> blocks which you can wrap around any access control to fine-tune authorisation:

SetEnvIf Request_URI ^/$ rootdir=1

  AuthType Kerberos
  AuthName "Domain login"
  KrbAuthRealms DOMAIN.COM
  KrbMethodK5Passwd on
  Krb5KeyTab /etc/httpd/httpd.keytab
  Require valid-user
  Require env rootdir=1

The <RequireAny> block means that any one of the Require directives must match for authorisation to succeed. There are also <RequireAll> and <RequireNone> blocks.

  • I have Apache/2.2.3 (Linux/SUSE) installed. Unfortunately your solution for 2.2 doesn't work. I tried to add 3 lines from first block and it turned Kerberos-auth off on any page. I noticed that `Satisfy Any` itself turn off other auth-rules on any url. And first two lines didn't work without `Satisfy Any` – petRUShka Jul 03 '12 at 16:06
  • Could you update your question with the config you tried? – Ladadadada Jul 03 '12 at 16:30
  • I updated body of quiestion – petRUShka Jul 03 '12 at 16:50
  • It could be that it's in a `.htaccess` file. I'm not sure if the Request_URI variable gets the directory treatment but in case it does, could you try with `SetEnvIf Request_URI ^$ rootdir=1` instead? – Ladadadada Jul 03 '12 at 17:01
  • Thanks for help, but I solve my problem via Location directive (see my own answer) – petRUShka Jul 05 '12 at 08:47
  • By the way big thanks for `Satisfy Any` – petRUShka Jul 05 '12 at 08:47

Try AllowOverride None It will disable the .htacess

Amit Singh
  • What you said is correct but it doesn't answer the question. What he's trying to do is disable Kerberos authentication for the root of the site only. It's worth reading the whole question and not just the title. – Ladadadada Jul 03 '12 at 09:00