Currently, I'm using Apache to host my project repos (Mercurial) and use Kerberos auth for users to push. The same Kerberos password is used to log in through SSH and there is an LDAP backend for user info (group, $HOME, default shell).
Now, I'm a bit paranoid and I want to periodically back up and push any changes I may have made where I may have forgotten to commit them.
I can do the commit just fine:
hg commit -u backup -m "Periodic commit"
However, I want to push and have it show up as the backup user.
I know one option is to create a new Kerberos user called backup and then I can push that way, but if my machine is ever compromised I don't want someone logging into my servers with the backup credentials.
I think that without a corresponding LDAP entry the backup user should not be able to log in, but it leaves an unsettling feeling in my stomach.
That's all background information though. My question is, can I have both Kerberos and file-based authentication in Apache? If so, how?
Here is the relevant part of my vhost.conf:
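<Location /repos>
    # Two AuthType lines in one section: the later one (Kerberos) takes effect
    AuthType Basic
    AuthName "repos"
    AuthType Kerberos
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    Krb5Keytab /path/to/keytab
    KrbAuthRealms REALM.TLD
    KrbServiceName http/[email protected]
    KrbLocalUserMapping On
    AuthLDAPUrl ldap://ldap/ou=People,dc=realm,dc=tld?uid
    # Method names are case-sensitive: GET (which also covers HEAD) stays
    # anonymous, every other method requires an authenticated user
    <LimitExcept GET>
        Require valid-user
    </LimitExcept>
</Location>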