mod_auth_gssapi.git, branch client_reauth A GSSAPI based replacement for the aging mod_auth_kerb. Pack session data 2015-05-05T20:55:33+00:00 Simo Sorce simo@redhat.com 2015-05-05T20:55:33+00:00 675e965f6449922ae1354012bb78b7df2e00e33d This prevent any parsing ambiguity and also allow to easily expand the data saved by simply adding more fields when packing the data. 
This prevent any parsing ambiguity and also allow to easily expand
the data saved by simply adding more fields when packing the data.
Forcibly reset credentials on client request 2015-05-05T17:43:19+00:00 Simo Sorce simo@redhat.com 2015-04-19T20:47:28+00:00 219c9b85f4a4ae04d6578384ba7ff37e3b3f113d If a client, by its own initiative, decides to try to reset the credential status by sending an Authorization header, let's oblige and kill the current authorization context. In a connection oriented case we kill the GSS context, and if sessions are in use we set an expired, NULL session, so that the client will be effectively logged out unless a complete authentication is performed again. 
If a client, by its own initiative, decides to try to reset the
credential status by sending an Authorization header, let's oblige
and kill the current authorization context.

In a connection oriented case we kill the GSS context, and if
sessions are in use we set an expired, NULL session, so that the
client will be effectively logged out unless a complete authentication
is performed again.
Export variable with session expiration time 2015-05-05T17:41:29+00:00 Simo Sorce simo@redhat.com 2015-05-05T17:36:04+00:00 fafb5384785c76c1f96cc689677574cfe459f3b6 Closes #16 
Closes #16
Revert "Use aes-256-gcm rather than aes-128-cbc" 2015-04-23T18:51:00+00:00 Simo Sorce simo@redhat.com 2015-04-23T18:51:00+00:00 b88a443caf2e96814fa831fa62fe2022bf0c8f08 This reverts commit e9c92795d87a316ea47f6bf37c9636e86eec57e7. AESGCM is a neat idea but it is not really appropriate to be used in mod_auth_gssapi because we cannot gurantee that the nonce will never be reused. It is not very probable, and it is also not easy to force the server to generate so many encyrpted sessions to have a good chance of a collision that I know of, but better to avoid the whole issue, than risk unforseen cases where it may happen. 
This reverts commit e9c92795d87a316ea47f6bf37c9636e86eec57e7.

AESGCM is a neat idea but it is not really appropriate to be used in
mod_auth_gssapi because we cannot gurantee that the nonce will never be
reused. It is not very probable, and it is also not easy to force the
server to generate so many encyrpted sessions to have a good chance of
a collision that I know of, but better to avoid the whole issue, than
risk unforseen cases where it may happen.
Bump version to 1.2.0 2015-04-21T15:48:38+00:00 Simo Sorce simo@redhat.com 2015-04-21T15:48:38+00:00 98c182823c31529f70a8931dcdaf4c38db395d87 






Properly complete context establishment
2015-04-19T19:59:51+00:00

Simo Sorce
simo@redhat.com

2015-04-19T19:59:51+00:00

983ac18b86eb0059274692690e0cf925549174ac

On success do not forget to send the last negotiate packet (if any)
to the client within the 200 Reply.

Fixes #21





On success do not forget to send the last negotiate packet (if any)
to the client within the 200 Reply.

Fixes #21







Add support for delegate creds on basic auth
2015-04-14T17:52:05+00:00

Simo Sorce
simo@redhat.com

2015-04-14T17:52:05+00:00

0cea28e5b05b340bbb3b2b60e3a326a6a7d1fcb0

When doing fallback basic auth, we may also want to honor the
configured directive about storing delegated credentials.
Detect if we are configured to store them and set the appopriate
init_sec_context flag that will cause the accept_sec_context call
to get valid delegated credentials for later storage.





When doing fallback basic auth, we may also want to honor the
configured directive about storing delegated credentials.
Detect if we are configured to store them and set the appopriate
init_sec_context flag that will cause the accept_sec_context call
to get valid delegated credentials for later storage.







Bump version to 1.1.1
2015-04-02T22:00:51+00:00

Simo Sorce
simo@redhat.com

2015-04-02T22:00:51+00:00

384f937f4cd9c7c09ed9226b620fe33912fe46e5












Handle authentication on subrequests
2015-03-31T16:18:05+00:00

Simo Sorce
simo@redhat.com

2015-03-30T16:48:30+00:00

e5db7c1f5738c7874e73869a2f4511193f956b81

In some cases (like during directory listing) Apache will re-run the
authentication code. Many GSSAPI mechanism have replay detection so
we cannot simply rerun the accept_sec_context phase. Others require
multiple steps. When authntication has already been estalished just
implicitly consider the authentication successfully performed and
copy the user name. Otherwise fail.
If a subrequest hits a location with a different mod_auth_gssapi
configuration warn but do not error off right away.

Fixes #15





In some cases (like during directory listing) Apache will re-run the
authentication code. Many GSSAPI mechanism have replay detection so
we cannot simply rerun the accept_sec_context phase. Others require
multiple steps. When authntication has already been estalished just
implicitly consider the authentication successfully performed and
copy the user name. Otherwise fail.
If a subrequest hits a location with a different mod_auth_gssapi
configuration warn but do not error off right away.

Fixes #15







Escape principal name to remove the path separator
2015-03-26T20:43:11+00:00

Simo Sorce
simo@redhat.com

2015-03-26T20:30:56+00:00

286e3dac69c3d4b32db93de1f9937f434383588f

The principla name is used as a file name, any embedded path separators
are going to cause trouble if used in the file name, so we need to escape
them away. Usee ~ as the escape chracter (~~ to escape ~ itself)

Fixes #14





The principla name is used as a file name, any embedded path separators
are going to cause trouble if used in the file name, so we need to escape
them away. Usee ~ as the escape chracter (~~ to escape ~ itself)

Fixes #14