mod_auth_gssapi.git, branch rfc5929 A GSSAPI based replacement for the aging mod_auth_kerb. Experimental support for RFC5929 channel bindings 2014-03-26T03:17:35+00:00 Simo Sorce simo@redhat.com 2014-03-25T21:50:33+00:00 346bbdd8b12dd1dfc2acbd415a3aa07786e8b66b This code depends on a patch that has not yet been upstreamed in mod_ssl, it also require client support whichis not available in Firefox, unclear if available in Chrome or other similar browser. It is available on Windows systems when Extended Protection Authentication is enabled. 
This code depends on a patch that has not yet been upstreamed in mod_ssl,
it also require client support whichis not available in Firefox, unclear if
available in Chrome or other similar browser.

It is available on Windows systems when Extended Protection Authentication
is enabled.
Add normative reference documents 2014-03-26T00:54:14+00:00 Simo Sorce simo@redhat.com 2014-03-19T13:33:21+00:00 82c6eddc4dc60982db89fdc1f7a35bdd4465d324 






Implement checking for TLS connections
2014-03-13T20:02:03+00:00

Simo Sorce
simo@redhat.com

2014-03-13T20:02:03+00:00

66857a8e364591a3f28f47a61f893b400721e1a6

Obey the GSSSSLOnly setting.





Obey the GSSSSLOnly setting.







Allow context to be attached to the connection
2014-03-09T21:33:21+00:00

Simo Sorce
simo@redhat.com

2014-03-09T20:24:34+00:00

7454bf67ffe23a63fd530895b58f048f207b1e4f

This means the authentication is not repeated for every request but
is retained for the life of the connection.

This may be a security issue if a frontend proxy shares connections
between multiple users so must be used with care.
RFC 4559 warns that clients should not try SPNEGO if such a proxy
is present. Unfortuntely the RFC assumes a non-standard method to
determine if a proxy maintain separate connections.





This means the authentication is not repeated for every request but
is retained for the life of the connection.

This may be a security issue if a frontend proxy shares connections
between multiple users so must be used with care.
RFC 4559 warns that clients should not try SPNEGO if such a proxy
is present. Unfortuntely the RFC assumes a non-standard method to
determine if a proxy maintain separate connections.







Fix module name
2014-03-09T21:19:05+00:00

Simo Sorce
simo@redhat.com

2014-03-09T21:16:12+00:00

76a682eda05ce9f2705ccf17503fb3870b6b49ae

The module structure name used throughout the code didn't match the
name of the initialized structure, so the one used was always
uninitialized.





The module structure name used throughout the code didn't match the
name of the initialized structure, so the one used was always
uninitialized.







Add option to map GSS Name to local Name
2014-03-08T19:57:42+00:00

Simo Sorce
simo@redhat.com

2014-03-08T19:23:28+00:00

60509195fb41173ba8e6cfac8bf800935ebb86ad

Always preserves the received name in GSS_NAME.
In the kereberos case this will result in the environment variable
called GSS_NAME the user's principal, while REMOTE_USER will contain
the user name as mapped by the kerberos library.





Always preserves the received name in GSS_NAME.
In the kereberos case this will result in the environment variable
called GSS_NAME the user's principal, while REMOTE_USER will contain
the user name as mapped by the kerberos library.







Use the cred_store extension to save credentials
2014-03-08T19:25:39+00:00

Simo Sorce
simo@redhat.com

2014-02-15T22:33:31+00:00

84983406874813aeeba1d5e45a020c516ccd1b7c












Fix warnings
2014-02-15T22:33:00+00:00

Simo Sorce
simo@redhat.com

2014-02-15T22:33:00+00:00

fc6a0e4d06efe0320a8ad53331633e7f9e869f53












Add initial configure scripts
2014-02-15T21:45:39+00:00

Simo Sorce
simo@redhat.com

2014-02-15T20:59:06+00:00

4b6ed2bfeeb912272e57fe9365cb175fd06ed6b0












Example apache module conf
2014-02-15T19:25:09+00:00

Simo Sorce
simo@redhat.com

2014-02-13T22:52:39+00:00

4758b76d90376d6a861dde76f9bf48b420c87d67