mod_auth_gssapi.git, branch s4u2proxy A GSSAPI based replacement for the aging mod_auth_kerb. Add S4U2Proxy support 2014-07-20T12:38:14+00:00 Simo Sorce simo@redhat.com 2014-07-10T10:53:00+00:00 5401c93b3d84a58357ccf8321ffe165aabca8656 SU2Proxy support is enabled when GssapiUseS4U2Proxy is set to On When S4U2Proxy is enabled GssapiDelegCcacheDir is used to determine where delegated credentials are stored. The ccache type used is always of type FILE and is located in the provided directory (defaults to /tmp). The credentials are stored in a file named after the client credentials so the directory SHOUL NOT be world writeable if a mutiuser system is used as ccache file names are predictable. 
SU2Proxy support is enabled when GssapiUseS4U2Proxy is set to On
When S4U2Proxy is enabled GssapiDelegCcacheDir is used to determine
where delegated credentials are stored. The ccache type used is always
of type FILE and is located in the provided directory (defaults to /tmp).
The credentials are stored in a file named after the client credentials
so the directory SHOUL NOT be world writeable if a mutiuser system is
used as ccache file names are predictable.
Add permanent session keys support 2014-07-10T10:52:55+00:00 Simo Sorce simo@redhat.com 2014-07-07T15:42:57+00:00 6e86569afd4812f5674810ab66ee67fd5251d538 Keys (encryption+MAC) can now be stored in apache configuration. The key must be a base64 encoded blob of original length of 32 bytes (16 bytes for encryption and 16 for the MAC key) The format is: key:<base64 blob> 
Keys (encryption+MAC) can now be stored in apache configuration.
The key must be a base64 encoded blob of original length of 32 bytes
(16 bytes for encryption and 16 for the MAC key)

The format is:
key:<base64 blob>
Add mod_session support 2014-07-10T10:47:18+00:00 Simo Sorce simo@redhat.com 2014-04-21T20:36:56+00:00 63dbb99337d0423253cb1ead0dcc3da54af5d13e By setting GssapiUseSessions we enable the module to store a bearer token with the user and gss names in the client, this way we can allow clients to perform authentication once but then remain authenticaed for the duration of the session or until the original credentials expire. The Secure cookie used to store the token is encrypted using a randomly generated AES key at process startup. This means multiple apache servers will not be able to use the same cookie, however the client will reauth transparently if the cookie cannot be read. 
By setting GssapiUseSessions we enable the module to store a bearer
token with the user and gss names in the client, this way we can allow
clients to perform authentication once but then remain authenticaed
for the duration of the session or until the original credentials expire.

The Secure cookie used to store the token is encrypted using a randomly
generated AES key at process startup. This means multiple apache servers
will not be able to use the same cookie, however the client will reauth
transparently if the cookie cannot be read.
Add mod_auth_gssapi.h 2014-07-10T10:40:00+00:00 Simo Sorce simo@redhat.com 2014-07-10T09:43:55+00:00 342cea568dc94ed0d35dca27a90fc704d0424da1 Move all includes into it and also include config.h which was missing causing some ifdefed code not to be compiled. Also address includes conflict between httpd.h and config.h and the PACKAGE_* variables. 
Move all includes into it and also include config.h which was missing
causing some ifdefed code not to be compiled.
Also address includes conflict between httpd.h and config.h and the
PACKAGE_* variables.
Fix typo 2014-04-24T19:35:29+00:00 Simo Sorce simo@redhat.com 2014-04-24T19:35:22+00:00 197cf29a4ed19e6ec3a3e73e4798d4c114b428b0 






Use more readable configuration option names.
2014-04-21T15:00:11+00:00

Simo Sorce
simo@redhat.com

2014-04-21T15:00:11+00:00

1351170e9d7d58436ed52a5f9941bd51f3e1e1ac












Simplify configure.ac and makefile.am files
2014-04-16T01:44:49+00:00

Simo Sorce
simo@redhat.com

2014-04-16T01:08:52+00:00

122e879f09cd94d791e0f32141544dacc96bb135

Remove unnecessary cruft, that was only making things harder to read.





Remove unnecessary cruft, that was only making things harder to read.







Use appropriate flags so make dist works
2014-04-16T00:58:15+00:00

Simo Sorce
simo@redhat.com

2014-04-16T00:54:47+00:00

82b32d097d2e3f4e5b9c9f6c87a5ca016139d562

On my system I have high UIds, without tar-pax make dist fails.
Also add other useful parameters





On my system I have high UIds, without tar-pax make dist fails.
Also add other useful parameters







Set context data on the pool with a destructor
2014-04-16T00:53:15+00:00

Simo Sorce
simo@redhat.com

2014-04-16T00:50:36+00:00

574d469f451f2c68809c56a3a8c905a7800df33d

This way the context is available for the duration of the connection.
It is also properly freed if the connection is interrupted before the context
is fully established.





This way the context is available for the duration of the connection.
It is also properly freed if the connection is interrupted before the context
is fully established.







Fix use after free
2014-04-12T22:18:38+00:00

Simo Sorce
simo@redhat.com

2014-04-10T05:22:46+00:00

2d095d268ca359728d54d173c0a6943647e02a5b

On errors mc->ctx would be left pointing at the freed context,
make sure it is cleared if we delete the context.





On errors mc->ctx would be left pointing at the freed context,
make sure it is cleared if we delete the context.