mod_auth_gssapi.git/README, branch master A GSSAPI based replacement for the aging mod_auth_kerb. Add option to set alternative ccname env var 2017-02-08T12:39:47+00:00 Fraser Tweedale ftweedal@redhat.com 2017-02-04T06:33:18+00:00 eb8ed98b9ba758a0c8db67151c18d1dd943e4289 In some cases (e.g. if you want to convey the ccname over AJP) the request environment variable name "KRB5CCNAME" is not appropriate. Add the GssapiDelegCcacheEnvVar option that allows the env var name to be changed. Fixes: https://github.com/modauthgssapi/mod_auth_gssapi/issues/123 Reviewed-by: Simo Sorce <simo@redhat.com> Closes #124 Closes #123 
In some cases (e.g. if you want to convey the ccname over AJP) the
request environment variable name "KRB5CCNAME" is not appropriate.
Add the GssapiDelegCcacheEnvVar option that allows the env var name
to be changed.

Fixes: https://github.com/modauthgssapi/mod_auth_gssapi/issues/123

Reviewed-by: Simo Sorce <simo@redhat.com>
Closes #124
Closes #123
Add option to store the session encryption key. 2017-01-03T16:42:52+00:00 Simo Sorce simo@redhat.com 2016-12-16T14:43:25+00:00 e2a50ad80f55bf2a933ef177914caa5c7ac6f4a9 With the new 'file:' sytnax a session key can be automatically generated the first time mod_auth_gssapi runs and stored on the filesystem. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Robbie Harwood <rharwood@redhat.com> Closes #117 
With the new 'file:' sytnax a session key can be automatically generated
the first time mod_auth_gssapi runs and stored on the filesystem.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Robbie Harwood <rharwood@redhat.com>

Closes #117
Add docs for new GssapiDelegCcachePerms option 2016-12-01T10:46:15+00:00 Simo Sorce simo@redhat.com 2016-11-30T11:27:34+00:00 64b4fcf525abc4c1b08e67cb054a6b4ccdef8a08 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Isaac Boukris <iboukris@gmail.com> Closes #113 
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Isaac Boukris <iboukris@gmail.com>
Closes #113
Add support for GssapiImpersonate. 2016-06-09T14:11:43+00:00 Jan Pazdziora jpazdziora@redhat.com 2016-05-28T06:31:32+00:00 d1710aff7c72263f691f09f20f91922a3ce57cfc This is can be enabled on locations that are authenticated by another module to obtain a ticket for the user, so that the application gets access to krb5 credentials and all named attributes for the client. The service needs to be authorized by the KDC if there is the need to use credentials for further ticket acquisition by setting the ok_to_auth_as_delegate flag on the service principal. This will provide a forwardable ticket that can be used to obtain additional tickets via consrained delegation (also subkect to KDC access control). Signed-off-by: Jan Pazdziora <jpazdziora@redhat.com> Signed-off-by: Simo Sorce <simo@redhat.com> Close #92 
This is can be enabled on locations that are authenticated by another module
to obtain a ticket for the user, so that the application gets access to
krb5 credentials and all named attributes for the client.

The service needs to be authorized by the KDC if there is the need to use
credentials for further ticket acquisition by setting the
ok_to_auth_as_delegate flag on the service principal. This will provide a
forwardable ticket that can be used to obtain additional tickets via consrained
delegation (also subkect to KDC access control).

Signed-off-by: Jan Pazdziora <jpazdziora@redhat.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
Close #92
Additional python modules are needed. 2016-06-06T15:30:55+00:00 Jan Pazdziora jpazdziora@redhat.com 2016-06-06T14:05:47+00:00 d7e3594d7952bf19f70f9fee0a24b5909191e904 Failed imports were found in tracebacks in ./scratchdir/tests.log. Signed-off-by: Jan Pazdziora <jpazdziora@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> Close #89 
Failed imports were found in tracebacks in ./scratchdir/tests.log.

Signed-off-by: Jan Pazdziora <jpazdziora@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Close #89
The distribution does not ship ./configure, generate it. 2016-06-06T09:54:00+00:00 Jan Pazdziora jpazdziora@redhat.com 2016-06-06T07:41:48+00:00 401160bc57305929ca4c232f0246ef1159018c1e Signed-off-by: Jan Pazdziora <jpazdziora@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> Close #88 
Signed-off-by: Jan Pazdziora <jpazdziora@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Close #88
Clarify make test dependencies. 2016-06-02T14:14:15+00:00 Jan Pazdziora jpazdziora@redhat.com 2016-05-30T07:53:31+00:00 f78990a41e5b4beaec10315ac112dff2f00aedee Signed-off-by: Jan Pazdziora <jpazdziora@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> Close #85 
Signed-off-by: Jan Pazdziora <jpazdziora@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Close #85
Implement unique ccache names 2016-05-18T21:46:14+00:00 Robbie Harwood rharwood@redhat.com 2016-05-08T06:31:00+00:00 6a0bc4f5cd46b1ab85dba5bd2de28f568cc947b0 Unique ccache names may be requested using the GssapiDelegCcacheUnique configuration option. This option is off by default. If both unique ccache names and session use are enabled, then a mechanism for removing old ccaches must be supplied. Signed-off-by: Robbie Harwood <rharwood@redhat.com> Also-authored-by: Petr Vobornik <pvoborni@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
Unique ccache names may be requested using the GssapiDelegCcacheUnique
configuration option.  This option is off by default.  If both unique
ccache names and session use are enabled, then a mechanism for removing
old ccaches must be supplied.

Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Also-authored-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Cleanup s4u2proxy in mag_auth_basic 2016-02-18T01:44:36+00:00 Isaac Boukris iboukris@gmail.com 2016-02-16T23:21:25+00:00 5571d79a78a1360f2a56b22c6bf59640cf2c88e8 It doesn't have any effect since we set GSS_C_DELEG_FLAG when we initiate client credentials so we always get delegated TGT regardless of constrained delegation. This commit is not intended to change the current behaviour. See #70 Reviewed-by: Simo Sorce <simo@redhat.com> Closes #70 Closes #72 
It doesn't have any effect since we set GSS_C_DELEG_FLAG
when we initiate client credentials so we always get
delegated TGT regardless of constrained delegation.

This commit is not intended to change the current behaviour.

See #70

Reviewed-by: Simo Sorce <simo@redhat.com>
Closes #70
Closes #72
Add option to not send a Negotiate headers 2016-02-17T23:59:31+00:00 James Groffen james.groffen@dsto.defence.gov.au 2016-01-08T06:31:50+00:00 f9cc36700c95a88ff7d7489167094556ac0e75cc If negotiation was attempted but failed do not send a new Negotiate header. Useful when only one single sign on mechanism is allowed and to avoid misleading login prompts in some browsers. Added a test of the GssapiDontReauth option to the test suite. Also added SPNEGO no auth test. [SS: reworded and fixed commit subject/comment] [SS: fixed whitespace errors and 80 column wrappings] Reviewed-by: Simo Sorce <simo@redhat.com> Close #65 
If negotiation was attempted but failed do not send a new Negotiate header.
Useful when only one single sign on mechanism is allowed and to avoid
misleading login prompts in some browsers.

Added a test of the GssapiDontReauth option to the test suite.
Also added SPNEGO no auth test.

[SS: reworded and fixed commit subject/comment]
[SS: fixed whitespace errors and 80 column wrappings]

Reviewed-by: Simo Sorce <simo@redhat.com>

Close #65