Commit message | Author | Age | Files | Lines
This code allows specifying which attributes in a name are interesting
to the application and sets them as named environment variables.
Optionally the whole set of attributes can be exported in a JSON
formatted structure.
Signed-off-by: Simo Sorce <simo@redhat.com>
Close #62
Close #63
In preparation for the next commit.
Signed-off-by: Simo Sorce <simo@redhat.com>
If the session is expired, then set established to false to
force re-authentication.
Reviewed-by: Simo Sorce <simo@redhat.com>
Close #57
On September 3rd, 1976 the Viking 2 lander separates from the orbiter and
lands at Utopia Planitia on Mars...
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Closes #56
Reviewed-by: Simo Sorce <simo@redhat.com>
Closes #55
A check inversion in 86661d07812b010b8cf664c2dab596be15ff1e31 caused
the specified session key to be ignored and a crash when none was
specified.
Signed-off-by: Simo Sorce <simo@redhat.com>
If gssapi/gssapi_ntlmssp.h is not available, simply disable NTLMSSP.
Coauthored
Signed-off-by: Dennis Schridde <dennis.schridde@uni-heidelberg.de>
Signed-off-by: Simo Sorce <simo@redhat.com>
Closes #52
Closes #53
Closes #54
Add symlink to .md so the markdown is picked up.
Updated styling and fixed a couple of typos.
Simo: Changed rename into a symlink. Reworded commit message
Reviewed-by: Simo Sorce <simo@redhat.com>
Closes #51
Add appropriate authorization headers to test with SPNEGO too as
discussed in #48.
Requires a recent version of the python-gssapi module, see:
https://github.com/pythongssapi/python-gssapi/pull/74
Simo: Squashed original patches in one, removed trailing whitespaces
and reworded the commit message.
Reviewed-by: Simo Sorce <simo@redhat.com>
Closes #49
The /tmp directory can lead to bugs and DoS of the apache process
because any user on the system can block the creation of predictable
file names.
Simply error out if GssapiDelegCcacheDir is not explicitly set.
Signed-off-by: Simo Sorce <simo@redhat.com>
This avoids a potential race condition if the first 2 requests come in at the
same time. It also avoids issues with forked apache processes which may end
up with different keys per fork.
Signed-off-by: Simo Sorce <simo@redhat.com>
This code has been changed to use apr pools for memory allocation, so the
error path is wrong as free() is not called on malloc()ed memory anymore.
Remove the calls to free(); the mempool is cleaned up by callers.
Signed-off-by: Simo Sorce <simo@redhat.com>
Add test for second user on the same connection with the password
of the first user and without auth at all.
Reviewed-by: Simo Sorce <simo@redhat.com>
Closes #48
Reviewed-by: Simo Sorce <simo@redhat.com>
Proxy auth headers are a little different.
Sessions cannot be used as we cannot set a cookie.
Reviewed-by: Simo Sorce <simo@redhat.com>
Make sure each request is authenticated according to given credentials
even when GssapiConnectionBound is set.
Reviewed-by: Simo Sorce <simo@redhat.com>
This lets browsers fall back to basic auth if supported
(similar to 4e7967e797e5c8912a67c0de8f172bb95b5172ff).
Add boolean param to is_mech_allowed which denotes whether
the caller supports multiple step.
Reviewed-by: Simo Sorce <simo@redhat.com>
We need to check if a mech is allowed against the desired_mechs set.
Otherwise in case the admin does not explicitly specify an allowed set
then all mechs are allowed, including NTLM. This causes annoying issues
with browsers like Firefox and Chrome/ium which end up popping up an
authentication dialog if they see NTLM is supported and they have no
Kerberos tickets around.
Authentication will then simply fail because NTLM is not actually supported.
By using desired_mechs we use a list of mechanisms the machine actually
has a chance to support in the default case.
Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
Let's celebrate with a new release which is long overdue.
Signed-off-by: Simo Sorce <simo@redhat.com>
This avoids the need to retrieve the list on every auth attempt,
and then free it every time.
Implemented by adding a server config struct and populating
it at server init with gss_indicate_mechs().
Reviewed-by: Simo Sorce <simo@redhat.com>
We need to fail only if the input was an actual set and instead we
get back GSS_C_NO_OID_SET. In all other cases we are fine.
Signed-off-by: Simo Sorce <simo@redhat.com>
This helps to detect mis-configurations early.
Configuration errors are considered fatal in apache anyway.
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Requires various python packages and the cwrap project's socket_wrapper
and nss_wrapper tools, as well as the krb5kdc and the httpd server and
related modules (like mod_session).
Signed-off-by: Simo Sorce <simo@redhat.com>
Use gss_str_to_oid so OIDs can be used to set arbitrary mechanisms in
allow lists like GssapiAllowedMech or GssapiBasicAuthMech.
Closes #46
Signed-off-by: Simo Sorce <simo@redhat.com>
Instead of acquiring creds by looping at each round, use
gss_inquire_cred_by_mech() to work around the union_name issue and
get the correct per-mechanism server name.
Closes #45
Signed-off-by: Simo Sorce <simo@redhat.com>
Check if the krb5 mechanism is present and only then set the cache; this
avoids wasteful operations if we are not even using krb5.
Signed-off-by: Simo Sorce <simo@redhat.com>
This option allows setting a different list of mechanisms to use
with Basic Auth (Basic Auth must be explicitly enabled) than the
list of mechs that are allowed with Negotiate or Raw GSSAPI Client
authentication.
Signed-off-by: Simo Sorce <simo@redhat.com>
Try each allowed mechanism explicitly in a loop, including sourcing
the server name per mechanism to ensure the proper name type is
used in the accept.
Otherwise secondary mechanisms will fail to work.
Fixes #43
Signed-off-by: Simo Sorce <simo@redhat.com>
If no explicit allowed mechanism is set in configuration just ask
GSSAPI for a list of known mechanisms and use that. Do not try to
artificially acquire credentials as ultimately all that does is
just call gss_indicate_mechs() internally.
Do not store the result of gss_indicate_mechs() on cfg->allowed_mechs
as that would lead to a leak given that cfg->allowed_mechs is allocated
on a memory pool, while gss_indicate_mechs()'s results are not.
Closes #44
Signed-off-by: Simo Sorce <simo@redhat.com>
Implemented by acquiring creds only for allowed_mechs and by
explicitly adding spnego to the allowed_mechs set (while still
restricting spnego only to the allowed mechanisms as before).
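The four commits above (using desired_mechs from gss_indicate_mechs() as the default allow set, accepting names or raw OIDs via gss_str_to_oid, failing at config time on an unsupported mech, and always accepting SPNEGO while restricting what it may negotiate) describe one selection rule. The following is an added example modelling that rule, not mod_auth_gssapi's own code: the OID constants are the well-known GSSAPI mechanism OIDs, while the function names, the short-name spellings and the sample "indicated" set are assumptions made for illustration.

```python
# Added example (not mod_auth_gssapi code): resolve an allow list of mechanism
# names or raw OIDs against what the GSSAPI library actually supports, so an
# unsupported mech such as NTLMSSP is never advertised to browsers.

# Well-known mechanism OIDs in dotted-decimal form (what gss_str_to_oid parses).
KRB5_OID = "1.2.840.113554.1.2.2"
IAKERB_OID = "1.3.6.1.5.2.5"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
SPNEGO_OID = "1.3.6.1.5.5.2"

# Short names an admin may write in GssapiAllowedMech / GssapiBasicAuthMech
# next to raw OIDs (assumed spellings for this example).
MECH_NAMES = {"krb5": KRB5_OID, "iakerb": IAKERB_OID, "ntlmssp": NTLMSSP_OID}


def str_to_oid(token):
    """Resolve one allow-list token to an OID string, accepting either a known
    short name or a dotted-decimal OID (the role gss_str_to_oid plays)."""
    if token in MECH_NAMES:
        return MECH_NAMES[token]
    parts = token.split(".")
    if len(parts) >= 2 and all(p.isdigit() for p in parts):
        return token
    raise ValueError(f"unrecognised mechanism {token!r}")


def effective_mechs(configured, indicated):
    """Return (spnego_inner, accepted).

    configured: tokens from the allow-list directive, or None when the admin
                set nothing.
    indicated:  OIDs reported by gss_indicate_mechs(), gathered once at server
                init rather than on every auth attempt.

    spnego_inner is what SPNEGO may negotiate; accepted is what the server
    takes directly on the wire, i.e. spnego_inner plus SPNEGO itself.  A
    configured mech the library cannot do is a fatal configuration error, so
    the mistake surfaces at startup instead of as a failed login later.
    """
    if configured is None:
        # Default: only what the library can actually do.  NTLMSSP shows up
        # here only if its provider is really installed, so a client will
        # never be told NTLM is supported when it is not.
        inner = {m for m in indicated if m != SPNEGO_OID}
    else:
        inner = set()
        for tok in configured:
            oid = str_to_oid(tok)
            if oid not in indicated:
                raise ValueError(f"mechanism {tok!r} is not supported by the GSSAPI library")
            if oid != SPNEGO_OID:
                inner.add(oid)
    return inner, inner | {SPNEGO_OID}


def is_mech_allowed(mech, accepted):
    """Per-request check of the mechanism OID a client offered."""
    return mech in accepted


if __name__ == "__main__":
    # Constructed sample: a host with krb5 and iakerb providers but no gss-ntlmssp.
    indicated = {KRB5_OID, IAKERB_OID, SPNEGO_OID}
    inner, accepted = effective_mechs(None, indicated)
    print("default inner:", sorted(inner))
    print("NTLMSSP allowed:", is_mech_allowed(NTLMSSP_OID, accepted))
    inner, accepted = effective_mechs(["krb5", "1.3.6.1.5.2.5"], indicated)
    print("explicit inner:", sorted(inner), "accepted:", sorted(accepted))
```

The same function serves a second directive such as GssapiBasicAuthMech: resolve its tokens with the same indicated set and keep the result separately, so Basic Auth can be restricted to a narrower list than Negotiate.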
When connection bound authentication is used, we must deny access if
basic auth is used and a request does not have the basic auth header.
Basic auth authenticates each and every request, so if it is missing
this means such a request is no longer authenticated and we should not
allow access based on our cached metadata in this case.
Closes #41
Signed-off-by: Simo Sorce <simo@redhat.com>
Consolidate and simplify AUTH BASIC Handling - Part 3.
By moving all the special operations done for auth basic into their own
segment we make the code simpler (fewer exceptions) and more readable.
Closes #39
Signed-off-by: Simo Sorce <simo@redhat.com>
Consolidate and simplify AUTH BASIC Handling - Part 2.
By moving all the special operations done for auth basic into their own
segment we make the code simpler (fewer exceptions) and more readable.
Signed-off-by: Simo Sorce <simo@redhat.com>
Consolidate and simplify AUTH BASIC Handling - Part 1.
By moving all the special operations done for auth basic into their own
segment we make the code simpler (fewer exceptions) and more readable.
Signed-off-by: Simo Sorce <simo@redhat.com>
Create a pool just for the mag_conn structure, so that we can clear up
all the memory used when a reset is necessary.
This also fixes a segfault introduced by a previous patch where we mistakenly
zeroed the whole structure including the memory pool pointer, which needs to
be preserved.
Closes #40
Signed-off-by: Simo Sorce <simo@redhat.com>
When re-using a context on a connection, a re-authentication request
may end up trying to use an established context handler to establish
a new context. This will fail with an error in GSSAPI.
Make sure to completely clean up the connection data when a brand
new authentication needs to happen so that no data is mistakenly
carried over.
Note this may leak a small amount of data, but only if authentication is
successful, so it is probably fine as is.
Closes #38
Signed-off-by: Simo Sorce <simo@redhat.com>
A previous commit mistakenly removed the jump to the end with a successful
error.
Example scenario that is fixed with this patch:
$ curl -v -u usera:passa http://myhost/ http://myhost/ --ntlm
Reviewed-by: Simo Sorce <simo@redhat.com>
Instead of using apr_pool_userdata_set(), since we don't use apr_pool_userdata_get() with the mag_conn_ptr, apr_pool_cleanup_register() seems cleaner.
Reviewed-by: Simo Sorce <simo@redhat.com>
And some other cleanup adjustments.
Except for BASIC AUTH, if a client sends an authorization header it
means it wants to re-check authentication.
So, if an authorization header is sent, go through the regular
path and do not set request variables based on the session data.
In case of Basic Auth we still use session data if user/pwd match
the stored hash.
Closes #22
Signed-off-by: Simo Sorce <simo@redhat.com>
mag_attempt_session() was being called too early.
Signed-off-by: Simo Sorce <simo@redhat.com>
When the skey is generated on the fly, we will get an empty key on the very
first auth attempt. If that uses basic auth then we'll segfault when trying
to compute the hmac as we pass in a NULL key and immediately dereference it.
Signed-off-by: Simo Sorce <simo@redhat.com>
Also fixes a segfault when mc->basic_hash.value is NULL
Signed-off-by: Simo Sorce <simo@redhat.com>
If sessions are enabled store a MAC of the password and use it to check
if the password is the same on follow-up requests. If it is, avoid the
whole gssapi dance and use the session data instead.
Signed-off-by: Simo Sorce <simo@redhat.com>
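The session-reuse rule spread over the commits above (store a MAC of the Basic Auth password, reuse the session only when a follow-up request carries the same password, take the regular path whenever a non-Basic Authorization header is sent, deny a connection-bound Basic session any request that lacks the header, generate the session key once at init, and never compute the MAC with an empty key) is shown below as one added example. It is not mod_auth_gssapi's code: the GSSAPI exchange is replaced by a stub over a constructed user table, sessions are keyed by an opaque identifier standing in for the mod_session cookie or the connection, and the class and function names are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import os

# Constructed stand-in for the real GSSAPI backend (assumption for this example).
USERS = {"usera": "passa"}


def gssapi_authenticate(user, password):
    """Stub for the expensive "gssapi dance" done on a fresh Basic login."""
    return USERS.get(user) == password


class Server:
    def __init__(self, connection_bound=False):
        # The session key is created exactly once at server init, before any
        # request is served: two simultaneous first requests cannot race to
        # create it, and forked workers all inherit the same key.
        self.skey = os.urandom(32)
        self.connection_bound = connection_bound
        self.sessions = {}  # session id -> {"user": ..., "basic_hash": ...}

    def _basic_hash(self, password):
        # Refuse to run with an unset key: with a NULL key the HMAC would
        # dereference nothing, which is the segfault described above.
        if not self.skey:
            raise RuntimeError("session key not initialised")
        return hmac.new(self.skey, password.encode(), hashlib.sha256).digest()

    def handle(self, sid, headers):
        """Serve one request for session id `sid`; return (status, user)."""
        auth = headers.get("Authorization")
        sess = self.sessions.get(sid)

        if auth is None:
            if self.connection_bound and sess is not None:
                # Basic authenticates every request, so a request without the
                # header is not authenticated: cached metadata must not grant access.
                return 401, None
            if sess is not None:
                return 200, sess["user"]
            return 401, None

        scheme, _, value = auth.partition(" ")
        if scheme != "Basic":
            # Any other Authorization header means the client wants to re-check
            # authentication: drop the session and take the regular path
            # (the Negotiate exchange itself is not modelled here).
            self.sessions.pop(sid, None)
            return 401, None

        user, _, password = base64.b64decode(value).decode().partition(":")
        h = self._basic_hash(password)
        if (sess is not None and sess["user"] == user
                and hmac.compare_digest(sess["basic_hash"], h)):
            return 200, user  # same user and password as stored: skip the GSSAPI dance
        # Different user, or a changed password: a full authentication is required,
        # and a failed one must not leave the previous session behind.
        if not gssapi_authenticate(user, password):
            self.sessions.pop(sid, None)
            return 401, None
        self.sessions[sid] = {"user": user, "basic_hash": h}
        return 200, user


def basic_header(user, password):
    """Build the Authorization header value a client would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    srv = Server(connection_bound=True)
    print(srv.handle("c1", {"Authorization": basic_header("usera", "passa")}))
    print(srv.handle("c1", {"Authorization": basic_header("usera", "passa")}))
    print(srv.handle("c1", {}))  # connection bound and header missing: denied
    print(srv.handle("c1", {"Authorization": basic_header("userb", "passa")}))
```

The comparison uses hmac.compare_digest so that the stored MAC cannot be probed byte by byte, and a second user presenting the first user's password on the same session is rejected because the stored user name must match as well as the MAC.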
Signed-off-by: Simo Sorce <simo@redhat.com>