| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
| |
Keys (encryption+MAC) can now be stored in apache configuration.
The key must be a base64 encoded blob of original length of 32 bytes
(16 bytes for encryption and 16 for the MAC key)
The format is:
key:<base64 blob>
|
|
|
|
|
|
|
|
|
|
|
|
| |
By setting GssapiUseSessions we enable the module to store a bearer
token with the user and gss names in the client, this way we can allow
clients to perform authentication once but then remain authenticaed
for the duration of the session or until the original credentials expire.
The Secure cookie used to store the token is encrypted using a randomly
generated AES key at process startup. This means multiple apache servers
will not be able to use the same cookie, however the client will reauth
transparently if the cookie cannot be read.
|
| |
|
| |
|
|
|
|
| |
Remove unnecessary cruft, that was only making things harder to read.
|
|
|
|
|
| |
On my system I have high UIds, without tar-pax make dist fails.
Also add other useful parameters
|
|
|
|
|
|
| |
This way the context is available for the duration of the connection.
It is also properly freed if the connection is interrupted before the context
is fully established.
|
|
|
|
|
| |
On errors mc->ctx would be left pointing at the freed context,
make sure it is cleared if we delete the context.
|
|
|
|
|
|
|
|
| |
The token was being trunkated as the total length should have been:
replen + 10
Just remove this line, apr_base64_encode() already properly terminate
the buffer.
|
| |
|
|
|
|
| |
Obey the GSSSSLOnly setting.
|
|
|
|
|
|
|
|
|
|
|
| |
This means the authentication is not repeated for every request but
is retained for the life of the connection.
This may be a security issue if a frontend proxy shares connections
between multiple users so must be used with care.
RFC 4559 warns that clients should not try SPNEGO if such a proxy
is present. Unfortuntely the RFC assumes a non-standard method to
determine if a proxy maintain separate connections.
|
|
|
|
|
|
| |
The module structure name used throughout the code didn't match the
name of the initialized structure, so the one used was always
uninitialized.
|
|
|
|
|
|
|
| |
Always preserves the received name in GSS_NAME.
In the kereberos case this will result in the environment variable
called GSS_NAME the user's principal, while REMOTE_USER will contain
the user name as mapped by the kerberos library.
|
| |
|
| |
|
| |
|
| |
|
|
Signed-off-by: Simo Sorce <simo@redhat.com>
|