Commit message | Author | Age | Files | Lines
* Ensure the asn1 definitions are in the tarball | Simo Sorce | 2016-06-15 | 1 | -0/+2
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Close #95
* Move context loops to a helper function | Simo Sorce | 2016-06-15 | 1 | -110/+72
  This work simplifies the calling code and reduces duplication.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Isaac Boukris <iboukris@gmail.com>
  Close #94
* Postpone adding spnego mech to mech list | Simo Sorce | 2016-06-09 | 1 | -23/+65
  Add the SPNEGO mech oid only if we are performing negotiate auth. This catches earlier, with a hard failure, the case where a mechanism defined on the command line is not available, by checking if there are any desired mechs.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Isaac Boukris <iboukris@gmail.com>
  Close #93
* Add support for GssapiImpersonate. | Jan Pazdziora | 2016-06-09 | 3 | -1/+173
  This can be enabled on locations that are authenticated by another module to obtain a ticket for the user, so that the application gets access to krb5 credentials and all named attributes for the client. The service needs to be authorized by the KDC if there is the need to use credentials for further ticket acquisition by setting the ok_to_auth_as_delegate flag on the service principal. This will provide a forwardable ticket that can be used to obtain additional tickets via constrained delegation (also subject to KDC access control).
  Signed-off-by: Jan Pazdziora <jpazdziora@redhat.com>
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Close #92
* Split the book keeping operations into a function | Simo Sorce | 2016-06-09 | 1 | -48/+66
  This will be used in a following patch that performs gssapi operations using a different path but needs to perform the same book keeping as the main auth path.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Jan Pazdziora <jpazdziora@redhat.com>
* Fix cred cache detection | Simo Sorce | 2016-06-09 | 1 | -3/+6
  The stat call was not using the full path name, therefore it was always failing.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Jan Pazdziora <jpazdziora@redhat.com>
  Close #91
* Fix function name spelling | Simo Sorce | 2016-06-09 | 1 | -2/+2
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Jan Pazdziora <jpazdziora@redhat.com>
  Close #90
* Additional python modules are needed. | Jan Pazdziora | 2016-06-06 | 1 | -1/+2
  Failed imports were found in tracebacks in ./scratchdir/tests.log.
  Signed-off-by: Jan Pazdziora <jpazdziora@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Close #89
* The distribution does not ship ./configure, generate it. | Jan Pazdziora | 2016-06-06 | 1 | -0/+1
  Signed-off-by: Jan Pazdziora <jpazdziora@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Close #88
* Clarify make test dependencies. | Jan Pazdziora | 2016-06-02 | 1 | -3/+5
  Signed-off-by: Jan Pazdziora <jpazdziora@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Close #85
* Do not use ap_hook_check_user_id on Apache 2.4 | Jan Pazdziora | 2016-06-02 | 1 | -0/+5
  On Apache 2.4 this method is deprecated; use the recommended hook.
  Signed-off-by: Jan Pazdziora <jpazdziora@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Close #84
* Obey SessionMaxAge for session expiration | Matt Rogers | 2016-05-25 | 1 | -0/+6
  Set the session and cookie expiration to the mod_session SessionMaxAge expiry time, if it is shorter than the credential lifetime.
  Signed-off-by: Matt Rogers <mrogers@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Closes #82
* Add example script for ccache cleaning to contrib | Robbie Harwood | 2016-05-18 | 1 | -0/+66
  Signed-off-by: Robbie Harwood <rharwood@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Closes #80
* Implement unique ccache names | Robbie Harwood | 2016-05-18 | 10 | -34/+103
  Unique ccache names may be requested using the GssapiDelegCcacheUnique configuration option. This option is off by default. If both unique ccache names and session use are enabled, then a mechanism for removing old ccaches must be supplied.
  Signed-off-by: Robbie Harwood <rharwood@redhat.com>
  Also-authored-by: Petr Vobornik <pvoborni@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* Unify copyright convention | Robbie Harwood | 2016-05-18 | 9 | -30/+9
  Signed-off-by: Robbie Harwood <rharwood@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* GSS-Proxy configuration file for mod_auth_gssapi | Robbie Harwood | 2016-05-18 | 1 | -0/+6
  Signed-off-by: Robbie Harwood <rharwood@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Closes #81
* Fix APXS error "cannot determine bootstrap symbol name" | Dennis Schridde | 2016-04-12 | 1 | -1/+1
  Maybe related to out-of-source builds?
  ```
  test -d /target/usr/lib/apache2/modules || mkdir -p /target/usr/lib/apache2/modules
  /usr/bin/apxs2 -i -S LIBEXECDIR=/target/usr/lib/apache2/modules mod_auth_gssapi.la
  apxs:Error: Sorry, cannot determine bootstrap symbol name.
  apxs:Error: Please specify one with option `-n'.
  Makefile:725: recipe for target 'install-exec-local' failed
  ```
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Close #79
* Respect DESTDIR when installing Apache module | Dennis Schridde | 2016-04-12 | 1 | -2/+2
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Close #78
* Tests: use urandom instead of random | Isaac Boukris | 2016-04-12 | 1 | -1/+1
  Useful when running tests on a VM with low entropy
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Closes #77
* Release 1.3.2 - NEAR Shoemaker launch | Simo Sorce | 2016-02-22 | 2 | -2/+5
  On February 17th, 1996 the NEAR Shoemaker probe is launched. The first probe to soft-land on a Near Earth Asteroid (Eros).
  Signed-off-by: Simo Sorce <simo@redhat.com>
* Cleanup s4u2proxy in mag_auth_basic | Isaac Boukris | 2016-02-17 | 2 | -18/+7
  It doesn't have any effect since we set GSS_C_DELEG_FLAG when we initiate client credentials, so we always get a delegated TGT regardless of constrained delegation. This commit is not intended to change the current behaviour. See #70
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Closes #70
  Closes #72
* Add option to not send a Negotiate header | James Groffen | 2016-02-17 | 7 | -5/+152
  If negotiation was attempted but failed, do not send a new Negotiate header. Useful when only one single sign on mechanism is allowed and to avoid misleading login prompts in some browsers. Added a test of the GssapiDontReauth option to the test suite. Also added SPNEGO no auth test.
  [SS: reworded and fixed commit subject/comment]
  [SS: fixed whitespace errors and 80 column wrappings]
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Close #65
* Corrected two typos in the README file. | James Groffen | 2016-02-17 | 1 | -2/+2
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Close #71
* Minor formatting changes to the README. | James Groffen | 2016-02-03 | 1 | -7/+7
  [Changes to original commit: removed trailing whitespace]
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Closes #67
* Fix potential loop when requesting attribute data. | Simo Sorce | 2016-01-14 | 1 | -1/+1
  If this function fails we are better off abandoning the whole quest; continuing here may end us up in an infinite loop where the function keeps failing w/o changing attr.more
  Thanks to Alejandro Perez for finding this flaw.
  Signed-off-by: Simo Sorce <simo@redhat.com>
* Fix build when cred store is not available. | Simo Sorce | 2016-01-13 | 2 | -0/+4
  Older distributions have versions of Kerberos that miss this feature.
  Signed-off-by: Simo Sorce <simo@redhat.com>
* Prevent potential null pointer dereference | James Groffen | 2016-01-11 | 1 | -0/+4
  This commit adds checks to ensure cfg->name_attributes is not null before it is used in mag_get_name_attributes.
  (Reworded commit message)
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Close #64
* Add code to set attribute names in the environment [name_attrs] | Simo Sorce | 2015-12-03 | 5 | -3/+362
  This code allows specifying which attributes in a name are interesting to the application and setting them as named environment variables. Optionally the whole set of attributes can be exported in a json formatted structure.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Close #62
  Close #63
* Move setting request data to a separate file | Simo Sorce | 2015-12-02 | 6 | -90/+94
  In preparation for the next commit.
  Signed-off-by: Simo Sorce <simo@redhat.com>
* Negate established flag if session is expired. | davisd123 | 2015-10-05 | 1 | -0/+1
  If the session is expired, then set established to false to force re-authentication.
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Close #57
* Release 1.3.1 - Viking 2 landing | Simo Sorce | 2015-09-03 | 2 | -2/+5
  On September 3rd, 1976 the Viking 2 lander separates from the orbiter and lands at Utopia Planitia on Mars...
  Signed-off-by: Simo Sorce <simo@redhat.com>
* Mention test dependencies in README | Dennis Schridde | 2015-09-03 | 1 | -0/+8
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Closes #56
* Fix include path to asn1c for out-of-source builds | Dennis Schridde | 2015-09-03 | 1 | -1/+1
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Closes #55
* Fix bug in handling Session Keys | Simo Sorce | 2015-09-03 | 1 | -1/+1
  A check inversion in 86661d07812b010b8cf664c2dab596be15ff1e31 caused the specified session key to be ignored and a crash when none was specified.
  Signed-off-by: Simo Sorce <simo@redhat.com>
* Allow building without NTLMSSP support | Simo Sorce | 2015-09-03 | 3 | -13/+28
  If gssapi/gssapi_ntlmssp.h is not available simply disable NTLMSSP.
  Coauthored Signed-off-by: Dennis Schridde <dennis.schridde@uni-heidelberg.de>
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Closes #52
  Closes #53
  Closes #54
* Update and rename README to README.md | James Groffen | 2015-09-03 | 2 | -39/+40
  Add symlink to .md so the markdown is picked up. Updated styling and fixed a couple of typos.
  Simo: Changed rename into a symlink. Reworded commit message
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Closes #51
* Add test for Proxy SPNEGO auth | Isaac Boukris | 2015-09-03 | 2 | -0/+45
  Add appropriate authorization headers to test with SPNEGO too as discussed in #48
  Requires a recent version of python-gssapi module, see: https://github.com/pythongssapi/python-gssapi/pull/74
  Simo: Squashed original patches in one, removed trailing whitespaces and reworded the commit message.
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Closes #49
* Do not use /tmp as default for s4u2proxy | Simo Sorce | 2015-08-31 | 1 | -4/+14
  The /tmp directory can lead to bugs and DoS of the apache process because any user on the system can block the creation of predictable file names. Simply error out if GssapiDelegCcacheDir is not explicitly set.
  Signed-off-by: Simo Sorce <simo@redhat.com>
* Allocate new keys at server startup. | Simo Sorce | 2015-08-30 | 4 | -39/+44
  This avoids a potential race condition if the first 2 requests come in at the same time. It also avoids issues with forked apache processes which may end up with different keys per fork.
  Signed-off-by: Simo Sorce <simo@redhat.com>
* Fix incorrect free() usage | Simo Sorce | 2015-08-30 | 1 | -5/+1
  This code has been changed to use apr pools for memory allocation, so the error path is wrong as free() is not called on malloc()ed memory anymore. Remove the calls to free(); the mempool is cleaned up by callers.
  Signed-off-by: Simo Sorce <simo@redhat.com>
* More basic-auth tests | Isaac Boukris | 2015-08-06 | 2 | -0/+46
  Add test for second user on the same connection with the password of the first user and without auth at all.
  Reviewed-by: Simo Sorce <simo@redhat.com>
  Closes #48
* Add test for Basic Proxy authentication | Isaac Boukris | 2015-08-06 | 3 | -1/+52
  Reviewed-by: Simo Sorce <simo@redhat.com>
* Support forward proxy authentication | Isaac Boukris | 2015-08-06 | 2 | -20/+53
  Proxy auth headers are a little different. Sessions cannot be used as we cannot set a cookie.
  Reviewed-by: Simo Sorce <simo@redhat.com>
* Add test for basic auth with two different users over the same connection | Isaac Boukris | 2015-08-06 | 4 | -5/+55
  Make sure each request is authenticated according to given credentials even when GssapiConnectionBound is set.
  Reviewed-by: Simo Sorce <simo@redhat.com>
* Avoid advertising NTLM if it isn't technically supported | Isaac Boukris | 2015-08-06 | 1 | -3/+9
  This lets browsers fall back to basic auth if supported (similar to 4e7967e797e5c8912a67c0de8f172bb95b5172ff). Add boolean param to is_mech_allowed which denotes whether the caller supports multiple step.
  Reviewed-by: Simo Sorce <simo@redhat.com>
* Fix checks on allowed mechs | Simo Sorce | 2015-07-07 | 1 | -6/+6
  We need to check if a mech is allowed against the desired_mechs set. Otherwise, in case the admin does not explicitly specify an allowed set, all mechs are allowed, including NTLM. This causes annoying issues with browsers like Firefox and Chrome/ium which end up popping up an authentication dialog if they see NTLM is supported and they have no Kerberos tickets around. Authentication will then simply fail because NTLM is not actually supported. By using desired_mechs we use a list of mechanisms the machine actually has a chance to support in the default case.
  Signed-off-by: Simo Sorce <simo@redhat.com>
* Add basic auth test | Simo Sorce | 2015-07-04 | 3 | -2/+52
  Signed-off-by: Simo Sorce <simo@redhat.com>
* Add test target in Makefile | Simo Sorce | 2015-07-04 | 1 | -0/+3
  Signed-off-by: Simo Sorce <simo@redhat.com>
* US Independence day release - 1.3.0 | Simo Sorce | 2015-07-04 | 2 | -2/+5
  Let's celebrate with a new release which is long overdue.
  Signed-off-by: Simo Sorce <simo@redhat.com>
* Retrieve default mechs at server init | Isaac Boukris | 2015-06-25 | 2 | -34/+43
  This avoids the need to retrieve the list on every auth attempt, and then free it every time. Implemented by adding a server config struct and populating it at server init with gss_indicate_mechs().
  Reviewed-by: Simo Sorce <simo@redhat.com>