summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Implement unique ccache namesRobbie Harwood2016-05-1810-34/+103
| | | | | | | | | | | Unique ccache names may be requested using the GssapiDelegCcacheUnique configuration option. This option is off by default. If both unique ccache names and session use are enabled, then a mechanism for removing old ccaches must be supplied. Signed-off-by: Robbie Harwood <rharwood@redhat.com> Also-authored-by: Petr Vobornik <pvoborni@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Unify copyright conventionRobbie Harwood2016-05-189-30/+9
| | | | | Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* GSS-Proxy configuration file for mod_auth_gssapiRobbie Harwood2016-05-181-0/+6
| | | | | | Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> Closes #81
* Fix APXS error "cannot determine bootstrap symbol name"Dennis Schridde2016-04-121-1/+1
| | | | | | | | | | | | | | | Maybe related to out-of-source builds? ``` test -d /target/usr/lib/apache2/modules || mkdir -p /target/usr/lib/apache2/modules /usr/bin/apxs2 -i -S LIBEXECDIR=/target/usr/lib/apache2/modules mod_auth_gssapi.la apxs:Error: Sorry, cannot determine bootstrap symbol name. apxs:Error: Please specify one with option `-n'. Makefile:725: recipe for target 'install-exec-local' failed ``` Reviewed-by: Simo Sorce <simo@redhat.com> Close #79
* Respect DESTDIR when installing Apache moduleDennis Schridde2016-04-121-2/+2
| | | | | Reviewed-by: Simo Sorce <simo@redhat.com> Close #78
* Tests: use urandom instead of randomIsaac Boukris2016-04-121-1/+1
| | | | | | | Useful when running tests on VM with low entropy Reviewed-by: Simo Sorce <simo@redhat.com> Closexs #77
* Release 1.3.2 - NEAR Shoemaker launchSimo Sorce2016-02-222-2/+5
| | | | | | | On February 17th, 1996 the NEAR Shoemaker probe is launched. The first probe to soft-land on a Near Earth Asteroid (Eros). Signed-off-by: Simo Sorce <simo@redhat.com>
* Cleanup s4u2proxy in mag_auth_basicIsaac Boukris2016-02-172-18/+7
| | | | | | | | | | | | | | It doesn't have any effect since we set GSS_C_DELEG_FLAG when we initiate client credentials so we always get delegated TGT regardless of constrained delegation. This commit is not intended to change the current behaviour. See #70 Reviewed-by: Simo Sorce <simo@redhat.com> Closes #70 Closes #72
* Add option to not send a Negotiate headersJames Groffen2016-02-177-5/+152
| | | | | | | | | | | | | | | | If negotiation was attempted but failed do not send a new Negotiate header. Useful when only one single sign on mechanism is allowed and to avoid misleading login prompts in some browsers. Added a test of the GssapiDontReauth option to the test suite. Also added SPNEGO no auth test. [SS: reworded and fixed commit subject/comment] [SS: fixed whitespace errors and 80 column wrappings] Reviewed-by: Simo Sorce <simo@redhat.com> Close #65
* Corrected two typos in the README file.James Groffen2016-02-171-2/+2
| | | | | | Reviewed-by: Simo Sorce <simo@redhat.com> Close #71
* Minor formatting changes to the README.James Groffen2016-02-031-7/+7
| | | | | | | | [Changes to original commit: removed trailing whitespace] Reviewed-by: Simo Sorce <simo@redhat.com> Closes #67
* Fix potential loop when requesting attribute data.Simo Sorce2016-01-141-1/+1
| | | | | | | | | | If this function fail we are better off abandoning the whole quest, continueing here may end us up in an infinite loop where the fucntion keeps failing w/o changing attr.more Thanks to Alejandro Perez for finding this flaw. Signed-off-by: Simo Sorce <simo@redhat.com>
* Fix build when cred store is not available.Simo Sorce2016-01-132-0/+4
| | | | | | Older distributions have versions of Kerberos that miss this feature. Signed-off-by: Simo Sorce <simo@redhat.com>
* Prevent potential null pointer dereferenceJames Groffen2016-01-111-0/+4
| | | | | | | | | | | This commit adds checks to ensure cfg->name_attributes is not null before it is used in mag_get_name_attributes. (Reworded commit message) Reviewed-by: Simo Sorce <simo@redhat.com> Close #64
* Add code to set attribute names in the environmentname_attrsSimo Sorce2015-12-035-3/+362
| | | | | | | | | | | | This code allows to specify which attributes in a name are interesting to the application and set them as named environemnt variables. Optionally the whole set of attributes can be exported in a json formatted structure. Signed-off-by: Simo Sorce <simo@redhat.com> Close #62 Close #63
* Move setting request data to a separate fileSimo Sorce2015-12-026-90/+94
| | | | | | In preparation for the next commit. Signed-off-by: Simo Sorce <simo@redhat.com>
* Negate established flag if session is expired.davisd1232015-10-051-0/+1
| | | | | | | | If the session is expired, then set established to false to force re-authentication. Reviewed-by: Simo Sorce <simo@redhat.com> Close #57
* Release 1.3.1 - Viking 2 landingSimo Sorce2015-09-032-2/+5
| | | | | | | On September 3rd, 1976 the Viking 2 lander separates from the orbiter and lands at Utopia Planitia on Mars... Signed-off-by: Simo Sorce <simo@redhat.com>
* Mention test dependencies in READMEDennis Schridde2015-09-031-0/+8
| | | | | Reviewed-by: Simo Sorce <simo@redhat.com> Closes #56
* Fix include path to asn1c for out-of-source buildsDennis Schridde2015-09-031-1/+1
| | | | | Reviewed-by: Simo Sorce <simo@redhat.com> Closes #55
* Fix bug in handling Session KeysSimo Sorce2015-09-031-1/+1
| | | | | | | | A check inversion in 86661d07812b010b8cf664c2dab596be15ff1e31 caused the specified session key to be ignored and a crash when none was specified. Signed-off-by: Simo Sorce <simo@redhat.com>
* Allow building without NTLMSSP supportSimo Sorce2015-09-033-13/+28
| | | | | | | | | | | | | If gssapi/gssapi_ntlmssp.h is not available simply disable NTLMSSP. Coauthored Signed-off-by: Dennis Schridde <dennis.schridde@uni-heidelberg.de> Signed-off-by: Simo Sorce <simo@redhat.com> Closes #52 Closes #53 Closes #54
* Update and rename README to README.mdJames Groffen2015-09-032-39/+40
| | | | | | | | | Add symlink to .md so the markdown is picked up. Updated styling and fixed a couple of typos. Simo: Changed rename into a symlink. Reworded commit message Reviewed-by: Simo Sorce <simo@redhat.com> Closes #51
* Add test for Proxy SPNEGO authIsaac Boukris2015-09-032-0/+45
| | | | | | | | | | | | | | Add appropairate authorization headers to test with SPNEGO too as discussed in #48 Requires recent version of python-gssapi module, see: https://github.com/pythongssapi/python-gssapi/pull/74 Simo: Squashed original patches in one, removed trailing whitespaces and reworded the commit message. Reviewed-by: Simo Sorce <simo@redhat.com> Closes #49
* Do not use /tmp as default for s4u2proxySimo Sorce2015-08-311-4/+14
| | | | | | | | | | The /tmp directory can lead to bugs and DoS of the apache process because any user on the system can block the creation of predictable file names. Simply error out if GssapiDelegCcacheDir is not explicitly set. Signed-off-by: Simo Sorce <simo@redhat.com>
* Allocate new keys at server startup.Simo Sorce2015-08-304-39/+44
| | | | | | | | This avoids a potential race condition if the first 2 request come in at the same time. It also avoids issues with forked apapche processes which may end up with different keys per fork. Signed-off-by: Simo Sorce <simo@redhat.com>
* Fix incorrect free() usageSimo Sorce2015-08-301-5/+1
| | | | | | | | This code has been changed to use apr pools for memory allocation, so the error path is wrong as free() is not called on malloc()ed memory anymore. Remove the calls to free(), the mempool is clean up by callers. Signed-off-by: Simo Sorce <simo@redhat.com>
* More basic-auth testsIsaac Boukris2015-08-062-0/+46
| | | | | | | | Add test for second user on the same connection with the password of the first user and without auth at all. Reviewed-by: Simo Sorce <simo@redhat.com> Closes #48
* Add test for Basic Proxy authenticationIsaac Boukris2015-08-063-1/+52
| | | | Reviewed-by: Simo Sorce <simo@redhat.com>
* Support forward proxy authenticationIsaac Boukris2015-08-062-20/+53
| | | | | | | | Proxy auth headers are a little different. Sessions cannot be used as we cannot set a cookie. Reviewed-by: Simo Sorce <simo@redhat.com>
* Add test for basic auth with two different users over the same connectionIsaac Boukris2015-08-064-5/+55
| | | | | | | Make sure each request is authenticated according to given credentials even when GssapiConnectionBound is set. Reviewed-by: Simo Sorce <simo@redhat.com>
* Avoid advertising NTLM if it isn't technically supportedIsaac Boukris2015-08-061-3/+9
| | | | | | | | | | This lets browsers to fall back to basic auth if supported (similar to 4e7967e797e5c8912a67c0de8f172bb95b5172ff). Add boolean param to is_mech_allowed which denotes whether the caller supports multiple step. Reviewed-by: Simo Sorce <simo@redhat.com>
* Fix checks on allowed mechsSimo Sorce2015-07-071-6/+6
| | | | | | | | | | | | | | We need to check if a mech is allowed against the desired_mechs set. Otherwise in case the admin does not explicitly specify an allowed set then all mechs are allowed, including NTLM. This causes annoying issues with browsers like Firefox and Chrome/ium which end up popping up an authentication dialog if they see NTLM is supported and they have no Kerberos tickets around. Authentication will then simply fail because NTLM is not actually supported. By using desired_mechs we use a list of mechanism the machine actually has a chance to support in the default case. Signed-off-by: Simo Sorce <simo@redhat.com>
* Add basic auth testSimo Sorce2015-07-043-2/+52
| | | | Signed-off-by: Simo Sorce <simo@redhat.com>
* Add test target in MakefileSimo Sorce2015-07-041-0/+3
| | | | Signed-off-by: Simo Sorce <simo@redhat.com>
* US Independence day release - 1.3.0Simo Sorce2015-07-042-2/+5
| | | | | | Let's celebrate with a new releae which is long overdue. Signed-off-by: Simo Sorce <simo@redhat.com>
* Retrieve default mechs at server initIsaac Boukris2015-06-252-34/+43
| | | | | | | | | | This avoids the need to retrieve the list on every auth attempt, and then free it every time. Implemented by adding a server config struct and populating it at server init with gss_indicate_mechs(). Reviewed-by: Simo Sorce <simo@redhat.com>
* Properly check return error when filtering mechsSimo Sorce2015-06-241-1/+4
| | | | | | | We need to fail only if the input was an actual set and instead we get back GSS_C_NO_OID_SET. In all other cases we are fine. Signed-off-by: Simo Sorce <simo@redhat.com>
* Fail server startup on bad mechanismsIsaac Boukris2015-06-241-6/+10
| | | | | | | This helps to detect mis-configurations early. Configuration errors are considered fatal in apache anyway. Reviewed-by: Simo Sorce <simo@redhat.com>
* Skip spnego filtering since we already filter itIsaac Boukris2015-06-231-6/+0
| | | | Reviewed-by: Simo Sorce <simo@redhat.com>
* Acquire server creds with given cred_usage rather than bothIsaac Boukris2015-06-231-1/+1
| | | | Reviewed-by: Simo Sorce <simo@redhat.com>
* Add initial test frameworkSimo Sorce2015-06-224-0/+446
| | | | | | | | Requires various python packages nd the cwrap project's scoket_wrapper and nss_wrapper tools, as well as the krb5kdc and the httpd server and related modules (like mod_session). Signed-off-by: Simo Sorce <simo@redhat.com>
* Support allowing arbitrary mechanismsSimo Sorce2015-06-221-21/+50
| | | | | | | | | Use gss_str_to_oid so OIDs can be used to set arbitrary mechanism in allow lists like GssapiAllowedMech or GssapiBasicAuthMech. Closes #46 Signed-off-by: Simo Sorce <simo@redhat.com>
* Acquire creds only once for basic_authSimo Sorce2015-06-221-25/+26
| | | | | | | | | | Instead of acquiring creds by looping at each round, use gss_inquire_cred_by_mech() to work around the union_name issue and get the correct per-mechanism server name. Closes #45 Signed-off-by: Simo Sorce <simo@redhat.com>
* Set krb5 ccache only if krb5 is usedSimo Sorce2015-06-211-19/+37
| | | | | | | Check if the krb5 mechanism is present and only then set the cache, this avoid wasteful operations if we are not even using krb5. Signed-off-by: Simo Sorce <simo@redhat.com>
* Add GssapiBasicAuthMech optionSimo Sorce2015-06-203-22/+157
| | | | | | | | | This option allows to set a different list of mechanisms to use with Basic Auth (Basic Auth must be explicitly enabled) than the list of mechs that are allowed with Negotiate or Raw GSSAPI Client authentication. Signed-off-by: Simo Sorce <simo@redhat.com>
* Fix Basic Auth with non-krb5 mechanismsSimo Sorce2015-06-191-55/+85
| | | | | | | | | | | Try each allowed mechanism explicitly in a loop including sourcing the server name per mechanism to insure the proper name type is used in the accept. Otherwise secondary mechanims will fail to work. Fixes #43 Signed-off-by: Simo Sorce <simo@redhat.com>
* Better handling of desired_mechsSimo Sorce2015-06-191-7/+12
| | | | | | | | | | | | | | | If no explicit allowed mechanism is set in configuration just ask GSSAPI for a list of known mechanisms and use that. Do not try to artificially acquire credentials as ultimatily all that does is just call gss_inidicate_mechs() internally. Do not store the result of gss_inidicate_mechs() on cfg->allowed_mechs as that would lead to a leak given that cfg->allowed_mechs is allocated on a memory pool, while gss_inidate_mechs()s results are not. Closes #44 Signed-off-by: Simo Sorce <simo@redhat.com>
* Enforce GssapiAllowedMech over raw gssapi mechsIsaac Boukris2015-06-191-0/+9
| | | | | | Implemented by aqcuiring creds only for allowed_mechs and by explicity adding spnego to the allowed_mechs set (while still restricting spengo only to the allowed mechanism as before).
* Always require authentication with basic authSimo Sorce2015-06-161-1/+3
| | | | | | | | | | | | When connection bound authentication is used, we must deny access if basci auth is used and a request does not have the basic auth header. Basic auth authenticate each and every request, so if it is missing this means such request is no more authenticated and we should not allow access based on our cached metadata in this case. Closes #41 Signed-off-by: Simo Sorce <simo@redhat.com>
generated by cgit (git 2.34.1) at 2025-09-26 13:32:35 +0000