Commit message

Also fixes a segfault when mc->basic_hash.value is NULL
Signed-off-by: Simo Sorce <simo@redhat.com>

If sessions are enabled store a MAC of the password and use it to check
if the password is the same on follow-up requests. If it is, avoid the
whole gssapi dance and use the session data instead.
Signed-off-by: Simo Sorce <simo@redhat.com>

Signed-off-by: Simo Sorce <simo@redhat.com>

If the original context establishment delegated credentials, set
the KRB5CCNAME variable to the proper file name for follow-up
connections that use the session to validate access.
Closes #18
Signed-off-by: Simo Sorce <simo@redhat.com>

This way changes are easier: all that is needed is to change the session.asn1
file to add or remove elements, and different session types can also be
supported at the same time.

Clients don't expect this and therefore might inappropriately reuse the
connection for another user identity (with or without creds).
This is currently more of an issue due to issue 22, for example:
curl -v http://myhost/ -u usera:passa --next http://myhost/ -u userb:passb
Closes #36
Reviewed-by: Simo Sorce <simo@redhat.com>

Seen in the wild.
Closes #35
Signed-off-by: Simo Sorce <simo@redhat.com>

Some clients may decide to use raw NTLM authentication instead
of wrapping it into a Negotiate (SPNEGO) authentication request.
If the NTLMSSP mechanism is allowed/supported then allow this request
to be processed.
Closes #23

This option allows the admin to list the mechanisms that can be used for
authentication. An empty list allows any locally supported mechanisms.

This makes the code more readable and easier to deal with.
Side effect: now we always acquire credentials
Signed-off-by: Simo Sorce <simo@redhat.com>

Some more definitions that depend on cred_store functions were
not properly ifdef-ed.
Signed-off-by: Simo Sorce <simo@redhat.com>

This function is supported only on some GSSAPI versions.
Keep it optional.
Signed-off-by: Simo Sorce <simo@redhat.com>

When S4U2Proxy is used in combination with Basic Auth, the gss_inquire_cred()
call will return the client name instead of the server name we need.
Detect this case and acquire a separate set of credentials in that case.
Fixes #28

Reviewed-by: Simo Sorce <simo@redhat.com>

The only entry point into the module DSO is the module structure itself;
use libtool's export-symbols linker trick to hide all the other global
symbols, which otherwise are potentially visible outside the module
itself (SEAL_* etc).
Reviewed-by: Simo Sorce <simo@redhat.com>

This directive is deprecated and has no effect in all httpd 2.x releases.
Reviewed-by: Simo Sorce <simo@redhat.com>

Reviewed-by: Simo Sorce <simo@redhat.com>

In httpd/APR it is best practice to assume that memory allocation always
succeeds, which simplifies module code.
APR internally calls abort() if memory allocation ever actually fails,
so in practice you cannot trigger these code paths anyway.
Reviewed-by: Simo Sorce <simo@redhat.com>

Reviewed-by: Simo Sorce <simo@redhat.com>

Controls whether to send the Persistent-Auth header, and sets it only
when necessary/appropriate.
Reviewed-by: Simo Sorce <simo@redhat.com>

Closes #16

This reverts commit e9c92795d87a316ea47f6bf37c9636e86eec57e7.
AESGCM is a neat idea but it is not really appropriate to be used in
mod_auth_gssapi because we cannot guarantee that the nonce will never be
reused. It is not very probable, and it is also not easy to force the
server to generate so many encrypted sessions to have a good chance of
a collision that I know of, but better to avoid the whole issue than
risk unforeseen cases where it may happen.

On success do not forget to send the last negotiate packet (if any)
to the client within the 200 Reply.
Fixes #21

When doing fallback basic auth, we may also want to honor the
configured directive about storing delegated credentials.
Detect if we are configured to store them and set the appropriate
init_sec_context flag that will cause the accept_sec_context call
to get valid delegated credentials for later storage.

In some cases (like during directory listing) Apache will re-run the
authentication code. Many GSSAPI mechanisms have replay detection so
we cannot simply rerun the accept_sec_context phase. Others require
multiple steps. When authentication has already been established just
implicitly consider the authentication successfully performed and
copy the user name. Otherwise fail.
If a subrequest hits a location with a different mod_auth_gssapi
configuration warn but do not error out right away.
Fixes #15

The principal name is used as a file name; any embedded path separators
are going to cause trouble if used in the file name, so we need to escape
them away. Use ~ as the escape character (~~ to escape ~ itself).
Fixes #14

Also, remove all the manual HMAC code since it is no longer needed.
The end result should be faster and stronger authenticated encryption.
Closes #12
Reviewed-by: Simo Sorce <simo@redhat.com>

It really is const memory referenced internally by MIT's gssapi.
Freeing it will cause a segfault on the next invocation.
This memory is kept in thread local storage and freed by gssapi itself
as needed.
Fixes #11

Set a per-thread Credentials Cache Name that will be thrown away once
authentication is done. This handles both an issue with stomping on
ccaches if two authentications happen in concurrent threads, as well
as issues with gss_acquire_cred_with_password() reusing the ccache
without actually performing an AS request.
Fixes #11

Untested code is broken code :(

The apr function is thread safe while the OpenSSL one depends on setting
up custom locking, which is hard in a library.

Fix GssapiDelegCcacheDir examples and add all the required options to
make GssapiUseS4U2Proxy really work.
Thanks to David Kupka for testing that highlighted these issues.

Fixes #8

Support either passing Basic Auth through to another module,
or handling it directly through gss_acquire_cred_with_password()
Fixes #8

For some reason all the necessary CFLAGS are not returned by simply
querying the CFLAGS from apxs. We also need to query EXTRA_CPPFLAGS
apparently.

We need to call APLOG_USE_MODULE() so that the module name is reported
properly in log lines, and per module logging level can be set.
Fixes #6

Use automake directives to directly invoke the apxs favored libtool,
and use APXS only to perform the final install.
Fixes #4

Drop cflags and libs options that make apxs unhappy
Closes #3

This allows the keytab to always be defined in terms of GssapiCredStore
options instead of having to set a KRB5_KTNAME variable.
Fixes Issue 2