| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
| |
Reviewed-by: Simo Sorce <simo@redhat.com>
Closes #127
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
In some cases (e.g. if you want to convey the ccname over AJP) the
request environment variable name "KRB5CCNAME" is not appropriate.
Add the GssapiDelegCcacheEnvVar option that allows the env var name
to be changed.
Fixes: https://github.com/modauthgssapi/mod_auth_gssapi/issues/123
Reviewed-by: Simo Sorce <simo@redhat.com>
Closes #124
Closes #123
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Internal redirects are a special case of subrequest - they
have no req->main but req->prev instead, so we should check
for that too in case the request is not initial.
Also, make sure to export MAG environment variables to
subrequests and internal redirects.
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Reported-by: scopev24
Closes #119
|
| |
|
|
|
|
|
|
|
|
| |
With the new 'file:' sytnax a session key can be automatically generated
the first time mod_auth_gssapi runs and stored on the filesystem.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
Closes #117
|
| |
|
|
|
|
|
|
|
| |
broken ccache name when "GssapiDelegCcacheUnique Off" (default)
Signed-off-by: Marcel Ritter <ritter.marcel@googlemail.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Closes #116
Fixes #115
|
| |
|
|
|
|
|
|
|
| |
This allows apache to set permission so that another user in the default
group can access the ccache. Useful when apache passes the request to a
process running under a different user or group id number.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
In some cases, like internal redirects, authentication is completed but our
'Persistent-Auth' header is dropped by the server because headers_out is ignored
with errors (4xx, 5xx) and internal redirects.
See: https://ci.apache.org/projects/httpd/trunk/doxygen/structrequest__rec.html#a9f49c2d5680987c0c28466ea37d41a62
This fixes #110
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Isaac Boukris <iboukris@gmail.com>
Closes #111
|
| |
|
|
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
Fixes #106
Closes #107
|
| |
|
|
|
|
|
|
| |
This work simplifies the calling code and reduces duplication.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Reviewed-by: Isaac Boukris <iboukris@gmail.com>
Close #94
|
| |
|
|
|
|
|
|
|
|
|
| |
Add the SPNEGO mech oid only if we are performing negotiate auth.
This cacthes earlier, with a hard failure, the case where a mechanism defined
on the command line is not available, by checking if there are any desired
mechs.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Isaac Boukris <iboukris@gmail.com>
Close #93
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is can be enabled on locations that are authenticated by another module
to obtain a ticket for the user, so that the application gets access to
krb5 credentials and all named attributes for the client.
The service needs to be authorized by the KDC if there is the need to use
credentials for further ticket acquisition by setting the
ok_to_auth_as_delegate flag on the service principal. This will provide a
forwardable ticket that can be used to obtain additional tickets via consrained
delegation (also subkect to KDC access control).
Signed-off-by: Jan Pazdziora <jpazdziora@redhat.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
Close #92
|
| |
|
|
|
|
|
|
|
| |
This will be used in a following patch that perform gssapi operations
using a different path but need to perform the same bookj keeping as the
main auth path.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Jan Pazdziora <jpazdziora@redhat.com>
|
| |
|
|
|
|
|
|
| |
On Apache 2.4 this method is deprecated, use the recommended hook.
Signed-off-by: Jan Pazdziora <jpazdziora@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Close #84
|
| |
|
|
|
|
|
|
|
|
|
| |
Unique ccache names may be requested using the GssapiDelegCcacheUnique
configuration option. This option is off by default. If both unique
ccache names and session use are enabled, then a mechanism for removing
old ccaches must be supplied.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Also-authored-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
| |
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
It doesn't have any effect since we set GSS_C_DELEG_FLAG
when we initiate client credentials so we always get
delegated TGT regardless of constrained delegation.
This commit is not intended to change the current behaviour.
See #70
Reviewed-by: Simo Sorce <simo@redhat.com>
Closes #70
Closes #72
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If negotiation was attempted but failed do not send a new Negotiate header.
Useful when only one single sign on mechanism is allowed and to avoid
misleading login prompts in some browsers.
Added a test of the GssapiDontReauth option to the test suite.
Also added SPNEGO no auth test.
[SS: reworded and fixed commit subject/comment]
[SS: fixed whitespace errors and 80 column wrappings]
Reviewed-by: Simo Sorce <simo@redhat.com>
Close #65
|
| |
|
|
|
|
| |
Older distributions have versions of Kerberos that miss this feature.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This code allows to specify which attributes in a name are interesting
to the application and set them as named environemnt variables.
Optionally the whole set of attributes can be exported in a json
formatted structure.
Signed-off-by: Simo Sorce <simo@redhat.com>
Close #62
Close #63
|
| |
|
|
|
|
| |
In preparation for the next commit.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
| |
A check inversion in 86661d07812b010b8cf664c2dab596be15ff1e31 caused
the specified session key to be ignored and a crash when none was
specified.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
If gssapi/gssapi_ntlmssp.h is not available simply disable NTLMSSP.
Coauthored
Signed-off-by: Dennis Schridde <dennis.schridde@uni-heidelberg.de>
Signed-off-by: Simo Sorce <simo@redhat.com>
Closes #52
Closes #53
Closes #54
|
| |
|
|
|
|
|
|
|
|
| |
The /tmp directory can lead to bugs and DoS of the apache process
because any user on the system can block the creation of predictable
file names.
Simply error out if GssapiDelegCcacheDir is not explicitly set.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
| |
This avoids a potential race condition if the first 2 request come in at the
same time. It also avoids issues with forked apapche processes which may end
up with different keys per fork.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
| |
Proxy auth headers are a little different.
Sessions cannot be used as we cannot set a cookie.
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
This lets browsers to fall back to basic auth if supported
(similar to 4e7967e797e5c8912a67c0de8f172bb95b5172ff).
Add boolean param to is_mech_allowed which denotes whether
the caller supports multiple step.
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
We need to check if a mech is allowed against the desired_mechs set.
Otherwise in case the admin does not explicitly specify an allowed set
then all mechs are allowed, including NTLM. This causes annoying issues
with browsers like Firefox and Chrome/ium which end up popping up an
authentication dialog if they see NTLM is supported and they have no
Kerberos tickets around.
Authentication will then simply fail because NTLM is not actually supported.
By using desired_mechs we use a list of mechanism the machine actually
has a chance to support in the default case.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
This avoids the need to retrieve the list on every auth attempt,
and then free it every time.
Implemented by adding a server config struct and populating
it at server init with gss_indicate_mechs().
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
| |
We need to fail only if the input was an actual set and instead we
get back GSS_C_NO_OID_SET. In all other cases we are fine.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
| |
This helps to detect mis-configurations early.
Configuration errors are considered fatal in apache anyway.
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
| |
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
| |
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Use gss_str_to_oid so OIDs can be used to set arbitrary mechanism in
allow lists like GssapiAllowedMech or GssapiBasicAuthMech.
Closes #46
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Instead of acquiring creds by looping at each round, use
gss_inquire_cred_by_mech() to work around the union_name issue and
get the correct per-mechanism server name.
Closes #45
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
| |
Check if the krb5 mechanism is present and only then set the cache, this
avoid wasteful operations if we are not even using krb5.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
This option allows to set a different list of mechanisms to use
with Basic Auth (Basic Auth must be explicitly enabled) than the
list of mechs that are allowed with Negotiate or Raw GSSAPI Client
authentication.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Try each allowed mechanism explicitly in a loop including sourcing
the server name per mechanism to insure the proper name type is
used in the accept.
Otherwise secondary mechanims will fail to work.
Fixes #43
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If no explicit allowed mechanism is set in configuration just ask
GSSAPI for a list of known mechanisms and use that. Do not try to
artificially acquire credentials as ultimatily all that does is
just call gss_inidicate_mechs() internally.
Do not store the result of gss_inidicate_mechs() on cfg->allowed_mechs
as that would lead to a leak given that cfg->allowed_mechs is allocated
on a memory pool, while gss_inidate_mechs()s results are not.
Closes #44
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
| |
Implemented by aqcuiring creds only for allowed_mechs and by
explicity adding spnego to the allowed_mechs set (while still
restricting spengo only to the allowed mechanism as before).
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When connection bound authentication is used, we must deny access if
basci auth is used and a request does not have the basic auth header.
Basic auth authenticate each and every request, so if it is missing
this means such request is no more authenticated and we should not
allow access based on our cached metadata in this case.
Closes #41
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Consolidate and simplify AUTH BASIC Handling - Part 3.
By moving all the special operation one for auth basic into its own
segment we make the code simpler (less exceptions) and more readable.
Closes #39
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Consolidate and simplify AUTH BASIC Handling - Part 2.
By moving all the special operation one for auth basic into its own
segment we make the code simpler (less exceptions) and more readable.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Consolidate and simplify AUTH BASIC Handling - Part 1.
By moving all the special operation one for auth basic into its own
segment we make the code simpler (less exceptions) and more readable.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Create a pool just for the mag_conn structure, so that we can clear up
all the memory used when a reset is necessary.
This also fixes a segfault introduced by a previous patch where we mistakenly
zeroed the whole structure including the memory pool pointer, which needs to
be preserved.
Closes #40
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When re-using a context on a connection, a re-authentication request
may end up trying to use an established context handler to establish
a new context. This will fail with an error in GSSAPI.
Make sure to completely clean up the connection data when a brand
new authentication needs to happen so that no data is mistakenly
carried over.
Note this may leak a small amount of data, but only if authentication is
successful, so it is probably fine as is.
Closes #38
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
A previous commit mistakenly removed the jump to the end with a successful
error.
Example scenario that is fixed with this patch:
$ curl -v -u usera:passa http://myhost/ http://myhost/ --ntlm
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
| |
Instead of using apr_pool_userdata_set() since we don't use apr_pool_userdata_get() with the mag_conn_ptr apr_pool_cleanup_register() seem cleaner.
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
| |
And some other cleanup adjusments.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Except for BASIC AUTH, if a client send an authorization header it
means it wants to re-check authentication.
So, if an authorization header is sent, go through the regular
path and do not set request variables based on the session data.
In case of Basic Auth we still use session data if user/pwd match
the stored hash.
Closes #22
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
| |
mag_attempt_session() was being called too early.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
