| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
| |
Reviewed-by: Simo Sorce <simo@redhat.com>
Closes #127
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
In some cases (e.g. if you want to convey the ccname over AJP) the
request environment variable name "KRB5CCNAME" is not appropriate.
Add the GssapiDelegCcacheEnvVar option that allows the env var name
to be changed.
Fixes: https://github.com/modauthgssapi/mod_auth_gssapi/issues/123
Reviewed-by: Simo Sorce <simo@redhat.com>
Closes #124
Closes #123
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Internal redirects are a special case of subrequest - they
have no req->main but req->prev instead, so we should check
for that too in case the request is not initial.
Also, make sure to export MAG environment variables to
subrequests and internal redirects.
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Reported-by: scopev24
Closes #119
|
| |
|
|
|
|
|
|
|
| |
This allows apache to set permission so that another user in the default
group can access the ccache. Useful when apache passes the request to a
process running under a different user or group id number.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is can be enabled on locations that are authenticated by another module
to obtain a ticket for the user, so that the application gets access to
krb5 credentials and all named attributes for the client.
The service needs to be authorized by the KDC if there is the need to use
credentials for further ticket acquisition by setting the
ok_to_auth_as_delegate flag on the service principal. This will provide a
forwardable ticket that can be used to obtain additional tickets via consrained
delegation (also subkect to KDC access control).
Signed-off-by: Jan Pazdziora <jpazdziora@redhat.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
Close #92
|
| |
|
|
|
|
|
|
|
|
|
| |
Unique ccache names may be requested using the GssapiDelegCcacheUnique
configuration option. This option is off by default. If both unique
ccache names and session use are enabled, then a mechanism for removing
old ccaches must be supplied.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Also-authored-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
| |
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If negotiation was attempted but failed do not send a new Negotiate header.
Useful when only one single sign on mechanism is allowed and to avoid
misleading login prompts in some browsers.
Added a test of the GssapiDontReauth option to the test suite.
Also added SPNEGO no auth test.
[SS: reworded and fixed commit subject/comment]
[SS: fixed whitespace errors and 80 column wrappings]
Reviewed-by: Simo Sorce <simo@redhat.com>
Close #65
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This code allows to specify which attributes in a name are interesting
to the application and set them as named environemnt variables.
Optionally the whole set of attributes can be exported in a json
formatted structure.
Signed-off-by: Simo Sorce <simo@redhat.com>
Close #62
Close #63
|
| |
|
|
|
|
| |
In preparation for the next commit.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
If gssapi/gssapi_ntlmssp.h is not available simply disable NTLMSSP.
Coauthored
Signed-off-by: Dennis Schridde <dennis.schridde@uni-heidelberg.de>
Signed-off-by: Simo Sorce <simo@redhat.com>
Closes #52
Closes #53
Closes #54
|
| |
|
|
|
|
|
|
| |
This avoids a potential race condition if the first 2 request come in at the
same time. It also avoids issues with forked apapche processes which may end
up with different keys per fork.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
| |
Proxy auth headers are a little different.
Sessions cannot be used as we cannot set a cookie.
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
This avoids the need to retrieve the list on every auth attempt,
and then free it every time.
Implemented by adding a server config struct and populating
it at server init with gss_indicate_mechs().
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
This option allows to set a different list of mechanisms to use
with Basic Auth (Basic Auth must be explicitly enabled) than the
list of mechs that are allowed with Negotiate or Raw GSSAPI Client
authentication.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Create a pool just for the mag_conn structure, so that we can clear up
all the memory used when a reset is necessary.
This also fixes a segfault introduced by a previous patch where we mistakenly
zeroed the whole structure including the memory pool pointer, which needs to
be preserved.
Closes #40
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
| |
If sessions are enbled store a MAC of the password and use it to check
if the password is the same on follow-up requests. If it is, avoid the
whole gssapi dance and use the session data instead.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
If the original context establishment delegated credentials, set
the KRB5CCNAME variable to the proper file name for follow up
connections that uses the session to validate access.
Closes #18
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Some clients may decide to use raw NTLM authentication instead
of wrapping it into a Negotiate (SPNEGO) authentication request.
If the NTLMSSP mechanism is allowed/supported then allow this request
to be processed.
Closes #23
|
| |
|
|
|
| |
This option allows the admin to list the mechanisms that can be used for
authentication. An empty list allows any locally supported mechanisms.
|
| |
|
|
|
|
|
| |
Some more definitions that depend on cred_store functions were
not properly ifdef-ed
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
| |
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
| |
Controls whether to send the Persistent-Auth header, and sets it only
when necessary/appropriate
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Set a per-thread Credentials Cache Name that will be thrown away once
authentication is done. This handles both an issue with stomping on
ccaches if two authentications happen in concurrent threads, as well
as issues with gss_acquire_cred_with_password() reusing the ccache
without actually performing an AS request.
Fixes #11
|
| |
|
|
| |
Fixes #8
|
| |
|
|
|
|
|
| |
Support either passing Basic Auth Through to another module,
or handling it directly through gss_acquire_cred_with_password()
Fixes #8
|
| |
|
|
|
|
|
|
|
|
| |
SU2Proxy support is enabled when GssapiUseS4U2Proxy is set to On
When S4U2Proxy is enabled GssapiDelegCcacheDir is used to determine
where delegated credentials are stored. The ccache type used is always
of type FILE and is located in the provided directory (defaults to /tmp).
The credentials are stored in a file named after the client credentials
so the directory SHOUL NOT be world writeable if a mutiuser system is
used as ccache file names are predictable.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
By setting GssapiUseSessions we enable the module to store a bearer
token with the user and gss names in the client, this way we can allow
clients to perform authentication once but then remain authenticaed
for the duration of the session or until the original credentials expire.
The Secure cookie used to store the token is encrypted using a randomly
generated AES key at process startup. This means multiple apache servers
will not be able to use the same cookie, however the client will reauth
transparently if the cookie cannot be read.
|
|
|
Move all includes into it and also include config.h which was missing
causing some ifdefed code not to be compiled.
Also address includes conflict between httpd.h and config.h and the
PACKAGE_* variables.
|
