| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
| |
This resolves an issue where the session cookie would not be populated
when sesions were used but unique ccaches were not.
Based on a report from Bhagavan Das.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Closes #98
|
| |
|
|
|
|
|
|
|
| |
Set the session and cookie expiration to the mod_session SessionMaxAge
expiry time, if it is shorter than the credential lifetime.
Signed-off-by: Matt Rogers <mrogers@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Closes #82
|
| |
|
|
|
|
|
|
|
|
|
| |
Unique ccache names may be requested using the GssapiDelegCcacheUnique
configuration option. This option is off by default. If both unique
ccache names and session use are enabled, then a mechanism for removing
old ccaches must be supplied.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Also-authored-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
| |
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
| |
In preparation for the next commit.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
| |
If the session is expired, then set established to false to
force re-authentication.
Reviewed-by: Simo Sorce <simo@redhat.com>
Close #57
|
| |
|
|
|
|
|
|
| |
This avoids a potential race condition if the first 2 request come in at the
same time. It also avoids issues with forked apapche processes which may end
up with different keys per fork.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Create a pool just for the mag_conn structure, so that we can clear up
all the memory used when a reset is necessary.
This also fixes a segfault introduced by a previous patch where we mistakenly
zeroed the whole structure including the memory pool pointer, which needs to
be preserved.
Closes #40
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
| |
When the skey is generated on the fly, we will get an empty key on the very
first auth attempt. If that uses basic auth then we'll segfault when trying
to compute the hmac as we pass in a NULL key and immediately dereference it.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
| |
Also fixes a segfault when mc->basic_hash.value is NULL
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
| |
If sessions are enbled store a MAC of the password and use it to check
if the password is the same on follow-up requests. If it is, avoid the
whole gssapi dance and use the session data instead.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
If the original context establishment delegated credentials, set
the KRB5CCNAME variable to the proper file name for follow up
connections that uses the session to validate access.
Closes #18
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
| |
This way changes are easier, all is needed is to change the session.asn1
file to add or remove elements, and different session types can also be
supported at the same time.
|
| |
|
|
|
|
|
| |
We need to call APLOG_USE_MODULE() so that the module name is reported
properly in log lines, and per module logging level can be set.
Fixes #6
|
| |
|
|
|
|
|
|
|
| |
Keys (encryption+MAC) can now be stored in apache configuration.
The key must be a base64 encoded blob of original length of 32 bytes
(16 bytes for encryption and 16 for the MAC key)
The format is:
key:<base64 blob>
|
|
|
By setting GssapiUseSessions we enable the module to store a bearer
token with the user and gss names in the client, this way we can allow
clients to perform authentication once but then remain authenticaed
for the duration of the session or until the original credentials expire.
The Secure cookie used to store the token is encrypted using a randomly
generated AES key at process startup. This means multiple apache servers
will not be able to use the same cookie, however the client will reauth
transparently if the cookie cannot be read.
|
