summaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* Use apr function for random bytesbasic_authSimo Sorce2015-03-101-3/+3
| | | | | The apr function is thread safe while the OpenSSL one depdns on setting up custom locking, which is hard in a library.
* Remove forward basic auth and fix docsSimo Sorce2015-03-062-31/+7
| | | | Fixes #8
* Add support for handling Basic AuthSimo Sorce2015-03-052-13/+171
| | | | | | | Support either passing Basic Auth Through to another module, or handling it directly through gss_acquire_cred_with_password() Fixes #8
* Do not leak acquired_credSimo Sorce2015-03-051-0/+1
|
* Replace block size constants with actual block sizeNathaniel McCallum2015-02-031-6/+7
|
* Fix error message copy&paste errorwipSimo Sorce2014-10-211-1/+1
|
* Properly initialize loggingSimo Sorce2014-10-132-0/+4
| | | | | | | We need to call APLOG_USE_MODULE() so that the module name is reported properly in log lines, and per module logging level can be set. Fixes #6
* Attempt to use sessions only when they are enabledSimo Sorce2014-10-131-2/+6
|
* Change the modules build processSimo Sorce2014-09-111-3/+14
| | | | | | | USe automake directives to directly invoke the apxs favored libtool, and use APXS only to perform the final install. Fixes #4
* Include only necessary libs when calling apxsSimo Sorce2014-08-291-1/+1
| | | | | | Drop cflags and libs options that make apxs unhappy Closes #3
* Fix GssapiCredStore usageSimo Sorce2014-08-261-1/+5
| | | | | | | This allows to always define the keytab in terms of GssapiCredStore options instead of having to set a KRB5_KTNAME variable. Fixes Issue 2
* Announce module name and version in the server signatureAlexander Bokovoy2014-08-141-0/+2
|
* GssapiLocalName is about translating principals to local usernamesAlexander Bokovoy2014-08-141-1/+1
| | | | Fix wrong description
* Suppress -Werror=format-security errorsSimo Sorce2014-08-121-5/+5
|
* Quick and dirty fix for make distSimo Sorce2014-08-111-0/+2
|
* Add S4U2Proxy supports4u2proxySimo Sorce2014-07-202-21/+127
| | | | | | | | | | SU2Proxy support is enabled when GssapiUseS4U2Proxy is set to On When S4U2Proxy is enabled GssapiDelegCcacheDir is used to determine where delegated credentials are stored. The ccache type used is always of type FILE and is located in the provided directory (defaults to /tmp). The credentials are stored in a file named after the client credentials so the directory SHOUL NOT be world writeable if a mutiuser system is used as ccache file names are predictable.
* Add permanent session keys supportSimo Sorce2014-07-104-26/+87
| | | | | | | | | Keys (encryption+MAC) can now be stored in apache configuration. The key must be a base64 encoded blob of original length of 32 bytes (16 bytes for encryption and 16 for the MAC key) The format is: key:<base64 blob>
* Add mod_session supportSimo Sorce2014-07-107-23/+493
| | | | | | | | | | | | By setting GssapiUseSessions we enable the module to store a bearer token with the user and gss names in the client, this way we can allow clients to perform authentication once but then remain authenticaed for the duration of the session or until the original credentials expire. The Secure cookie used to store the token is encrypted using a randomly generated AES key at process startup. This means multiple apache servers will not be able to use the same cookie, however the client will reauth transparently if the cookie cannot be read.
* Add mod_auth_gssapi.hSimo Sorce2014-07-102-20/+34
| | | | | | | Move all includes into it and also include config.h which was missing causing some ifdefed code not to be compiled. Also address includes conflict between httpd.h and config.h and the PACKAGE_* variables.
* Fix typoSimo Sorce2014-04-241-1/+1
|
* Use more readable configuration option names.Simo Sorce2014-04-211-9/+9
|
* Simplify configure.ac and makefile.am filesSimo Sorce2014-04-151-21/+5
| | | | Remove unnecessary cruft, that was only making things harder to read.
* Set context data on the pool with a destructorSimo Sorce2014-04-151-7/+20
| | | | | | This way the context is available for the duration of the connection. It is also properly freed if the connection is interrupted before the context is fully established.
* Fix use after freeSimo Sorce2014-04-121-8/+19
| | | | | On errors mc->ctx would be left pointing at the freed context, make sure it is cleared if we delete the context.
* Fix base64 encoding of tokensSimo Sorce2014-04-121-1/+0
| | | | | | | | The token was being trunkated as the total length should have been: replen + 10 Just remove this line, apr_base64_encode() already properly terminate the buffer.
* Register optional functionsSimo Sorce2014-04-121-2/+13
|
* Implement checking for TLS connectionsSimo Sorce2014-03-131-2/+18
| | | | Obey the GSSSSLOnly setting.
* Allow context to be attached to the connectionSimo Sorce2014-03-091-18/+83
| | | | | | | | | | | This means the authentication is not repeated for every request but is retained for the life of the connection. This may be a security issue if a frontend proxy shares connections between multiple users so must be used with care. RFC 4559 warns that clients should not try SPNEGO if such a proxy is present. Unfortuntely the RFC assumes a non-standard method to determine if a proxy maintain separate connections.
* Fix module nameSimo Sorce2014-03-091-2/+2
| | | | | | The module structure name used throughout the code didn't match the name of the initialized structure, so the one used was always uninitialized.
* Add option to map GSS Name to local NameSimo Sorce2014-03-081-2/+31
| | | | | | | Always preserves the received name in GSS_NAME. In the kereberos case this will result in the environment variable called GSS_NAME the user's principal, while REMOTE_USER will contain the user name as mapped by the kerberos library.
* Use the cred_store extension to save credentialsSimo Sorce2014-03-081-6/+54
|
* Fix warningsSimo Sorce2014-02-151-2/+5
|
* Add initial configure scriptsSimo Sorce2014-02-151-0/+25
|
* Initial codeSimo Sorce2014-02-151-0/+224
Signed-off-by: Simo Sorce <simo@redhat.com>