summaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* Add cleanup function for mag_conn->name_attributesHEADmasterAlejandro Perez2017-02-133-2/+11
| | | | | Reviewed-by: Simo Sorce <simo@redhat.com> Closes #127
* JSON strings need to be escaped (i.e. replace " with \")Alejandro Perez2017-02-091-2/+33
| | | | | Reviewed-by: Simo Sorce <simo@redhat.com> Closes #125
* Add option to set alternative ccname env varFraser Tweedale2017-02-083-4/+9
| | | | | | | | | | | | | In some cases (e.g. if you want to convey the ccname over AJP) the request environment variable name "KRB5CCNAME" is not appropriate. Add the GssapiDelegCcacheEnvVar option that allows the env var name to be changed. Fixes: https://github.com/modauthgssapi/mod_auth_gssapi/issues/123 Reviewed-by: Simo Sorce <simo@redhat.com> Closes #124 Closes #123
* rewrite: implicitly handle internal redirectsIsaac Boukris2017-01-114-16/+61
| | | | | | | | | | | | | | Internal redirects are a special case of subrequest - they have no req->main but req->prev instead, so we should check for that too in case the request is not initial. Also, make sure to export MAG environment variables to subrequests and internal redirects. Signed-off-by: Isaac Boukris <iboukris@gmail.com> Reviewed-by: Simo Sorce <simo@redhat.com> Reported-by: scopev24 Closes #119
* Add option to store the session encryption key.Simo Sorce2017-01-031-14/+85
| | | | | | | | | | With the new 'file:' sytnax a session key can be automatically generated the first time mod_auth_gssapi runs and stored on the filesystem. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Robbie Harwood <rharwood@redhat.com> Closes #117
* Fix memory pool used to hold ccache nameMarcel Ritter2016-12-191-1/+1
| | | | | | | | | broken ccache name when "GssapiDelegCcacheUnique Off" (default) Signed-off-by: Marcel Ritter <ritter.marcel@googlemail.com> Reviewed-by: Simo Sorce <simo@redhat.com> Closes #116 Fixes #115
* Add option to set custom permissions on ccacheSimo Sorce2016-11-303-7/+123
| | | | | | | | | This allows apache to set permission so that another user in the default group can access the ccache. Useful when apache passes the request to a process running under a different user or group id number. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Robbie Harwood <rharwood@redhat.com>
* Write 'Persistent-Auth' header to err_headers_outMichael Osipov2016-10-111-1/+1
| | | | | | | | | | | | | | In some cases, like internal redirects, authentication is completed but our 'Persistent-Auth' header is dropped by the server because headers_out is ignored with errors (4xx, 5xx) and internal redirects. See: https://ci.apache.org/projects/httpd/trunk/doxygen/structrequest__rec.html#a9f49c2d5680987c0c28466ea37d41a62 This fixes #110 Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Isaac Boukris <iboukris@gmail.com> Closes #111
* Declare mag_complete outside the ifdef blockSimo Sorce2016-10-111-4/+4
| | | | | | | | Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Isaac Boukris <iboukris@gmail.com> Reviewed-by: Robbie Harwood <rharwood@redhat.com> Fixes #106 Closes #107
* Fix behavior of NULL ccname for cookie creationRobbie Harwood2016-08-151-1/+6
| | | | | | | | | | | This resolves an issue where the session cookie would not be populated when sesions were used but unique ccaches were not. Based on a report from Bhagavan Das. Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> Closes #98
* Add compatibility with OpenSSL 1.1.0Simo Sorce2016-07-061-31/+76
| | | | | | | | | In their continued wisdom OpenSSL developers keep breaking APIs left and right with very poor documentation and forward/backward source compatibility. Signed-off-by: Simo Sorce <simo@redhat.com> Closes #96 Closes #97
* Insure the asn1 definitions are in the tarballSimo Sorce2016-06-151-0/+2
| | | | | Signed-off-by: Simo Sorce <simo@redhat.com> Close #95
* Move context loops to a helper functionSimo Sorce2016-06-151-110/+72
| | | | | | | | This work simplifies the calling code and reduces duplication. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Reviewed-by: Isaac Boukris <iboukris@gmail.com> Close #94
* Postpone adding spnego mech to mech listSimo Sorce2016-06-091-23/+65
| | | | | | | | | | | Add the SPNEGO mech oid only if we are performing negotiate auth. This cacthes earlier, with a hard failure, the case where a mechanism defined on the command line is not available, by checking if there are any desired mechs. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Isaac Boukris <iboukris@gmail.com> Close #93
* Add support for GssapiImpersonate.Jan Pazdziora2016-06-092-1/+157
| | | | | | | | | | | | | | | | This is can be enabled on locations that are authenticated by another module to obtain a ticket for the user, so that the application gets access to krb5 credentials and all named attributes for the client. The service needs to be authorized by the KDC if there is the need to use credentials for further ticket acquisition by setting the ok_to_auth_as_delegate flag on the service principal. This will provide a forwardable ticket that can be used to obtain additional tickets via consrained delegation (also subkect to KDC access control). Signed-off-by: Jan Pazdziora <jpazdziora@redhat.com> Signed-off-by: Simo Sorce <simo@redhat.com> Close #92
* Split the book keeping operations into a functionSimo Sorce2016-06-091-48/+66
| | | | | | | | | This will be used in a following patch that perform gssapi operations using a different path but need to perform the same bookj keeping as the main auth path. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Jan Pazdziora <jpazdziora@redhat.com>
* Fix cred cache detectionSimo Sorce2016-06-091-3/+6
| | | | | | | | | The stat call was not using the full path name, therefore it was always failing. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Jan Pazdziora <jpazdziora@redhat.com> Close #91
* Fix function name spellingSimo Sorce2016-06-091-2/+2
| | | | | | Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Jan Pazdziora <jpazdziora@redhat.com> Close #90
* Do not use ap_hook_check_user_id on Apache 2.4Jan Pazdziora2016-06-021-0/+5
| | | | | | | | On Apache 2.4 this method is deprecated, use the recommended hook. Signed-off-by: Jan Pazdziora <jpazdziora@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> Close #84
* Obey SessionMaxAge for session expirationMatt Rogers2016-05-251-0/+6
| | | | | | | | | Set the session and cookie expiration to the mod_session SessionMaxAge expiry time, if it is shorter than the credential lifetime. Signed-off-by: Matt Rogers <mrogers@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> Closes #82
* Implement unique ccache namesRobbie Harwood2016-05-189-34/+90
| | | | | | | | | | | Unique ccache names may be requested using the GssapiDelegCcacheUnique configuration option. This option is off by default. If both unique ccache names and session use are enabled, then a mechanism for removing old ccaches must be supplied. Signed-off-by: Robbie Harwood <rharwood@redhat.com> Also-authored-by: Petr Vobornik <pvoborni@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Unify copyright conventionRobbie Harwood2016-05-188-30/+8
| | | | | Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Fix APXS error "cannot determine bootstrap symbol name"Dennis Schridde2016-04-121-1/+1
| | | | | | | | | | | | | | | Maybe related to out-of-source builds? ``` test -d /target/usr/lib/apache2/modules || mkdir -p /target/usr/lib/apache2/modules /usr/bin/apxs2 -i -S LIBEXECDIR=/target/usr/lib/apache2/modules mod_auth_gssapi.la apxs:Error: Sorry, cannot determine bootstrap symbol name. apxs:Error: Please specify one with option `-n'. Makefile:725: recipe for target 'install-exec-local' failed ``` Reviewed-by: Simo Sorce <simo@redhat.com> Close #79
* Respect DESTDIR when installing Apache moduleDennis Schridde2016-04-121-2/+2
| | | | | Reviewed-by: Simo Sorce <simo@redhat.com> Close #78
* Cleanup s4u2proxy in mag_auth_basicIsaac Boukris2016-02-171-18/+4
| | | | | | | | | | | | | | It doesn't have any effect since we set GSS_C_DELEG_FLAG when we initiate client credentials so we always get delegated TGT regardless of constrained delegation. This commit is not intended to change the current behaviour. See #70 Reviewed-by: Simo Sorce <simo@redhat.com> Closes #70 Closes #72
* Add option to not send a Negotiate headersJames Groffen2016-02-172-5/+23
| | | | | | | | | | | | | | | | If negotiation was attempted but failed do not send a new Negotiate header. Useful when only one single sign on mechanism is allowed and to avoid misleading login prompts in some browsers. Added a test of the GssapiDontReauth option to the test suite. Also added SPNEGO no auth test. [SS: reworded and fixed commit subject/comment] [SS: fixed whitespace errors and 80 column wrappings] Reviewed-by: Simo Sorce <simo@redhat.com> Close #65
* Fix potential loop when requesting attribute data.Simo Sorce2016-01-141-1/+1
| | | | | | | | | | If this function fail we are better off abandoning the whole quest, continueing here may end us up in an infinite loop where the fucntion keeps failing w/o changing attr.more Thanks to Alejandro Perez for finding this flaw. Signed-off-by: Simo Sorce <simo@redhat.com>
* Fix build when cred store is not available.Simo Sorce2016-01-132-0/+4
| | | | | | Older distributions have versions of Kerberos that miss this feature. Signed-off-by: Simo Sorce <simo@redhat.com>
* Prevent potential null pointer dereferenceJames Groffen2016-01-111-0/+4
| | | | | | | | | | | This commit adds checks to ensure cfg->name_attributes is not null before it is used in mag_get_name_attributes. (Reworded commit message) Reviewed-by: Simo Sorce <simo@redhat.com> Close #64
* Add code to set attribute names in the environmentname_attrsSimo Sorce2015-12-034-3/+335
| | | | | | | | | | | | This code allows to specify which attributes in a name are interesting to the application and set them as named environemnt variables. Optionally the whole set of attributes can be exported in a json formatted structure. Signed-off-by: Simo Sorce <simo@redhat.com> Close #62 Close #63
* Move setting request data to a separate fileSimo Sorce2015-12-026-90/+94
| | | | | | In preparation for the next commit. Signed-off-by: Simo Sorce <simo@redhat.com>
* Negate established flag if session is expired.davisd1232015-10-051-0/+1
| | | | | | | | If the session is expired, then set established to false to force re-authentication. Reviewed-by: Simo Sorce <simo@redhat.com> Close #57
* Fix include path to asn1c for out-of-source buildsDennis Schridde2015-09-031-1/+1
| | | | | Reviewed-by: Simo Sorce <simo@redhat.com> Closes #55
* Fix bug in handling Session KeysSimo Sorce2015-09-031-1/+1
| | | | | | | | A check inversion in 86661d07812b010b8cf664c2dab596be15ff1e31 caused the specified session key to be ignored and a crash when none was specified. Signed-off-by: Simo Sorce <simo@redhat.com>
* Allow building without NTLMSSP supportSimo Sorce2015-09-032-13/+27
| | | | | | | | | | | | | If gssapi/gssapi_ntlmssp.h is not available simply disable NTLMSSP. Coauthored Signed-off-by: Dennis Schridde <dennis.schridde@uni-heidelberg.de> Signed-off-by: Simo Sorce <simo@redhat.com> Closes #52 Closes #53 Closes #54
* Do not use /tmp as default for s4u2proxySimo Sorce2015-08-311-4/+14
| | | | | | | | | | The /tmp directory can lead to bugs and DoS of the apache process because any user on the system can block the creation of predictable file names. Simply error out if GssapiDelegCcacheDir is not explicitly set. Signed-off-by: Simo Sorce <simo@redhat.com>
* Allocate new keys at server startup.Simo Sorce2015-08-304-39/+44
| | | | | | | | This avoids a potential race condition if the first 2 request come in at the same time. It also avoids issues with forked apapche processes which may end up with different keys per fork. Signed-off-by: Simo Sorce <simo@redhat.com>
* Fix incorrect free() usageSimo Sorce2015-08-301-5/+1
| | | | | | | | This code has been changed to use apr pools for memory allocation, so the error path is wrong as free() is not called on malloc()ed memory anymore. Remove the calls to free(), the mempool is clean up by callers. Signed-off-by: Simo Sorce <simo@redhat.com>
* Support forward proxy authenticationIsaac Boukris2015-08-062-20/+53
| | | | | | | | Proxy auth headers are a little different. Sessions cannot be used as we cannot set a cookie. Reviewed-by: Simo Sorce <simo@redhat.com>
* Avoid advertising NTLM if it isn't technically supportedIsaac Boukris2015-08-061-3/+9
| | | | | | | | | | This lets browsers to fall back to basic auth if supported (similar to 4e7967e797e5c8912a67c0de8f172bb95b5172ff). Add boolean param to is_mech_allowed which denotes whether the caller supports multiple step. Reviewed-by: Simo Sorce <simo@redhat.com>
* Fix checks on allowed mechsSimo Sorce2015-07-071-6/+6
| | | | | | | | | | | | | | We need to check if a mech is allowed against the desired_mechs set. Otherwise in case the admin does not explicitly specify an allowed set then all mechs are allowed, including NTLM. This causes annoying issues with browsers like Firefox and Chrome/ium which end up popping up an authentication dialog if they see NTLM is supported and they have no Kerberos tickets around. Authentication will then simply fail because NTLM is not actually supported. By using desired_mechs we use a list of mechanism the machine actually has a chance to support in the default case. Signed-off-by: Simo Sorce <simo@redhat.com>
* Retrieve default mechs at server initIsaac Boukris2015-06-252-34/+43
| | | | | | | | | | This avoids the need to retrieve the list on every auth attempt, and then free it every time. Implemented by adding a server config struct and populating it at server init with gss_indicate_mechs(). Reviewed-by: Simo Sorce <simo@redhat.com>
* Properly check return error when filtering mechsSimo Sorce2015-06-241-1/+4
| | | | | | | We need to fail only if the input was an actual set and instead we get back GSS_C_NO_OID_SET. In all other cases we are fine. Signed-off-by: Simo Sorce <simo@redhat.com>
* Fail server startup on bad mechanismsIsaac Boukris2015-06-241-6/+10
| | | | | | | This helps to detect mis-configurations early. Configuration errors are considered fatal in apache anyway. Reviewed-by: Simo Sorce <simo@redhat.com>
* Skip spnego filtering since we already filter itIsaac Boukris2015-06-231-6/+0
| | | | Reviewed-by: Simo Sorce <simo@redhat.com>
* Acquire server creds with given cred_usage rather than bothIsaac Boukris2015-06-231-1/+1
| | | | Reviewed-by: Simo Sorce <simo@redhat.com>
* Support allowing arbitrary mechanismsSimo Sorce2015-06-221-21/+50
| | | | | | | | | Use gss_str_to_oid so OIDs can be used to set arbitrary mechanism in allow lists like GssapiAllowedMech or GssapiBasicAuthMech. Closes #46 Signed-off-by: Simo Sorce <simo@redhat.com>
* Acquire creds only once for basic_authSimo Sorce2015-06-221-25/+26
| | | | | | | | | | Instead of acquiring creds by looping at each round, use gss_inquire_cred_by_mech() to work around the union_name issue and get the correct per-mechanism server name. Closes #45 Signed-off-by: Simo Sorce <simo@redhat.com>
* Set krb5 ccache only if krb5 is usedSimo Sorce2015-06-211-19/+37
| | | | | | | Check if the krb5 mechanism is present and only then set the cache, this avoid wasteful operations if we are not even using krb5. Signed-off-by: Simo Sorce <simo@redhat.com>
* Add GssapiBasicAuthMech optionSimo Sorce2015-06-202-22/+144
| | | | | | | | | This option allows to set a different list of mechanisms to use with Basic Auth (Basic Auth must be explicitly enabled) than the list of mechs that are allowed with Negotiate or Raw GSSAPI Client authentication. Signed-off-by: Simo Sorce <simo@redhat.com>
generated by cgit (git 2.34.1) at 2025-07-01 11:45:05 +0000