#ifdef STANDARD20_MODULE_STUFF
#include <ap_compat.h>
#include <apr_strings.h>
+#include <apr_base64.h>
#endif
-
#ifdef KRB5
#include <krb5.h>
#ifdef HEIMDAL
#else
# include <gssapi/gssapi.h>
# include <gssapi/gssapi_generic.h>
+# include <gssapi/gssapi_krb5.h>
# define GSS_C_NT_USER_NAME gss_nt_user_name
# define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
# define krb5_get_err_text(context,code) error_message(code)
#endif /* KRB5 */
#ifdef KRB4
-/*Prevent warning about closesocket redefinition (Apache's ap_config.h and
+/* Prevent warning about closesocket redefinition (Apache's ap_config.h and
* MIT Kerberos' port-sockets.h both define it as close) */
#ifdef closesocket
# undef closesocket
#include <netdb.h> /* gethostbyname() */
#endif /* KRB4 */
+/* XXX remove dependency on unistd.h ??? */
+#include <unistd.h>
+
#ifdef STANDARD20_MODULE_STUFF
module AP_MODULE_DECLARE_DATA auth_kerb_module;
#else
{ NULL }
};
+#if defined(KRB5) && !defined(HEIMDAL)
+/* Needed to work around problems with replay caches */
+#include "mit-internals.h"
+
+/* This is our replacement krb5_rc_store function */
+static krb5_error_code
+mod_auth_kerb_rc_store(krb5_context context, krb5_rcache rcache,
+ krb5_donot_replay *donot_replay)
+{
+ return 0;
+}
+
+/* And this is the operations vector for our replay cache */
+const krb5_rc_ops mod_auth_kerb_rc_ops = {
+ 0,
+ "dfl",
+ krb5_rc_dfl_init,
+ krb5_rc_dfl_recover,
+ krb5_rc_dfl_destroy,
+ krb5_rc_dfl_close,
+ mod_auth_kerb_rc_store,
+ krb5_rc_dfl_expunge,
+ krb5_rc_dfl_get_span,
+ krb5_rc_dfl_get_name,
+ krb5_rc_dfl_resolve
+};
+#endif
+
+
/***************************************************************************
Auth Configuration Initialization
***************************************************************************/
/***************************************************************************
Username/Password Validation for Krb5
***************************************************************************/
+
+/* MIT kerberos uses replay cache checks even during credential verification
+ * (i.e. in krb5_verify_init_creds()), which is obviosuly useless. In order to
+ * avoid problems with multiple apache processes accessing the same rcache file
+ * we had to use this call instead, which is only a bit modified version of
+ * krb5_verify_init_creds() */
+static krb5_error_code
+verify_krb5_init_creds(krb5_context context, krb5_creds *creds,
+ krb5_principal ap_req_server, krb5_keytab ap_req_keytab)
+{
+ krb5_error_code ret;
+ krb5_data req;
+ krb5_ccache local_ccache = NULL;
+ krb5_creds *new_creds = NULL;
+ krb5_auth_context auth_context = NULL;
+ krb5_keytab keytab = NULL;
+
+ memset(&req, 0, sizeof(req));
+
+ if (ap_req_keytab == NULL) {
+ ret = krb5_kt_default (context, &keytab);
+ if (ret)
+ return ret;
+ } else
+ keytab = ap_req_keytab;
+
+ ret = krb5_cc_resolve(context, "MEMORY:", &local_ccache);
+ if (ret)
+ return ret;
+
+ ret = krb5_cc_initialize(context, local_ccache, creds->client);
+ if (ret)
+ goto end;
+
+ ret = krb5_cc_store_cred (context, local_ccache, creds);
+ if (ret)
+ goto end;
+
+ if (!krb5_principal_compare (context, ap_req_server, creds->server)) {
+ krb5_creds match_cred;
+
+ memset (&match_cred, 0, sizeof(match_cred));
+
+ match_cred.client = creds->client;
+ match_cred.server = ap_req_server;
+
+ ret = krb5_get_credentials (context, 0, local_ccache,
+ &match_cred, &new_creds);
+ if (ret)
+ goto end;
+ creds = new_creds;
+ }
+
+ ret = krb5_mk_req_extended (context, &auth_context, 0, NULL, creds, &req);
+ if (ret)
+ goto end;
+
+ krb5_auth_con_free (context, auth_context);
+ auth_context = NULL;
+ ret = krb5_auth_con_init(context, &auth_context);
+ if (ret)
+ goto end;
+ /* use KRB5_AUTH_CONTEXT_DO_SEQUENCE to skip replay cache checks */
+ krb5_auth_con_setflags(context, auth_context, KRB5_AUTH_CONTEXT_DO_SEQUENCE);
+
+ ret = krb5_rd_req (context, &auth_context, &req, ap_req_server,
+ keytab, 0, NULL);
+
+end:
+ krb5_free_data_contents(context, &req);
+ if (auth_context)
+ krb5_auth_con_free (context, auth_context);
+ if (new_creds)
+ krb5_free_creds (context, new_creds);
+ if (ap_req_keytab == NULL && keytab)
+ krb5_kt_close (context, keytab);
+ if (local_ccache)
+ krb5_cc_destroy (context, local_ccache);
+
+ return ret;
+}
+
/* Inspired by krb5_verify_user from Heimdal */
static krb5_error_code
verify_krb5_user(request_rec *r, krb5_context context, krb5_principal principal,
- krb5_ccache ccache, const char *password, const char *service,
- krb5_keytab keytab, int krb_verify_kdc)
+ const char *password, const char *service, krb5_keytab keytab,
+ int krb_verify_kdc, krb5_ccache *ccache)
{
krb5_creds creds;
krb5_principal server = NULL;
krb5_error_code ret;
- krb5_verify_init_creds_opt opt;
+ krb5_ccache ret_ccache = NULL;
/* XXX error messages shouldn't be logged here (and in the while() loop in
* authenticate_user_krb5pwd() as weell), in order to avoid confusing log
}
*/
- krb5_verify_init_creds_opt_init(&opt);
- krb5_verify_init_creds_opt_set_ap_req_nofail(&opt, krb_verify_kdc);
+ if (krb_verify_kdc &&
+ (ret = verify_krb5_init_creds(context, &creds, server, keytab))) {
+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "failed to verify krb5 credentials: %s",
+ krb5_get_err_text(context, ret));
+ goto end;
+ }
+
+ ret = krb5_cc_resolve(context, "MEMORY:", &ret_ccache);
+ if (ret) {
+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "generating new memory ccache failed: %s",
+ krb5_get_err_text(kcontext, ret));
+ goto end;
+ }
- ret = krb5_verify_init_creds(context, &creds, server, keytab, NULL, &opt);
+ ret = krb5_cc_initialize(context, ret_ccache, principal);
if (ret) {
log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "krb5_verify_init_creds() failed: %s",
+ "krb5_cc_initialize() failed: %s",
krb5_get_err_text(context, ret));
goto end;
}
-
- if (ccache) {
- ret = krb5_cc_initialize(context, ccache, principal);
- if (ret) {
- log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "krb5_cc_initialize() failed: %s",
- krb5_get_err_text(context, ret));
- goto end;
- }
- ret = krb5_cc_store_cred(context, ccache, &creds);
- if (ret) {
- log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "krb5_cc_store_cred() failed: %s",
- krb5_get_err_text(context, ret));
- goto end;
- }
+ ret = krb5_cc_store_cred(context, ret_ccache, &creds);
+ if (ret) {
+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "krb5_cc_store_cred() failed: %s",
+ krb5_get_err_text(context, ret));
+ goto end;
}
+ *ccache = ret_ccache;
+ ret_ccache = NULL;
end:
krb5_free_cred_contents(context, &creds);
if (server)
krb5_free_principal(context, server);
+ if (ret_ccache)
+ krb5_cc_destroy(context, ret_ccache);
+
return ret;
}
int ret;
char *name = NULL;
int all_principals_unkown;
- char *ccname = NULL;
- int fd;
code = krb5_init_context(&kcontext);
if (code) {
goto end;
}
- code = krb5_cc_resolve(kcontext, "MEMORY:", &ccache);
- if (code) {
- log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "generating new memory ccache failed: %s",
- krb5_get_err_text(kcontext, code));
- ret = HTTP_INTERNAL_SERVER_ERROR;
- unlink(ccname);
- goto end;
- }
-
if (conf->krb_5_keytab)
krb5_kt_resolve(kcontext, conf->krb_5_keytab, &keytab);
continue;
}
- code = verify_krb5_user(r, kcontext, client, ccache, sent_pw,
+ code = verify_krb5_user(r, kcontext, client, sent_pw,
conf->krb_service_name,
- keytab, conf->krb_verify_kdc);
+ keytab, conf->krb_verify_kdc, &ccache);
if (!conf->krb_authoritative && code) {
/* if we're not authoritative, we allow authentication to pass on
* to another modules if (and only if) the user is not known to us */
OM_uint32 msg_ctx = 0;
gss_buffer_desc status_string;
char *err_msg;
- size_t len;
err_msg = ap_pstrdup(p, prefix);
do {
gss_name_t server_name = GSS_C_NO_NAME;
char buf[1024];
-#if 0
- /* Don't specify service name. This makes MIT 1.3 not to use replay caches,
- * which causes large problems with the Microsoft krb5 implementation. MS
- * obviously uses a format of the krb5 authenticator that is considered by
- * the MIT as replay (Two valid MS authenticators may contain the same time
- * and utime fields and only differ in the sequential numbers).
- */
snprintf(buf, sizeof(buf), "%s@%s", conf->krb_service_name,
ap_get_server_name(r));
"gss_import_name() failed"));
return HTTP_INTERNAL_SERVER_ERROR;
}
-#endif
major_status = gss_acquire_cred(&minor_status, server_name, GSS_C_INDEFINITE,
GSS_C_NO_OID_SET, GSS_C_ACCEPT,
"gss_acquire_cred() failed"));
return HTTP_INTERNAL_SERVER_ERROR;
}
+
+#ifndef HEIMDAL
+ /*
+ * With MIT Kerberos 5 1.3.x the gss_cred_id_t is the same as
+ * krb5_gss_cred_id_t and krb5_gss_cred_id_rec contains a pointer to
+ * the replay cache.
+ * This allows us to override the replay cache function vector with
+ * our own one.
+ * Note that this is a dirty hack to get things working and there may
+ * well be unknown side-effects.
+ */
+ {
+ krb5_gss_cred_id_t gss_creds = (krb5_gss_cred_id_t) *server_creds;
+
+ if (gss_creds && gss_creds->rcache && gss_creds->rcache->ops &&
+ gss_creds->rcache->ops->type &&
+ memcmp(gss_creds->rcache->ops->type, "dfl", 3) == 0)
+ /* Override the rcache operations */
+ gss_creds->rcache->ops = &mod_auth_kerb_rc_ops;
+ }
+#endif
return 0;
}
projects / mod_auth_kerb.git / blobdiff