#include "config.h"
-#define MODAUTHKERB_VERSION "5.0-rc4"
+#define MODAUTHKERB_VERSION "5.0-rc5"
#include <httpd.h>
#include <http_config.h>
#ifdef STANDARD20_MODULE_STUFF
#include <ap_compat.h>
#include <apr_strings.h>
+#include <apr_base64.h>
#endif
-
#ifdef KRB5
#include <krb5.h>
#ifdef HEIMDAL
#else
# include <gssapi/gssapi.h>
# include <gssapi/gssapi_generic.h>
+# include <gssapi/gssapi_krb5.h>
# define GSS_C_NT_USER_NAME gss_nt_user_name
# define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
# define krb5_get_err_text(context,code) error_message(code)
#endif /* KRB5 */
#ifdef KRB4
-/*Prevent warning about closesocket redefinition (Apache's ap_config.h and
+/* Prevent warning about closesocket redefinition (Apache's ap_config.h and
* MIT Kerberos' port-sockets.h both define it as close) */
#ifdef closesocket
# undef closesocket
#include <netdb.h> /* gethostbyname() */
#endif /* KRB4 */
+/* XXX remove dependency on unistd.h ??? */
+#include <unistd.h>
+
#ifdef STANDARD20_MODULE_STUFF
module AP_MODULE_DECLARE_DATA auth_kerb_module;
#else
{ NULL }
};
-#ifdef KRB5
-typedef struct {
- gss_ctx_id_t context;
- gss_cred_id_t server_creds;
-} gss_connection_t;
+#if defined(KRB5) && !defined(HEIMDAL)
+/* Needed to work around problems with replay caches */
+#include "mit-internals.h"
-static gss_connection_t *gss_connection = NULL;
+/* This is our replacement krb5_rc_store function */
+static krb5_error_code
+mod_auth_kerb_rc_store(krb5_context context, krb5_rcache rcache,
+ krb5_donot_replay_internal *donot_replay)
+{
+ return 0;
+}
+
+/* And this is the operations vector for our replay cache */
+const krb5_rc_ops_internal mod_auth_kerb_rc_ops = {
+ 0,
+ "dfl",
+ krb5_rc_dfl_init,
+ krb5_rc_dfl_recover,
+ krb5_rc_dfl_destroy,
+ krb5_rc_dfl_close,
+ mod_auth_kerb_rc_store,
+ krb5_rc_dfl_expunge,
+ krb5_rc_dfl_get_span,
+ krb5_rc_dfl_get_name,
+ krb5_rc_dfl_resolve
+};
#endif
/***************************************************************************
Username/Password Validation for Krb5
***************************************************************************/
+
+/* MIT kerberos uses replay cache checks even during credential verification
+ * (i.e. in krb5_verify_init_creds()), which is obviosuly useless. In order to
+ * avoid problems with multiple apache processes accessing the same rcache file
+ * we had to use this call instead, which is only a bit modified version of
+ * krb5_verify_init_creds() */
+static krb5_error_code
+verify_krb5_init_creds(krb5_context context, krb5_creds *creds,
+ krb5_principal ap_req_server, krb5_keytab ap_req_keytab)
+{
+ krb5_error_code ret;
+ krb5_data req;
+ krb5_ccache local_ccache = NULL;
+ krb5_creds *new_creds = NULL;
+ krb5_auth_context auth_context = NULL;
+ krb5_keytab keytab = NULL;
+
+ memset(&req, 0, sizeof(req));
+
+ if (ap_req_keytab == NULL) {
+ ret = krb5_kt_default (context, &keytab);
+ if (ret)
+ return ret;
+ } else
+ keytab = ap_req_keytab;
+
+ ret = krb5_cc_resolve(context, "MEMORY:", &local_ccache);
+ if (ret)
+ return ret;
+
+ ret = krb5_cc_initialize(context, local_ccache, creds->client);
+ if (ret)
+ goto end;
+
+ ret = krb5_cc_store_cred (context, local_ccache, creds);
+ if (ret)
+ goto end;
+
+ if (!krb5_principal_compare (context, ap_req_server, creds->server)) {
+ krb5_creds match_cred;
+
+ memset (&match_cred, 0, sizeof(match_cred));
+
+ match_cred.client = creds->client;
+ match_cred.server = ap_req_server;
+
+ ret = krb5_get_credentials (context, 0, local_ccache,
+ &match_cred, &new_creds);
+ if (ret)
+ goto end;
+ creds = new_creds;
+ }
+
+ ret = krb5_mk_req_extended (context, &auth_context, 0, NULL, creds, &req);
+ if (ret)
+ goto end;
+
+ krb5_auth_con_free (context, auth_context);
+ auth_context = NULL;
+ ret = krb5_auth_con_init(context, &auth_context);
+ if (ret)
+ goto end;
+ /* use KRB5_AUTH_CONTEXT_DO_SEQUENCE to skip replay cache checks */
+ krb5_auth_con_setflags(context, auth_context, KRB5_AUTH_CONTEXT_DO_SEQUENCE);
+
+ ret = krb5_rd_req (context, &auth_context, &req, ap_req_server,
+ keytab, 0, NULL);
+
+end:
+ krb5_free_data_contents(context, &req);
+ if (auth_context)
+ krb5_auth_con_free (context, auth_context);
+ if (new_creds)
+ krb5_free_creds (context, new_creds);
+ if (ap_req_keytab == NULL && keytab)
+ krb5_kt_close (context, keytab);
+ if (local_ccache)
+ krb5_cc_destroy (context, local_ccache);
+
+ return ret;
+}
+
/* Inspired by krb5_verify_user from Heimdal */
static krb5_error_code
verify_krb5_user(request_rec *r, krb5_context context, krb5_principal principal,
- krb5_ccache ccache, const char *password, const char *service,
- krb5_keytab keytab, int krb_verify_kdc)
+ const char *password, const char *service, krb5_keytab keytab,
+ int krb_verify_kdc, krb5_ccache *ccache)
{
krb5_creds creds;
krb5_principal server = NULL;
krb5_error_code ret;
- krb5_verify_init_creds_opt opt;
+ krb5_ccache ret_ccache = NULL;
/* XXX error messages shouldn't be logged here (and in the while() loop in
* authenticate_user_krb5pwd() as weell), in order to avoid confusing log
krb5_get_err_text(context, ret));
goto end;
}
+ /* XXX log_debug: lookig for <server_princ> in keytab */
/* XXX
{
}
*/
- krb5_verify_init_creds_opt_init(&opt);
- krb5_verify_init_creds_opt_set_ap_req_nofail(&opt, krb_verify_kdc);
+ if (krb_verify_kdc &&
+ (ret = verify_krb5_init_creds(context, &creds, server, keytab))) {
+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "failed to verify krb5 credentials: %s",
+ krb5_get_err_text(context, ret));
+ goto end;
+ }
+
+ ret = krb5_cc_resolve(context, "MEMORY:", &ret_ccache);
+ if (ret) {
+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "generating new memory ccache failed: %s",
+ krb5_get_err_text(context, ret));
+ goto end;
+ }
- ret = krb5_verify_init_creds(context, &creds, server, keytab, NULL, &opt);
+ ret = krb5_cc_initialize(context, ret_ccache, principal);
if (ret) {
log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "krb5_verify_init_creds() failed: %s",
+ "krb5_cc_initialize() failed: %s",
krb5_get_err_text(context, ret));
goto end;
}
-
- if (ccache) {
- ret = krb5_cc_initialize(context, ccache, principal);
- if (ret) {
- log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "krb5_cc_initialize() failed: %s",
- krb5_get_err_text(context, ret));
- goto end;
- }
- ret = krb5_cc_store_cred(context, ccache, &creds);
- if (ret) {
- log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "krb5_cc_store_cred() failed: %s",
- krb5_get_err_text(context, ret));
- goto end;
- }
+ ret = krb5_cc_store_cred(context, ret_ccache, &creds);
+ if (ret) {
+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "krb5_cc_store_cred() failed: %s",
+ krb5_get_err_text(context, ret));
+ goto end;
}
+ *ccache = ret_ccache;
+ ret_ccache = NULL;
end:
krb5_free_cred_contents(context, &creds);
if (server)
krb5_free_principal(context, server);
+ if (ret_ccache)
+ krb5_cc_destroy(context, ret_ccache);
+
return ret;
}
int ret;
char *name = NULL;
int all_principals_unkown;
- char *ccname = NULL;
- int fd;
code = krb5_init_context(&kcontext);
if (code) {
goto end;
}
- code = krb5_cc_resolve(kcontext, "MEMORY:", &ccache);
- if (code) {
- log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "generating new memory ccache failed: %s",
- krb5_get_err_text(kcontext, code));
- ret = HTTP_INTERNAL_SERVER_ERROR;
- unlink(ccname);
- goto end;
- }
-
if (conf->krb_5_keytab)
krb5_kt_resolve(kcontext, conf->krb_5_keytab, &keytab);
continue;
}
- code = verify_krb5_user(r, kcontext, client, ccache, sent_pw,
+ code = verify_krb5_user(r, kcontext, client, sent_pw,
conf->krb_service_name,
- keytab, conf->krb_verify_kdc);
+ keytab, conf->krb_verify_kdc, &ccache);
if (!conf->krb_authoritative && code) {
/* if we're not authoritative, we allow authentication to pass on
* to another modules if (and only if) the user is not known to us */
OM_uint32 msg_ctx = 0;
gss_buffer_desc status_string;
char *err_msg;
- size_t len;
err_msg = ap_pstrdup(p, prefix);
do {
}
static int
-cleanup_gss_connection(void *data)
-{
- OM_uint32 minor_status;
- gss_connection_t *gss_conn = (gss_connection_t *)data;
-
- if (data == NULL)
- return OK;
- if (gss_conn->context != GSS_C_NO_CONTEXT)
- gss_delete_sec_context(&minor_status, &gss_conn->context,
- GSS_C_NO_BUFFER);
- if (gss_conn->server_creds != GSS_C_NO_CREDENTIAL)
- gss_release_cred(&minor_status, &gss_conn->server_creds);
-
- gss_connection = NULL;
-
- return OK;
-}
-
-static int
store_gss_creds(request_rec *r, kerb_auth_config *conf, char *princ_name,
gss_cred_id_t delegated_cred)
{
gss_name_t server_name = GSS_C_NO_NAME;
char buf[1024];
-#if 0
- /* Don't specify service name. This makes MIT 1.3 not to use replay caches,
- * which causes large problems with the Microsoft krb5 implementation. MS
- * obviously uses a format of the krb5 authenticator that is considered by
- * the MIT as replay (Two valid MS authenticators may contain the same time
- * and utime fields and only differ in the sequential numbers).
- */
snprintf(buf, sizeof(buf), "%s@%s", conf->krb_service_name,
ap_get_server_name(r));
"gss_import_name() failed"));
return HTTP_INTERNAL_SERVER_ERROR;
}
-#endif
+
+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Acquiring creds for %s", buf);
major_status = gss_acquire_cred(&minor_status, server_name, GSS_C_INDEFINITE,
GSS_C_NO_OID_SET, GSS_C_ACCEPT,
"gss_acquire_cred() failed"));
return HTTP_INTERNAL_SERVER_ERROR;
}
+
+#ifndef HEIMDAL
+ /*
+ * With MIT Kerberos 5 1.3.x the gss_cred_id_t is the same as
+ * krb5_gss_cred_id_t and krb5_gss_cred_id_rec contains a pointer to
+ * the replay cache.
+ * This allows us to override the replay cache function vector with
+ * our own one.
+ * Note that this is a dirty hack to get things working and there may
+ * well be unknown side-effects.
+ */
+ {
+ krb5_gss_cred_id_t gss_creds = (krb5_gss_cred_id_t) *server_creds;
+
+ if (gss_creds && gss_creds->rcache && gss_creds->rcache->ops &&
+ gss_creds->rcache->ops->type &&
+ memcmp(gss_creds->rcache->ops->type, "dfl", 3) == 0)
+ /* Override the rcache operations */
+ gss_creds->rcache->ops = &mod_auth_kerb_rc_ops;
+ }
+#endif
return 0;
}
gss_cred_id_t delegated_cred = GSS_C_NO_CREDENTIAL;
OM_uint32 (*accept_sec_token)();
gss_OID_desc spnego_oid;
+ gss_ctx_id_t context = GSS_C_NO_CONTEXT;
+ gss_cred_id_t server_creds = GSS_C_NO_CREDENTIAL;
*negotiate_ret_value = "\0";
spnego_oid.length = 6;
spnego_oid.elements = (void *)"\x2b\x06\x01\x05\x05\x02";
- if (gss_connection == NULL) {
- gss_connection = ap_pcalloc(r->connection->pool, sizeof(*gss_connection));
- if (gss_connection == NULL) {
- log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "ap_pcalloc() failed (not enough memory)");
- ret = HTTP_INTERNAL_SERVER_ERROR;
- goto end;
- }
- memset(gss_connection, 0, sizeof(*gss_connection));
- ap_register_cleanup(r->connection->pool, gss_connection, cleanup_gss_connection, ap_null_cleanup);
- }
-
if (conf->krb_5_keytab) {
char *ktname;
/* we don't use the ap_* calls here, since the string passed to putenv()
putenv(ktname);
}
- if (gss_connection->server_creds == GSS_C_NO_CREDENTIAL) {
- ret = get_gss_creds(r, conf, &gss_connection->server_creds);
- if (ret)
- goto end;
- }
+ ret = get_gss_creds(r, conf, &server_creds);
+ if (ret)
+ goto end;
/* ap_getword() shifts parameter */
auth_param = ap_getword_white(r->pool, &auth_line);
gss_accept_sec_context_spnego : gss_accept_sec_context;
major_status = accept_sec_token(&minor_status,
- &gss_connection->context,
- gss_connection->server_creds,
+ &context,
+ server_creds,
&input_token,
GSS_C_NO_CHANNEL_BINDINGS,
&client_name,
goto end;
}
+#if 0
+ /* This is a _Kerberos_ module so multiple authentication rounds aren't
+ * supported. If we wanted a generic GSS authentication we would have to do
+ * some magic with exporting context etc. */
if (major_status & GSS_S_CONTINUE_NEEDED) {
- /* Some GSSAPI mechanism (eg GSI from Globus) may require multiple
- * iterations to establish authentication */
ret = HTTP_UNAUTHORIZED;
goto end;
}
+#endif
major_status = gss_display_name(&minor_status, client_name, &output_token, NULL);
gss_release_name(&minor_status, &client_name);
if (client_name != GSS_C_NO_NAME)
gss_release_name(&minor_status, &client_name);
- if (! major_status & GSS_S_CONTINUE_NEEDED)
- cleanup_gss_connection(gss_connection);
+ if (server_creds != GSS_C_NO_CREDENTIAL)
+ gss_release_cred(&minor_status, &server_creds);
+
+ if (context != GSS_C_NO_CONTEXT)
+ gss_delete_sec_context(&minor_status, &context, GSS_C_NO_BUFFER);
return ret;
}
/* get the user realm specified in .htaccess */
auth_name = ap_auth_name(r);
- /* XXX should the WWW-Authenticate header be cleared first? */
+ /* XXX should the WWW-Authenticate header be cleared first?
+ * apache in the proxy mode should retain client's authN headers? */
#ifdef KRB5
if (negotiate_ret_value != NULL && conf->krb_method_gssapi) {
negoauth_param = (*negotiate_ret_value == '\0') ? "Negotiate" :
return DECLINED;
/* get what the user sent us in the HTTP header */
- auth_line = MK_TABLE_GET(r->headers_in, "Authorization");
+ auth_line = MK_TABLE_GET(r->headers_in, (r->proxyreq == PROXYREQ_PROXY)
+ ? "Proxy-Authorization"
+ : "Authorization");
if (!auth_line) {
- auth_line = MK_TABLE_GET(r->headers_in, "Proxy-Authorization");
- if (!auth_line) {
- set_kerb_auth_headers(r, conf, use_krb4, use_krb5,
- (use_krb5) ? "\0" : NULL);
- return HTTP_UNAUTHORIZED;
- }
+ set_kerb_auth_headers(r, conf, use_krb4, use_krb5,
+ (use_krb5) ? "\0" : NULL);
+ return HTTP_UNAUTHORIZED;
}
auth_type = ap_getword_white(r->pool, &auth_line);
if (ret == HTTP_UNAUTHORIZED)
set_kerb_auth_headers(r, conf, use_krb4, use_krb5, negotiate_ret_value);
+ /* XXX log_debug: if ret==OK, log(user XY authenticated) */
+
last_return = ret;
return ret;
}
NULL, /* process initialization */
NULL, /* process exit/cleanup */
NULL /* [ 1] post read_request handling */
+#ifdef EAPI
+ ,NULL, /* EAPI: add_module */
+ NULL, /* EAPI: remove_module */
+ NULL, /* EAPI: rewrite_command */
+ NULL /* EAPI: new_connection */
+#endif
};
#else
static int