*/
/*
- * Copyright (c) 2004-2005 Masarykova universita
+ * Copyright (c) 2004-2006 Masarykova universita
* (Masaryk University, Brno, Czech Republic)
* All rights reserved.
*
#include <stdio.h>
#include <stdarg.h>
-#define MODAUTHKERB_VERSION "5.0-rc6"
+#define MODAUTHKERB_VERSION "5.0-rc7"
#define MECH_NEGOTIATE "Negotiate"
#define SERVICE_NAME "HTTP"
const char *krb_service_name;
int krb_authoritative;
int krb_delegate_basic;
-#ifdef 0
+#if 0
int krb_ssl_preauthentication;
#endif
#ifdef KRB5
command("KrbDelegateBasic", ap_set_flag_slot, krb_delegate_basic,
FLAG, "Always offer Basic authentication regardless of KrbMethodK5Pass and pass on authentication to lower modules if Basic headers arrive."),
-#ifdef 0
+#if 0
command("KrbEnableSSLPreauthentication", ap_set_flag_slot, krb_ssl_preauthentication,
FLAG, "Don't do Kerberos authentication if the user is already authenticated using SSL and her client certificate."),
#endif
char buf[1024];
int have_server_princ;
+#ifndef HEIMDAL
+ /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later.
+ 1.3.x are covered by the hack overiding the replay calls */
+ if (getenv("KRB5RCACHETYPE") == NULL)
+ putenv("KRB5RCACHETYPE=none");
+#endif
+
have_server_princ = conf->krb_service_name && strchr(conf->krb_service_name, '/') != NULL;
if (have_server_princ)
strncpy(buf, conf->krb_service_name, sizeof(buf));
{
krb5_gss_cred_id_t gss_creds = (krb5_gss_cred_id_t) *server_creds;
- if (gss_creds && gss_creds->rcache && gss_creds->rcache->ops &&
- gss_creds->rcache->ops->type &&
- memcmp(gss_creds->rcache->ops->type, "dfl", 3) == 0)
+ /* First we try to verify we are linked with 1.3.x to prevent from
+ crashing when linked with 1.4.x */
+ if (gss_creds && (gss_creds->usage == GSS_C_ACCEPT)) {
+ if (gss_creds->rcache && gss_creds->rcache->ops &&
+ gss_creds->rcache->ops->type &&
+ memcmp(gss_creds->rcache->ops->type, "dfl", 3) == 0)
/* Override the rcache operations */
gss_creds->rcache->ops = &mod_auth_kerb_rc_ops;
+ }
}
#endif