X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=src%2Fmod_auth_kerb.c;h=0574c5deef8717592f164b4c83a44d44509ee9e1;hb=1d08fb323c60e806bccd7d0820505c15f904894e;hp=a404b1f6e92b574722733818f978c16ecaadead7;hpb=172de5ebb610946ac8a30cd0fc9f2eb00d6437ee;p=mod_auth_kerb.git diff --git a/src/mod_auth_kerb.c b/src/mod_auth_kerb.c index a404b1f..0574c5d 100644 --- a/src/mod_auth_kerb.c +++ b/src/mod_auth_kerb.c @@ -50,7 +50,7 @@ #include #include -#define MODAUTHKERB_VERSION "5.0-rc7" +#define MODAUTHKERB_VERSION "5.3" #define MECH_NEGOTIATE "Negotiate" #define SERVICE_NAME "HTTP" @@ -65,24 +65,19 @@ #ifdef STANDARD20_MODULE_STUFF #include #include - -#define ap_null_cleanup NULL -#define ap_register_cleanup apr_pool_cleanup_register - -#define ap_pstrdup apr_pstrdup -#define ap_pstrcat apr_pstrcat -#define ap_pcalloc apr_pcalloc -#define ap_psprintf apr_psprintf - -#define ap_base64decode_len apr_base64_decode_len -#define ap_base64decode apr_base64_decode -#define ap_base64encode_len apr_base64_encode_len -#define ap_base64encode apr_base64_encode - -#define ap_table_setn apr_table_setn -#define ap_table_add apr_table_add #else -#define ap_pstrchr_c strchr +#define apr_pstrdup ap_pstrdup +#define apr_psprintf ap_psprintf +#define apr_pstrcat ap_pstrcat +#define apr_pcalloc ap_pcalloc +#define apr_table_setn ap_table_setn +#define apr_table_add ap_table_add +#define apr_base64_decode_len ap_base64decode_len +#define apr_base64_decode ap_base64decode +#define apr_base64_encode_len ap_base64encode_len +#define apr_base64_encode ap_base64encode +#define apr_pool_cleanup_null ap_null_cleanup +#define apr_pool_cleanup_register ap_register_cleanup #endif /* STANDARD20_MODULE_STUFF */ #ifdef _WIN32 @@ -100,6 +95,7 @@ # include # define GSS_C_NT_USER_NAME gss_nt_user_name # define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name +# define GSS_KRB5_NT_PRINCIPAL_NAME gss_nt_krb5_name # define krb5_get_err_text(context,code) error_message(code) #endif #ifndef GSSAPI_SUPPORTS_SPNEGO @@ -117,11 +113,18 @@ #include /* gethostbyname() */ #endif /* KRB4 */ -#ifndef _WIN32 -/* should be HAVE_UNISTD_H instead */ +#if HAVE_UNISTD_H #include #endif +#ifndef KRB5_LIB_FUNCTION +# if defined(_WIN32) +# define KRB5_LIB_FUNCTION _stdcall +# else +# define KRB5_LIB_FUNCTION +# endif +#endif + #ifdef STANDARD20_MODULE_STUFF module AP_MODULE_DECLARE_DATA auth_kerb_module; #else @@ -161,6 +164,7 @@ typedef struct { char *krb_5_keytab; int krb_method_gssapi; int krb_method_k5pass; + int krb5_do_auth_to_local; #endif #ifdef KRB4 char *krb_4_srvtab; @@ -168,6 +172,13 @@ typedef struct { #endif } kerb_auth_config; +typedef struct krb5_conn_data { + char *authline; + char *user; + char *mech; + int last_return; +} krb5_conn_data; + static void set_kerb_auth_headers(request_rec *r, const kerb_auth_config *conf, int use_krb4, int use_krb5pwd, char *negotiate_ret_value); @@ -223,6 +234,9 @@ static const command_rec kerb_auth_cmds[] = { command("KrbMethodK5Passwd", ap_set_flag_slot, krb_method_k5pass, FLAG, "Enable Kerberos V5 password authentication."), + + command("KrbLocalUserMapping", ap_set_flag_slot, krb5_do_auth_to_local, + FLAG, "Set to 'on' to have Kerberos do auth_to_local mapping of principal names to system user names."), #endif #ifdef KRB4 @@ -299,7 +313,6 @@ const krb5_rc_ops_internal mod_auth_kerb_rc_ops = { }; #endif - /*************************************************************************** Auth Configuration Initialization ***************************************************************************/ @@ -307,7 +320,7 @@ static void *kerb_dir_create_config(MK_POOL *p, char *d) { kerb_auth_config *rec; - rec = (kerb_auth_config *) ap_pcalloc(p, sizeof(kerb_auth_config)); + rec = (kerb_auth_config *) apr_pcalloc(p, sizeof(kerb_auth_config)); ((kerb_auth_config *)rec)->krb_verify_kdc = 1; ((kerb_auth_config *)rec)->krb_service_name = NULL; ((kerb_auth_config *)rec)->krb_authoritative = 1; @@ -316,6 +329,7 @@ static void *kerb_dir_create_config(MK_POOL *p, char *d) ((kerb_auth_config *)rec)->krb_ssl_preauthentication = 0; #endif #ifdef KRB5 + ((kerb_auth_config *)rec)->krb5_do_auth_to_local = 0; ((kerb_auth_config *)rec)->krb_method_k5pass = 1; ((kerb_auth_config *)rec)->krb_method_gssapi = 1; #endif @@ -329,7 +343,7 @@ static const char* krb5_save_realms(cmd_parms *cmd, void *vsec, const char *arg) { kerb_auth_config *sec = (kerb_auth_config *) vsec; - sec->krb_auth_realms= ap_pstrdup(cmd->pool, arg); + sec->krb_auth_realms= apr_pstrdup(cmd->pool, arg); return NULL; } @@ -357,8 +371,8 @@ log_rerror(const char *file, int line, int level, int status, Username/Password Validation for Krb4 ***************************************************************************/ static int -verify_krb4_user(request_rec *r, char *name, char *instance, char *realm, - char *password, char *linstance, char *srvtab, int krb_verify_kdc) +verify_krb4_user(request_rec *r, const char *name, const char *instance, + const char *realm, const char *password, const char *linstance, const char *srvtab, int krb_verify_kdc) { int ret; char *phost; @@ -406,7 +420,7 @@ verify_krb4_user(request_rec *r, char *name, char *instance, char *realm, return ret; } - ret = krb_rd_req(&ticket, linstance, phost, addr, &authdata, srvtab); + ret = krb_rd_req(&ticket, (char *)linstance, phost, addr, &authdata, (char *)srvtab); if (ret) { log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "Cannot verify krb4 ticket: krb_rd_req() failed: %s", @@ -446,14 +460,7 @@ authenticate_user_krb4pwd(request_rec *r, int all_principals_unkown; sent_pw = ap_pbase64decode(r->pool, auth_line); - sent_name = ap_getword (r->pool, &sent_pw, ':'); - - /* do not allow user to override realm setting of server */ - if (ap_strchr_c(sent_name, '@')) { - log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "specifying realm in user name is prohibited"); - return HTTP_UNAUTHORIZED; - } + sent_name = ap_getword_nulls_nc (r->pool, (char **) &sent_pw, ':'); sent_instance = strchr(sent_name, '.'); if (sent_instance) @@ -468,10 +475,10 @@ authenticate_user_krb4pwd(request_rec *r, return HTTP_INTERNAL_SERVER_ERROR; } - tkt_file_p = ap_pstrdup(r->pool, tkt_file); - ap_register_cleanup(r->pool, tkt_file_p, - krb4_cache_cleanup, ap_null_cleanup); - + tkt_file_p = apr_pstrdup(r->pool, tkt_file); + apr_pool_cleanup_register(r->pool, tkt_file_p, krb4_cache_cleanup, + apr_pool_cleanup_null); + krb_set_tkt_string(tkt_file); all_principals_unkown = 1; @@ -514,14 +521,14 @@ authenticate_user_krb4pwd(request_rec *r, goto end; } - user = ap_pstrdup(r->pool, sent_name); + user = apr_pstrdup(r->pool, sent_name); if (sent_instance) - user = ap_pstrcat(r->pool, user, ".", sent_instance, NULL); - user = ap_pstrcat(r->pool, user, "@", realm, NULL); + user = apr_pstrcat(r->pool, user, ".", sent_instance, NULL); + user = apr_pstrcat(r->pool, user, "@", realm, NULL); MK_USER = user; MK_AUTH_TYPE = "Basic"; - ap_table_setn(r->subprocess_env, "KRBTKFILE", tkt_file_p); + apr_table_setn(r->subprocess_env, "KRBTKFILE", tkt_file_p); if (!conf->krb_save_credentials) krb4_cache_cleanup(tkt_file); @@ -567,7 +574,12 @@ verify_krb5_init_creds(request_rec *r, krb5_context context, krb5_creds *creds, } else keytab = ap_req_keytab; +#ifdef HAVE_KRB5_CC_NEW_UNIQUE + ret = krb5_cc_new_unique(context, "MEMORY", NULL, &local_ccache); +#else ret = krb5_cc_resolve(context, "MEMORY:", &local_ccache); +#endif + if (ret) { log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "krb5_cc_resolve() failed when verifying KDC"); @@ -665,12 +677,15 @@ end: static krb5_error_code verify_krb5_user(request_rec *r, krb5_context context, krb5_principal principal, const char *password, krb5_principal server, - krb5_keytab keytab, int krb_verify_kdc, krb5_ccache *ccache) + krb5_keytab keytab, int krb_verify_kdc, char *krb_service_name, krb5_ccache *ccache) { krb5_creds creds; + krb5_get_init_creds_opt options; krb5_error_code ret; krb5_ccache ret_ccache = NULL; char *name = NULL; + krb5_keytab_entry entry; + krb5_kt_cursor cursor; /* XXX error messages shouldn't be logged here (and in the while() loop in * authenticate_user_krb5pwd() as weell), in order to avoid confusing log @@ -685,9 +700,10 @@ verify_krb5_user(request_rec *r, krb5_context context, krb5_principal principal, free(name); } + krb5_get_init_creds_opt_init(&options); ret = krb5_get_init_creds_password(context, &creds, principal, (char *)password, NULL, - NULL, 0, NULL, NULL); + NULL, 0, NULL, &options); if (ret) { log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "krb5_get_init_creds_password() failed: %s", @@ -706,15 +722,50 @@ verify_krb5_user(request_rec *r, krb5_context context, krb5_principal principal, } */ - if (krb_verify_kdc && + /*if (krb_verify_kdc && (ret = verify_krb5_init_creds(r, context, &creds, server, keytab))) { log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "failed to verify krb5 credentials: %s", krb5_get_err_text(context, ret)); goto end; + }*/ + + if (krb_verify_kdc) { + if (krb_service_name && strcmp(krb_service_name,"Any") == 0) { + ret = krb5_kt_start_seq_get(context, keytab, &cursor); + if(!ret) { + while((krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0){ + if ((ret = verify_krb5_init_creds(r, context, &creds, entry.principal, keytab)) == 0) + break; + } + } + if (ret) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "failed to verify krb5 credentials: %s", + krb5_get_err_text(context, ret)); + krb5_kt_end_seq_get(context, keytab, &cursor); + krb5_kt_close(context, keytab); + goto end; + } + krb5_kt_end_seq_get(context, keytab, &cursor); + krb5_kt_close(context, keytab); + } + else { + if ((ret = verify_krb5_init_creds(r, context, &creds, server, keytab))) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "failed to verify krb5 credentials: %s", + krb5_get_err_text(context, ret)); + goto end; + } + } } +#ifdef HAVE_KRB5_CC_NEW_UNIQUE + ret = krb5_cc_new_unique(context, "MEMORY", NULL, &ret_ccache); +#else ret = krb5_cc_resolve(context, "MEMORY:", &ret_ccache); +#endif + if (ret) { log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "generating new memory ccache failed: %s", @@ -788,7 +839,7 @@ create_krb5_ccache(krb5_context kcontext, int ret; krb5_ccache tmp_ccache = NULL; - ccname = ap_psprintf(r->pool, "FILE:%s/krb5cc_apache_XXXXXX", P_tmpdir); + ccname = apr_psprintf(r->pool, "FILE:%s/krb5cc_apache_XXXXXX", P_tmpdir); fd = mkstemp(ccname + strlen("FILE:")); if (fd < 0) { log_rerror(APLOG_MARK, APLOG_ERR, 0, r, @@ -817,9 +868,9 @@ create_krb5_ccache(krb5_context kcontext, goto end; } - ap_table_setn(r->subprocess_env, "KRB5CCNAME", ccname); - ap_register_cleanup(r->pool, ccname, - krb5_cache_cleanup, ap_null_cleanup); + apr_table_setn(r->subprocess_env, "KRB5CCNAME", ccname); + apr_pool_cleanup_register(r->pool, ccname, krb5_cache_cleanup, + apr_pool_cleanup_null); *ccache = tmp_ccache; tmp_ccache = NULL; @@ -904,7 +955,7 @@ authenticate_user_krb5pwd(request_rec *r, } sent_pw = ap_pbase64decode(r->pool, auth_line); - sent_name = ap_getword (r->pool, &sent_pw, ':'); + sent_name = ap_getword_nulls_nc (r->pool, (char **) &sent_pw, ':'); if (sent_pw == NULL || *sent_pw == '\0') { log_rerror(APLOG_MARK, APLOG_ERR, 0, r, @@ -960,7 +1011,7 @@ authenticate_user_krb5pwd(request_rec *r, do { name = (char *) sent_name; if (realms && (realm = ap_getword_white(r->pool, &realms))) - name = ap_psprintf(r->pool, "%s@%s", sent_name, realm); + name = apr_psprintf(r->pool, "%s@%s", sent_name, realm); if (client) { krb5_free_principal(kcontext, client); @@ -976,7 +1027,7 @@ authenticate_user_krb5pwd(request_rec *r, } code = verify_krb5_user(r, kcontext, client, sent_pw, - server, keytab, conf->krb_verify_kdc, &ccache); + server, keytab, conf->krb_verify_kdc, conf->krb_service_name, &ccache); if (!conf->krb_authoritative && code) { /* if we're not authoritative, we allow authentication to pass on * to another modules if (and only if) the user is not known to us */ @@ -1009,7 +1060,7 @@ authenticate_user_krb5pwd(request_rec *r, ret = HTTP_UNAUTHORIZED; goto end; } - MK_USER = ap_pstrdup (r->pool, name); + MK_USER = apr_pstrdup (r->pool, name); MK_AUTH_TYPE = "Basic"; free(name); @@ -1040,14 +1091,18 @@ end: ********************************************************************/ static const char * -get_gss_error(MK_POOL *p, OM_uint32 err_maj, OM_uint32 err_min, char *prefix) +get_gss_error(request_rec *r, OM_uint32 err_maj, OM_uint32 err_min, char *prefix) { OM_uint32 maj_stat, min_stat; OM_uint32 msg_ctx = 0; gss_buffer_desc status_string; char *err_msg; - err_msg = ap_pstrdup(p, prefix); + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "GSS-API major_status:%8.8x, minor_status:%8.8x", + err_maj, err_min); + + err_msg = apr_pstrdup(r->pool, prefix); do { maj_stat = gss_display_status (&min_stat, err_maj, @@ -1055,11 +1110,16 @@ get_gss_error(MK_POOL *p, OM_uint32 err_maj, OM_uint32 err_min, char *prefix) GSS_C_NO_OID, &msg_ctx, &status_string); - if (GSS_ERROR(maj_stat)) - break; - err_msg = ap_pstrcat(p, err_msg, ": ", (char*) status_string.value, NULL); - gss_release_buffer(&min_stat, &status_string); - + if (!GSS_ERROR(maj_stat)) { + err_msg = apr_pstrcat(r->pool, err_msg, ": ", + (char*) status_string.value, NULL); + gss_release_buffer(&min_stat, &status_string); + } + } while (!GSS_ERROR(maj_stat) && msg_ctx != 0); + + msg_ctx = 0; + err_msg = apr_pstrcat(r->pool, err_msg, " (", NULL); + do { maj_stat = gss_display_status (&min_stat, err_min, GSS_C_MECH_CODE, @@ -1067,11 +1127,12 @@ get_gss_error(MK_POOL *p, OM_uint32 err_maj, OM_uint32 err_min, char *prefix) &msg_ctx, &status_string); if (!GSS_ERROR(maj_stat)) { - err_msg = ap_pstrcat(p, err_msg, - " (", (char*) status_string.value, ")", NULL); + err_msg = apr_pstrcat(r->pool, err_msg, ", ", + (char *) status_string.value, NULL); gss_release_buffer(&min_stat, &status_string); } } while (!GSS_ERROR(maj_stat) && msg_ctx != 0); + err_msg = apr_pstrcat(r->pool, err_msg, ")", NULL); return err_msg; } @@ -1111,7 +1172,7 @@ store_gss_creds(request_rec *r, kerb_auth_config *conf, char *princ_name, if (GSS_ERROR(maj_stat)) { log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "Cannot store delegated credential (%s)", - get_gss_error(r->pool, maj_stat, min_stat, "gss_krb5_copy_ccache")); + get_gss_error(r, maj_stat, min_stat, "gss_krb5_copy_ccache")); goto end; } @@ -1139,16 +1200,14 @@ get_gss_creds(request_rec *r, char buf[1024]; int have_server_princ; -#ifndef HEIMDAL - /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later. - 1.3.x are covered by the hack overiding the replay calls */ - if (getenv("KRB5RCACHETYPE") == NULL) - putenv("KRB5RCACHETYPE=none"); -#endif have_server_princ = conf->krb_service_name && strchr(conf->krb_service_name, '/') != NULL; if (have_server_princ) strncpy(buf, conf->krb_service_name, sizeof(buf)); + else if (conf->krb_service_name && strcmp(conf->krb_service_name,"Any") == 0) { + *server_creds = GSS_C_NO_CREDENTIAL; + return 0; + } else snprintf(buf, sizeof(buf), "%s@%s", (conf->krb_service_name) ? conf->krb_service_name : SERVICE_NAME, @@ -1163,7 +1222,7 @@ get_gss_creds(request_rec *r, memset(&token, 0, sizeof(token)); if (GSS_ERROR(major_status)) { log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "%s", get_gss_error(r->pool, major_status, minor_status, + "%s", get_gss_error(r, major_status, minor_status, "gss_import_name() failed")); return HTTP_INTERNAL_SERVER_ERROR; } @@ -1173,7 +1232,7 @@ get_gss_creds(request_rec *r, /* Perhaps we could just ignore this error but it's safer to give up now, I think */ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "%s", get_gss_error(r->pool, major_status, minor_status, + "%s", get_gss_error(r, major_status, minor_status, "gss_display_name() failed")); return HTTP_INTERNAL_SERVER_ERROR; } @@ -1188,7 +1247,7 @@ get_gss_creds(request_rec *r, gss_release_name(&minor_status2, &server_name); if (GSS_ERROR(major_status)) { log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "%s", get_gss_error(r->pool, major_status, minor_status, + "%s", get_gss_error(r, major_status, minor_status, "gss_acquire_cred() failed")); return HTTP_INTERNAL_SERVER_ERROR; } @@ -1267,6 +1326,7 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf, gss_OID_desc spnego_oid; gss_ctx_id_t context = GSS_C_NO_CONTEXT; gss_cred_id_t server_creds = GSS_C_NO_CREDENTIAL; + OM_uint32 ret_flags = 0; *negotiate_ret_value = "\0"; @@ -1305,15 +1365,15 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf, goto end; } - input_token.length = ap_base64decode_len(auth_param) + 1; - input_token.value = ap_pcalloc(r->connection->pool, input_token.length); + input_token.length = apr_base64_decode_len(auth_param) + 1; + input_token.value = apr_pcalloc(r->connection->pool, input_token.length); if (input_token.value == NULL) { log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "ap_pcalloc() failed (not enough memory)"); ret = HTTP_INTERNAL_SERVER_ERROR; goto end; } - input_token.length = ap_base64decode(input_token.value, auth_param); + input_token.length = apr_base64_decode(input_token.value, auth_param); #ifdef GSSAPI_SUPPORTS_SPNEGO accept_sec_token = gss_accept_sec_context; @@ -1335,17 +1395,18 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf, &client_name, NULL, &output_token, - NULL, + &ret_flags, NULL, &delegated_cred); log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, - "Verification returned code %d", major_status); + "Client %s us their credential", + (ret_flags & GSS_C_DELEG_FLAG) ? "sent" : "didn't send"); if (output_token.length) { char *token = NULL; size_t len; - len = ap_base64encode_len(output_token.length) + 1; - token = ap_pcalloc(r->connection->pool, len + 1); + len = apr_base64_encode_len(output_token.length) + 1; + token = apr_pcalloc(r->connection->pool, len + 1); if (token == NULL) { log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "ap_pcalloc() failed (not enough memory)"); @@ -1353,7 +1414,7 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf, gss_release_buffer(&minor_status2, &output_token); goto end; } - ap_base64encode(token, output_token.value, output_token.length); + apr_base64_encode(token, output_token.value, output_token.length); token[len] = '\0'; *negotiate_ret_value = token; log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, @@ -1369,7 +1430,7 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf, "Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration."); log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "%s", get_gss_error(r->pool, major_status, minor_status, + "%s", get_gss_error(r, major_status, minor_status, "gss_accept_sec_context() failed")); /* Don't offer the Negotiate method again if call to GSS layer failed */ *negotiate_ret_value = NULL; @@ -1391,18 +1452,18 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf, gss_release_name(&minor_status, &client_name); if (GSS_ERROR(major_status)) { log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "%s", get_gss_error(r->pool, major_status, minor_status, - "gss_export_name() failed")); + "%s", get_gss_error(r, major_status, minor_status, + "gss_display_name() failed")); ret = HTTP_INTERNAL_SERVER_ERROR; goto end; } MK_AUTH_TYPE = MECH_NEGOTIATE; - MK_USER = ap_pstrdup(r->pool, output_token.value); + MK_USER = apr_pstrdup(r->pool, output_token.value); if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL) store_gss_creds(r, conf, (char *)output_token.value, delegated_cred); - + gss_release_buffer(&minor_status, &output_token); ret = OK; @@ -1425,17 +1486,88 @@ end: return ret; } -#endif /* KRB5 */ static int -already_succeeded(request_rec *r) +do_krb5_an_to_ln(request_rec *r) { + krb5_error_code code; + int ret = HTTP_INTERNAL_SERVER_ERROR; + char *MK_USER_LNAME = NULL; + krb5_context kcontext = NULL; + krb5_principal client = NULL; + + code = krb5_init_context(&kcontext); + if (code) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Cannot initialize Kerberos5 context (%d)", code); + goto end; + } + + code = krb5_parse_name(kcontext, MK_USER, &client); + if (code) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "krb5_parse_name() failed: %s", + krb5_get_err_text(kcontext, code)); + goto end; + } + MK_USER_LNAME = apr_pcalloc(r->pool, strlen(MK_USER)+1); + if (MK_USER_LNAME == NULL) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "ap_pcalloc() failed (not enough memory)"); + goto end; + } + code = krb5_aname_to_localname(kcontext, client, strlen(MK_USER), MK_USER_LNAME); + if (code) { + if (code != KRB5_LNAME_NOTRANS) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "krb5_aname_to_localname() failed: %s", + krb5_get_err_text(kcontext, code)); + + } + else { + log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r, + "krb5_aname_to_localname() found no " + "mapping for principal %s", + MK_USER); + } + } + else { + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "kerb_authenticate_a_name_to_local_name %s -> %s", + (MK_USER)?MK_USER:"(NULL)", (MK_USER_LNAME)?MK_USER_LNAME:"(NULL)"); + MK_USER = apr_pstrdup(r->pool, MK_USER_LNAME); + ret = OK; + } + end: + if (client) + krb5_free_principal(kcontext, client); + if (kcontext) + krb5_free_context(kcontext); + return ret; +} + + +#endif /* KRB5 */ + +static krb5_conn_data * +already_succeeded(request_rec *r, char *auth_line) { - if (ap_is_initial_req(r) || MK_AUTH_TYPE == NULL) - return 0; - if (strcmp(MK_AUTH_TYPE, MECH_NEGOTIATE) || - (strcmp(MK_AUTH_TYPE, "Basic") && strchr(MK_USER, '@'))) - return 1; - return 0; + krb5_conn_data *conn_data; + const char keyname[1024]; + + snprintf(keyname, sizeof(keyname) - 1, + "mod_auth_kerb::connection::%s::%ld", r->connection->remote_ip, + r->connection->id); + + if (apr_pool_userdata_get(&conn_data, keyname, r->connection->pool) != 0) + return NULL; + + if(conn_data) { + if(strcmp(conn_data->authline, auth_line) == 0) { + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "matched previous auth request"); + return conn_data; + } + } + return NULL; } static void @@ -1456,12 +1588,12 @@ set_kerb_auth_headers(request_rec *r, const kerb_auth_config *conf, #ifdef KRB5 if (negotiate_ret_value != NULL && conf->krb_method_gssapi) { negoauth_param = (*negotiate_ret_value == '\0') ? MECH_NEGOTIATE : - ap_pstrcat(r->pool, MECH_NEGOTIATE " ", negotiate_ret_value, NULL); - ap_table_add(r->err_headers_out, header_name, negoauth_param); + apr_pstrcat(r->pool, MECH_NEGOTIATE " ", negotiate_ret_value, NULL); + apr_table_add(r->err_headers_out, header_name, negoauth_param); } if ((use_krb5pwd && conf->krb_method_k5pass) || conf->krb_delegate_basic) { - ap_table_add(r->err_headers_out, header_name, - ap_pstrcat(r->pool, "Basic realm=\"", auth_name, "\"", NULL)); + apr_table_add(r->err_headers_out, header_name, + apr_pstrcat(r->pool, "Basic realm=\"", auth_name, "\"", NULL)); set_basic = 1; } #endif @@ -1469,8 +1601,8 @@ set_kerb_auth_headers(request_rec *r, const kerb_auth_config *conf, #ifdef KRB4 if (!set_basic && ((use_krb4 && conf->krb_method_k4pass) || conf->krb_delegate_basic)) - ap_table_add(r->err_headers_out, header_name, - ap_pstrcat(r->pool, "Basic realm=\"", auth_name, "\"", NULL)); + apr_table_add(r->err_headers_out, header_name, + apr_pstrcat(r->pool, "Basic realm=\"", auth_name, "\"", NULL)); #endif } @@ -1480,6 +1612,7 @@ kerb_authenticate_user(request_rec *r) kerb_auth_config *conf = (kerb_auth_config *) ap_get_module_config(r->per_dir_config, &auth_kerb_module); + krb5_conn_data *prevauth = NULL; const char *auth_type = NULL; const char *auth_line = NULL; const char *type = NULL; @@ -1487,6 +1620,7 @@ kerb_authenticate_user(request_rec *r) int ret; static int last_return = HTTP_UNAUTHORIZED; char *negotiate_ret_value = NULL; + char keyname[1024]; /* get the type specified in .htaccess */ type = ap_auth_type(r); @@ -1536,10 +1670,8 @@ kerb_authenticate_user(request_rec *r) (strcasecmp(auth_type, "Basic") == 0)) return DECLINED; - if (already_succeeded(r)) - return last_return; - - ret = HTTP_UNAUTHORIZED; + if ( (prevauth = already_succeeded(r, auth_line)) == NULL) { + ret = HTTP_UNAUTHORIZED; #ifdef KRB5 if (use_krb5 && conf->krb_method_gssapi && @@ -1560,20 +1692,76 @@ kerb_authenticate_user(request_rec *r) if (ret == HTTP_UNAUTHORIZED) set_kerb_auth_headers(r, conf, use_krb4, use_krb5, negotiate_ret_value); + } else { + ret = prevauth->last_return; + MK_USER = prevauth->user; + MK_AUTH_TYPE = prevauth->mech; + } + + /* + * save who was auth'd, if it's not already stashed. + */ + if(!prevauth) { + prevauth = (krb5_conn_data *) apr_pcalloc(r->connection->pool, sizeof(krb5_conn_data)); + prevauth->user = apr_pstrdup(r->connection->pool, MK_USER); + prevauth->authline = apr_pstrdup(r->connection->pool, auth_line); + prevauth->mech = apr_pstrdup(r->connection->pool, auth_type); + prevauth->last_return = ret; + snprintf(keyname, sizeof(keyname) - 1, + "mod_auth_kerb::connection::%s::%ld", + r->connection->remote_ip, r->connection->id); + apr_pool_userdata_set(prevauth, keyname, NULL, r->connection->pool); + } + + if (ret == OK && conf->krb5_do_auth_to_local) + ret = do_krb5_an_to_ln(r); + /* XXX log_debug: if ret==OK, log(user XY authenticated) */ last_return = ret; return ret; } +int +have_rcache_type(const char *type) +{ + krb5_error_code ret; + krb5_context context; + krb5_rcache id = NULL; + int found; + + ret = krb5_init_context(&context); + if (ret) + return 0; + + ret = krb5_rc_resolve_full(context, &id, "none:"); + found = (ret == 0); + + if (ret == 0) + krb5_rc_destroy(context, id); + krb5_free_context(context); + + return found; +} /*************************************************************************** Module Setup/Configuration ***************************************************************************/ #ifndef STANDARD20_MODULE_STUFF +static void +kerb_module_init(server_rec *dummy, pool *p) +{ +#ifndef HEIMDAL + /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later. + 1.3.x are covered by the hack overiding the replay calls */ + if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none")) + putenv(strdup("KRB5RCACHETYPE=none")); +#endif +} + module MODULE_VAR_EXPORT auth_kerb_module = { STANDARD_MODULE_STUFF, - NULL, /* module initializer */ + kerb_module_init, /* module initializer */ kerb_dir_create_config, /* per-directory config creator */ NULL, /* per-directory config merger */ NULL, /* per-server config creator */ @@ -1604,6 +1792,13 @@ kerb_init_handler(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s) { ap_add_version_component(p, "mod_auth_kerb/" MODAUTHKERB_VERSION); +#ifndef HEIMDAL + /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later. + 1.3.x are covered by the hack overiding the replay calls */ + if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none")) + putenv(strdup("KRB5RCACHETYPE=none")); +#endif + return OK; }