X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=src%2Fmod_auth_kerb.c;h=312a8bd69657782410c84b7d9b9610a71d736434;hb=a9e74ac42d086351d0ea5656298e69e950c82b59;hp=4b5505db8eaf280f268189ea4cbe9f1ee57d0861;hpb=2328e8b0a455031fe162129afa7d782836004c92;p=mod_auth_kerb.cvs%2F.git

diff --git a/src/mod_auth_kerb.c b/src/mod_auth_kerb.c
index 4b5505d..312a8bd 100644
--- a/src/mod_auth_kerb.c
+++ b/src/mod_auth_kerb.c
@@ -11,7 +11,7 @@
  */
 
 /*
- * Copyright (c) 2004-2005 Masarykova universita
+ * Copyright (c) 2004-2006 Masarykova universita
  * (Masaryk University, Brno, Czech Republic)
  * All rights reserved.
  *
@@ -50,8 +50,10 @@
 #include <stdio.h>
 #include <stdarg.h>
 
-#define MODAUTHKERB_VERSION "5.0-rc6"
+#define MODAUTHKERB_VERSION "5.1"
+
 #define MECH_NEGOTIATE "Negotiate"
+#define SERVICE_NAME "HTTP"
 
 #include <httpd.h>
 #include <http_config.h>
@@ -61,9 +63,26 @@
 #include <http_request.h>
 
 #ifdef STANDARD20_MODULE_STUFF
-#include <ap_compat.h>
 #include <apr_strings.h>
 #include <apr_base64.h>
+#else
+#define apr_pstrdup		ap_pstrdup
+#define apr_psprintf		ap_psprintf
+#define apr_pstrcat		ap_pstrcat
+#define apr_pcalloc		ap_pcalloc
+#define apr_table_setn		ap_table_setn
+#define apr_table_add		ap_table_add
+#define apr_base64_decode_len	ap_base64decode_len
+#define apr_base64_decode	ap_base64decode
+#define apr_base64_encode_len	ap_base64encode_len
+#define apr_base64_encode	ap_base64encode
+#define apr_pool_cleanup_null	ap_null_cleanup
+#define apr_pool_cleanup_register	ap_register_cleanup
+#endif /* STANDARD20_MODULE_STUFF */
+
+#ifdef _WIN32
+#define vsnprintf _vsnprintf
+#define snprintf _snprintf
 #endif
 
 #ifdef KRB5
@@ -76,9 +95,12 @@
 #  include <gssapi/gssapi_krb5.h>
 #  define GSS_C_NT_USER_NAME gss_nt_user_name
 #  define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
+#  define GSS_KRB5_NT_PRINCIPAL_NAME gss_nt_krb5_name
 #  define krb5_get_err_text(context,code) error_message(code)
 #endif
-#include "spnegokrb5.h"
+#ifndef GSSAPI_SUPPORTS_SPNEGO
+#  include "spnegokrb5.h"
+#endif
 #endif /* KRB5 */
 
 #ifdef KRB4
@@ -91,11 +113,8 @@
 #include <netdb.h> /* gethostbyname() */
 #endif /* KRB4 */
 
-#ifdef WIN32
-#define vsnprintf _vsnprintf
-#define snprintf _snprintf
-#else
-/* XXX remove dependency on unistd.h ??? */
+#ifndef _WIN32
+/* should be HAVE_UNISTD_H instead */
 #include <unistd.h>
 #endif
 
@@ -128,9 +147,12 @@ typedef struct {
 	char *krb_auth_realms;
 	int krb_save_credentials;
 	int krb_verify_kdc;
-	char *krb_service_name;
+	const char *krb_service_name;
 	int krb_authoritative;
 	int krb_delegate_basic;
+#if 0
+	int krb_ssl_preauthentication;
+#endif
 #ifdef KRB5
 	char *krb_5_keytab;
 	int krb_method_gssapi;
@@ -147,12 +169,12 @@ set_kerb_auth_headers(request_rec *r, const kerb_auth_config *conf,
                       int use_krb4, int use_krb5pwd, char *negotiate_ret_value);
 
 static const char*
-krb5_save_realms(cmd_parms *cmd, kerb_auth_config *sec, const char *arg);
+krb5_save_realms(cmd_parms *cmd, void *sec, const char *arg);
 
 #ifdef STANDARD20_MODULE_STUFF
 #define command(name, func, var, type, usage)           \
   AP_INIT_ ## type (name, (void*) func,                 \
-        (void*)APR_XtOffsetOf(kerb_auth_config, var),   \
+        (void*)APR_OFFSETOF(kerb_auth_config, var),     \
         OR_AUTHCFG | RSRC_CONF, usage)
 #else
 #define command(name, func, var, type, usage) 		\
@@ -175,7 +197,7 @@ static const command_rec kerb_auth_cmds[] = {
      FLAG, "Verify tickets against keytab to prevent KDC spoofing attacks."),
 
    command("KrbServiceName", ap_set_string_slot, krb_service_name,
-     TAKE1, "Service name to be used by Apache for authentication."),
+     TAKE1, "Full or partial service name to be used by Apache for authentication."),
 
    command("KrbAuthoritative", ap_set_flag_slot, krb_authoritative,
      FLAG, "Set to 'off' to allow access control to be passed along to lower modules iff the UserID is not known to this module."),
@@ -183,6 +205,11 @@ static const command_rec kerb_auth_cmds[] = {
    command("KrbDelegateBasic", ap_set_flag_slot, krb_delegate_basic,
      FLAG, "Always offer Basic authentication regardless of KrbMethodK5Pass and pass on authentication to lower modules if Basic headers arrive."),
 
+#if 0
+   command("KrbEnableSSLPreauthentication", ap_set_flag_slot, krb_ssl_preauthentication,
+     FLAG, "Don't do Kerberos authentication if the user is already authenticated using SSL and her client certificate."),
+#endif
+
 #ifdef KRB5
    command("Krb5Keytab", ap_set_file_slot, krb_5_keytab,
      TAKE1, "Location of Kerberos V5 keytab file."),
@@ -205,7 +232,7 @@ static const command_rec kerb_auth_cmds[] = {
    { NULL }
 };
 
-#ifdef WIN32
+#ifdef _WIN32
 int
 mkstemp(char *template)
 {
@@ -245,7 +272,7 @@ mkstemp(char *template)
 #include "mit-internals.h"
 
 /* This is our replacement krb5_rc_store function */
-static krb5_error_code
+static krb5_error_code KRB5_LIB_FUNCTION
 mod_auth_kerb_rc_store(krb5_context context, krb5_rcache rcache,
                        krb5_donot_replay_internal *donot_replay)
 {
@@ -276,11 +303,14 @@ static void *kerb_dir_create_config(MK_POOL *p, char *d)
 {
 	kerb_auth_config *rec;
 
-	rec = (kerb_auth_config *) ap_pcalloc(p, sizeof(kerb_auth_config));
+	rec = (kerb_auth_config *) apr_pcalloc(p, sizeof(kerb_auth_config));
         ((kerb_auth_config *)rec)->krb_verify_kdc = 1;
-	((kerb_auth_config *)rec)->krb_service_name = "HTTP";
+	((kerb_auth_config *)rec)->krb_service_name = NULL;
 	((kerb_auth_config *)rec)->krb_authoritative = 1;
 	((kerb_auth_config *)rec)->krb_delegate_basic = 0;
+#if 0
+	((kerb_auth_config *)rec)->krb_ssl_preauthentication = 0;
+#endif
 #ifdef KRB5
 	((kerb_auth_config *)rec)->krb_method_k5pass = 1;
 	((kerb_auth_config *)rec)->krb_method_gssapi = 1;
@@ -292,14 +322,16 @@ static void *kerb_dir_create_config(MK_POOL *p, char *d)
 }
 
 static const char*
-krb5_save_realms(cmd_parms *cmd, kerb_auth_config *sec, const char *arg)
+krb5_save_realms(cmd_parms *cmd, void *vsec, const char *arg)
 {
-   sec->krb_auth_realms= ap_pstrdup(cmd->pool, arg);
+   kerb_auth_config *sec = (kerb_auth_config *) vsec;
+   sec->krb_auth_realms= apr_pstrdup(cmd->pool, arg);
    return NULL;
 }
 
-void log_rerror(const char *file, int line, int level, int status,
-                const request_rec *r, const char *fmt, ...)
+static void
+log_rerror(const char *file, int line, int level, int status,
+           const request_rec *r, const char *fmt, ...)
 {
    char errstr[1024];
    va_list ap;
@@ -413,7 +445,7 @@ authenticate_user_krb4pwd(request_rec *r,
    sent_name = ap_getword (r->pool, &sent_pw, ':');
 
    /* do not allow user to override realm setting of server */
-   if (strchr(sent_name, '@')) {
+   if (ap_strchr_c(sent_name, '@')) {
       log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
 	         "specifying realm in user name is prohibited");
       return HTTP_UNAUTHORIZED;
@@ -453,6 +485,7 @@ authenticate_user_krb4pwd(request_rec *r,
 	 realm = lrealm;
       }
 
+      /* XXX conf->krb_service_name */
       ret = verify_krb4_user(r, (char *)sent_name, 
 	                     (sent_instance) ? sent_instance : "",
 	    		     (char *)realm, (char *)sent_pw,
@@ -627,11 +660,10 @@ end:
 /* Inspired by krb5_verify_user from Heimdal */
 static krb5_error_code
 verify_krb5_user(request_rec *r, krb5_context context, krb5_principal principal,
-      		 const char *password, const char *service, krb5_keytab keytab,
-		 int krb_verify_kdc, krb5_ccache *ccache)
+      		 const char *password, krb5_principal server,
+		 krb5_keytab keytab, int krb_verify_kdc, krb5_ccache *ccache)
 {
    krb5_creds creds;
-   krb5_principal server = NULL;
    krb5_error_code ret;
    krb5_ccache ret_ccache = NULL;
    char *name = NULL;
@@ -659,16 +691,6 @@ verify_krb5_user(request_rec *r, krb5_context context, krb5_principal principal,
       goto end;
    }
 
-   ret = krb5_sname_to_principal(context, ap_get_server_name(r), service, 
-	 			 KRB5_NT_SRV_HST, &server);
-   if (ret) {
-      log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-	         "krb5_sname_to_principal() failed: %s",
-		 krb5_get_err_text(context, ret));
-      goto end;
-   }
-   /* XXX log_debug: lookig for <server_princ> in keytab */
-
    /* XXX
    {
       char *realm;
@@ -716,8 +738,6 @@ verify_krb5_user(request_rec *r, krb5_context context, krb5_principal principal,
 
 end:
    krb5_free_cred_contents(context, &creds);
-   if (server)
-      krb5_free_principal(context, server);
    if (ret_ccache)
       krb5_cc_destroy(context, ret_ccache);
 
@@ -764,7 +784,7 @@ create_krb5_ccache(krb5_context kcontext,
    int ret;
    krb5_ccache tmp_ccache = NULL;
 
-   ccname = ap_psprintf(r->pool, "FILE:%s/krb5cc_apache_XXXXXX", P_tmpdir);
+   ccname = apr_psprintf(r->pool, "FILE:%s/krb5cc_apache_XXXXXX", P_tmpdir);
    fd = mkstemp(ccname + strlen("FILE:"));
    if (fd < 0) {
       log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
@@ -793,9 +813,9 @@ create_krb5_ccache(krb5_context kcontext,
       goto end;
    }
 
-   ap_table_setn(r->subprocess_env, "KRB5CCNAME", ccname);
-   ap_register_cleanup(r->pool, ccname,
-		       krb5_cache_cleanup, ap_null_cleanup);
+   apr_table_setn(r->subprocess_env, "KRB5CCNAME", ccname);
+   apr_pool_cleanup_register(r->pool, ccname, krb5_cache_cleanup,
+	 		     apr_pool_cleanup_null);
 
    *ccache = tmp_ccache;
    tmp_ccache = NULL;
@@ -852,9 +872,10 @@ store_krb5_creds(krb5_context kcontext,
 }
 
 
-int authenticate_user_krb5pwd(request_rec *r,
-	                      kerb_auth_config *conf,
-			      const char *auth_line)
+static int
+authenticate_user_krb5pwd(request_rec *r,
+                          kerb_auth_config *conf,
+                          const char *auth_line)
 {
    const char      *sent_pw = NULL; 
    const char      *sent_name = NULL;
@@ -863,6 +884,7 @@ int authenticate_user_krb5pwd(request_rec *r,
    krb5_context    kcontext = NULL;
    krb5_error_code code;
    krb5_principal  client = NULL;
+   krb5_principal  server = NULL;
    krb5_ccache     ccache = NULL;
    krb5_keytab     keytab = NULL;
    int             ret;
@@ -890,6 +912,34 @@ int authenticate_user_krb5pwd(request_rec *r,
    if (conf->krb_5_keytab)
       krb5_kt_resolve(kcontext, conf->krb_5_keytab, &keytab);
 
+   if (conf->krb_service_name && strchr(conf->krb_service_name, '/') != NULL)
+      ret = krb5_parse_name (kcontext, conf->krb_service_name, &server);
+   else
+      ret = krb5_sname_to_principal(kcontext, ap_get_server_name(r),
+	    			    (conf->krb_service_name) ? conf->krb_service_name : SERVICE_NAME,
+				    KRB5_NT_SRV_HST, &server);
+
+   if (ret) {
+      log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+	         "Error parsing server name (%s): %s",
+		 (conf->krb_service_name) ? conf->krb_service_name : SERVICE_NAME,
+		 krb5_get_err_text(kcontext, ret));
+      ret = HTTP_UNAUTHORIZED;
+      goto end;
+   }
+
+   code = krb5_unparse_name(kcontext, server, &name);
+   if (code) {
+      log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+	         "krb5_unparse_name() failed: %s",
+		 krb5_get_err_text(kcontext, code));
+      ret = HTTP_UNAUTHORIZED;
+      goto end;
+   }
+   log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Using %s as server principal for password verification", name);
+   free(name);
+   name = NULL;
+
    p = strchr(sent_name, '@');
    if (p) {
       *p++ = '\0';
@@ -906,7 +956,7 @@ int authenticate_user_krb5pwd(request_rec *r,
    do {
       name = (char *) sent_name;
       if (realms && (realm = ap_getword_white(r->pool, &realms)))
-	 name = ap_psprintf(r->pool, "%s@%s", sent_name, realm);
+	 name = apr_psprintf(r->pool, "%s@%s", sent_name, realm);
 
       if (client) {
 	 krb5_free_principal(kcontext, client);
@@ -921,9 +971,8 @@ int authenticate_user_krb5pwd(request_rec *r,
 	 continue;
       }
 
-      code = verify_krb5_user(r, kcontext, client, sent_pw, 
-	    		      conf->krb_service_name, 
-	    		      keytab, conf->krb_verify_kdc, &ccache);
+      code = verify_krb5_user(r, kcontext, client, sent_pw,
+	    		      server, keytab, conf->krb_verify_kdc, &ccache);
       if (!conf->krb_authoritative && code) {
 	 /* if we're not authoritative, we allow authentication to pass on
 	  * to another modules if (and only if) the user is not known to us */
@@ -956,7 +1005,7 @@ int authenticate_user_krb5pwd(request_rec *r,
       ret = HTTP_UNAUTHORIZED;
       goto end;
    }
-   MK_USER = ap_pstrdup (r->pool, name);
+   MK_USER = apr_pstrdup (r->pool, name);
    MK_AUTH_TYPE = "Basic";
    free(name);
 
@@ -971,6 +1020,8 @@ end:
 	      ret, (MK_USER)?MK_USER:"(NULL)", (MK_AUTH_TYPE)?MK_AUTH_TYPE:"(NULL)");
    if (client)
       krb5_free_principal(kcontext, client);
+   if (server)
+      krb5_free_principal(kcontext, server);
    if (ccache)
       krb5_cc_destroy(kcontext, ccache);
    if (keytab)
@@ -992,7 +1043,7 @@ get_gss_error(MK_POOL *p, OM_uint32 err_maj, OM_uint32 err_min, char *prefix)
    gss_buffer_desc status_string;
    char *err_msg;
 
-   err_msg = ap_pstrdup(p, prefix);
+   err_msg = apr_pstrdup(p, prefix);
    do {
       maj_stat = gss_display_status (&min_stat,
 	                             err_maj,
@@ -1002,7 +1053,7 @@ get_gss_error(MK_POOL *p, OM_uint32 err_maj, OM_uint32 err_min, char *prefix)
 				     &status_string);
       if (GSS_ERROR(maj_stat))
 	 break;
-      err_msg = ap_pstrcat(p, err_msg, ": ", (char*) status_string.value, NULL);
+      err_msg = apr_pstrcat(p, err_msg, ": ", (char*) status_string.value, NULL);
       gss_release_buffer(&min_stat, &status_string);
       
       maj_stat = gss_display_status (&min_stat,
@@ -1012,7 +1063,7 @@ get_gss_error(MK_POOL *p, OM_uint32 err_maj, OM_uint32 err_min, char *prefix)
 				     &msg_ctx,
 				     &status_string);
       if (!GSS_ERROR(maj_stat)) {
-	 err_msg = ap_pstrcat(p, err_msg,
+	 err_msg = apr_pstrcat(p, err_msg,
 	                      " (", (char*) status_string.value, ")", NULL);
 	 gss_release_buffer(&min_stat, &status_string);
       }
@@ -1082,15 +1133,22 @@ get_gss_creds(request_rec *r,
    OM_uint32 major_status, minor_status, minor_status2;
    gss_name_t server_name = GSS_C_NO_NAME;
    char buf[1024];
+   int have_server_princ;
+
 
-   snprintf(buf, sizeof(buf), "%s@%s", conf->krb_service_name,
-	    ap_get_server_name(r));
+   have_server_princ = conf->krb_service_name && strchr(conf->krb_service_name, '/') != NULL;
+   if (have_server_princ)
+      strncpy(buf, conf->krb_service_name, sizeof(buf));
+   else
+      snprintf(buf, sizeof(buf), "%s@%s",
+	       (conf->krb_service_name) ? conf->krb_service_name : SERVICE_NAME,
+	       ap_get_server_name(r));
 
    token.value = buf;
    token.length = strlen(buf) + 1;
 
    major_status = gss_import_name(&minor_status, &token,
-	 			  GSS_C_NT_HOSTBASED_SERVICE,
+	 			  (have_server_princ) ? GSS_KRB5_NT_PRINCIPAL_NAME : GSS_C_NT_HOSTBASED_SERVICE,
 				  &server_name);
    memset(&token, 0, sizeof(token));
    if (GSS_ERROR(major_status)) {
@@ -1138,11 +1196,15 @@ get_gss_creds(request_rec *r,
    {
       krb5_gss_cred_id_t gss_creds = (krb5_gss_cred_id_t) *server_creds;
 
-      if (gss_creds && gss_creds->rcache && gss_creds->rcache->ops &&
-	  gss_creds->rcache->ops->type &&  
-	  memcmp(gss_creds->rcache->ops->type, "dfl", 3) == 0)
+      /* First we try to verify we are linked with 1.3.x to prevent from
+         crashing when linked with 1.4.x */
+      if (gss_creds && (gss_creds->usage == GSS_C_ACCEPT)) {
+	 if (gss_creds->rcache && gss_creds->rcache->ops &&
+	     gss_creds->rcache->ops->type &&  
+	     memcmp(gss_creds->rcache->ops->type, "dfl", 3) == 0)
           /* Override the rcache operations */
 	 gss_creds->rcache->ops = &mod_auth_kerb_rc_ops;
+      }
    }
 #endif
    
@@ -1187,8 +1249,8 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
   int ret;
   gss_name_t client_name = GSS_C_NO_NAME;
   gss_cred_id_t delegated_cred = GSS_C_NO_CREDENTIAL;
-  OM_uint32 
-     (*accept_sec_token)(OM_uint32 *, gss_ctx_id_t *, const gss_cred_id_t,
+  OM_uint32 (KRB5_LIB_FUNCTION *accept_sec_token)
+     			 (OM_uint32 *, gss_ctx_id_t *, const gss_cred_id_t,
 			 const gss_buffer_t, const gss_channel_bindings_t,
 			 gss_name_t *, gss_OID *, gss_buffer_t, OM_uint32 *,
 			 OM_uint32 *, gss_cred_id_t *);
@@ -1233,20 +1295,23 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
      goto end;
   }
 
-  input_token.length = ap_base64decode_len(auth_param) + 1;
-  input_token.value = ap_pcalloc(r->connection->pool, input_token.length);
+  input_token.length = apr_base64_decode_len(auth_param) + 1;
+  input_token.value = apr_pcalloc(r->connection->pool, input_token.length);
   if (input_token.value == NULL) {
      log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
 	   	"ap_pcalloc() failed (not enough memory)");
      ret = HTTP_INTERNAL_SERVER_ERROR;
      goto end;
   }
-  input_token.length = ap_base64decode(input_token.value, auth_param);
+  input_token.length = apr_base64_decode(input_token.value, auth_param);
 
+#ifdef GSSAPI_SUPPORTS_SPNEGO
+  accept_sec_token = gss_accept_sec_context;
+#else
   accept_sec_token = (cmp_gss_type(&input_token, &spnego_oid) == 0) ?
      			gss_accept_sec_context_spnego : gss_accept_sec_context;
+#endif
 
-  /* pridat: Read client Negotiate data of length XXX, prefix YYY */
   log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Verifying client data using %s",
 	     (accept_sec_token == gss_accept_sec_context)
 	       ? "KRB5 GSS-API"
@@ -1269,8 +1334,8 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
      char *token = NULL;
      size_t len;
      
-     len = ap_base64encode_len(output_token.length) + 1;
-     token = ap_pcalloc(r->connection->pool, len + 1);
+     len = apr_base64_encode_len(output_token.length) + 1;
+     token = apr_pcalloc(r->connection->pool, len + 1);
      if (token == NULL) {
 	log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
 	           "ap_pcalloc() failed (not enough memory)");
@@ -1278,13 +1343,14 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
 	gss_release_buffer(&minor_status2, &output_token);
 	goto end;
      }
-     ap_base64encode(token, output_token.value, output_token.length);
+     apr_base64_encode(token, output_token.value, output_token.length);
      token[len] = '\0';
      *negotiate_ret_value = token;
      log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
 	        "GSS-API token of length %d bytes will be sent back",
 		output_token.length);
      gss_release_buffer(&minor_status2, &output_token);
+     set_kerb_auth_headers(r, conf, 0, 0, *negotiate_ret_value);
   }
 
   if (GSS_ERROR(major_status)) {
@@ -1316,20 +1382,17 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
   if (GSS_ERROR(major_status)) {
     log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
 	       "%s", get_gss_error(r->pool, major_status, minor_status,
-		                   "gss_export_name() failed"));
+		                   "gss_display_name() failed"));
     ret = HTTP_INTERNAL_SERVER_ERROR;
     goto end;
   }
 
   MK_AUTH_TYPE = MECH_NEGOTIATE;
-  MK_USER = ap_pstrdup(r->pool, output_token.value);
+  MK_USER = apr_pstrdup(r->pool, output_token.value);
 
   if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL)
      store_gss_creds(r, conf, (char *)output_token.value, delegated_cred);
 
-  if (*negotiate_ret_value)
-     set_kerb_auth_headers(r, conf, 0, 0, *negotiate_ret_value);
-
   gss_release_buffer(&minor_status, &output_token);
 
   ret = OK;
@@ -1383,12 +1446,12 @@ set_kerb_auth_headers(request_rec *r, const kerb_auth_config *conf,
 #ifdef KRB5
    if (negotiate_ret_value != NULL && conf->krb_method_gssapi) {
       negoauth_param = (*negotiate_ret_value == '\0') ? MECH_NEGOTIATE :
-	          ap_pstrcat(r->pool, MECH_NEGOTIATE " ", negotiate_ret_value, NULL);
-      ap_table_add(r->err_headers_out, header_name, negoauth_param);
+	          apr_pstrcat(r->pool, MECH_NEGOTIATE " ", negotiate_ret_value, NULL);
+      apr_table_add(r->err_headers_out, header_name, negoauth_param);
    }
    if ((use_krb5pwd && conf->krb_method_k5pass) || conf->krb_delegate_basic) {
-      ap_table_add(r->err_headers_out, header_name,
-		   ap_pstrcat(r->pool, "Basic realm=\"", auth_name, "\"", NULL));
+      apr_table_add(r->err_headers_out, header_name,
+		   apr_pstrcat(r->pool, "Basic realm=\"", auth_name, "\"", NULL));
       set_basic = 1;
    }
 #endif
@@ -1401,7 +1464,8 @@ set_kerb_auth_headers(request_rec *r, const kerb_auth_config *conf,
 #endif
 }
 
-int kerb_authenticate_user(request_rec *r)
+static int
+kerb_authenticate_user(request_rec *r)
 {
    kerb_auth_config *conf = 
       (kerb_auth_config *) ap_get_module_config(r->per_dir_config,
@@ -1430,6 +1494,16 @@ int kerb_authenticate_user(request_rec *r)
    else
       return DECLINED;
 
+#if 0
+   if (conf->krb_ssl_preauthentication) {
+      const char *ssl_client_verify = ssl_var_lookup(r->pool, r->server,
+	    	r->connection, r, "SSL_CLIENT_VERIFY");
+
+      if (ssl_client_verify && strcmp(ssl_client_verify, "SUCCESS") == 0)
+	 return OK;
+   }
+#endif
+
    /* get what the user sent us in the HTTP header */
    auth_line = MK_TABLE_GET(r->headers_in, (r->proxyreq == PROXYREQ_PROXY)
 	                                    ? "Proxy-Authorization"
@@ -1482,14 +1556,46 @@ int kerb_authenticate_user(request_rec *r)
    return ret;
 }
 
+int
+have_rcache_type(const char *type)
+{
+   krb5_error_code ret;
+   krb5_context context;
+   krb5_rcache id;
+   int found;
+
+   memset(&id, 0, sizeof(id));
+
+   ret = krb5_init_context(&context);
+   if (ret)
+      return 0;
+
+   ret = krb5_rc_resolve_type(context, &id, type);
+   found = (ret == 0);
+
+   krb5_free_context(context);
+
+   return found;
+}
 
 /*************************************************************************** 
  Module Setup/Configuration
  ***************************************************************************/
 #ifndef STANDARD20_MODULE_STUFF
+static void
+kerb_module_init(server_rec *dummy, pool *p)
+{
+#ifndef HEIMDAL
+   /* Suppress the MIT replay cache.  Requires MIT Kerberos 1.4.0 or later.
+      1.3.x are covered by the hack overiding the replay calls */
+   if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none"))
+      putenv(strdup("KRB5RCACHETYPE=none"));
+#endif
+}
+
 module MODULE_VAR_EXPORT auth_kerb_module = {
 	STANDARD_MODULE_STUFF,
-	NULL,				/*      module initializer            */
+	kerb_module_init,		/*      module initializer            */
 	kerb_dir_create_config,		/*      per-directory config creator  */
 	NULL,				/*      per-directory config merger   */
 	NULL,				/*      per-server    config creator  */
@@ -1520,10 +1626,18 @@ kerb_init_handler(apr_pool_t *p, apr_pool_t *plog,
       		  apr_pool_t *ptemp, server_rec *s)
 {
    ap_add_version_component(p, "mod_auth_kerb/" MODAUTHKERB_VERSION);
+#ifndef HEIMDAL
+   /* Suppress the MIT replay cache.  Requires MIT Kerberos 1.4.0 or later.
+      1.3.x are covered by the hack overiding the replay calls */
+   if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none"))
+      putenv(strdup("KRB5RCACHETYPE=none"));
+#endif
+   
    return OK;
 }
 
-void kerb_register_hooks(apr_pool_t *p)
+static void
+kerb_register_hooks(apr_pool_t *p)
 {
    ap_hook_post_config(kerb_init_handler, NULL, NULL, APR_HOOK_MIDDLE);
    ap_hook_check_user_id(kerb_authenticate_user, NULL, NULL, APR_HOOK_MIDDLE);