X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=src%2Fmod_auth_kerb.c;h=8d133e85fb987dffa4df129ed4356a0dd6d19e09;hb=8cd1c3fe01d71282c52e3c2661f14024ddda08ea;hp=f1cfdd75010e9859fd3a75e9659aeb1c2d10bc38;hpb=f9810e351f14938783c672af35f49a24402685c2;p=mod_auth_kerb.cvs%2F.git diff --git a/src/mod_auth_kerb.c b/src/mod_auth_kerb.c index f1cfdd7..8d133e8 100644 --- a/src/mod_auth_kerb.c +++ b/src/mod_auth_kerb.c @@ -11,7 +11,7 @@ */ /* - * Copyright (c) 2004 Masarykova universita + * Copyright (c) 2004-2006 Masarykova universita * (Masaryk University, Brno, Czech Republic) * All rights reserved. * @@ -46,7 +46,14 @@ #include "config.h" -#define MODAUTHKERB_VERSION "5.0-rc4" +#include +#include +#include + +#define MODAUTHKERB_VERSION "5.4" + +#define MECH_NEGOTIATE "Negotiate" +#define SERVICE_NAME "HTTP" #include #include @@ -56,10 +63,32 @@ #include #ifdef STANDARD20_MODULE_STUFF -#include #include +#include +#else +#define apr_pstrdup ap_pstrdup +#define apr_psprintf ap_psprintf +#define apr_pstrcat ap_pstrcat +#define apr_pcalloc ap_pcalloc +#define apr_table_setn ap_table_setn +#define apr_table_add ap_table_add +#define apr_base64_decode_len ap_base64decode_len +#define apr_base64_decode ap_base64decode +#define apr_base64_encode_len ap_base64encode_len +#define apr_base64_encode ap_base64encode +#define apr_pool_cleanup_null ap_null_cleanup +#define apr_pool_cleanup_register ap_register_cleanup +#endif /* STANDARD20_MODULE_STUFF */ + +#if AP_SERVER_MAJORVERSION_NUMBER == 2 && AP_SERVER_MINORVERSION_NUMBER== 2 +#define APACHE22 +#include "mod_auth.h" #endif +#ifdef _WIN32 +#define vsnprintf _vsnprintf +#define snprintf _snprintf +#endif #ifdef KRB5 #include @@ -68,15 +97,19 @@ #else # include # include +# include # define GSS_C_NT_USER_NAME gss_nt_user_name # define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name +# define GSS_KRB5_NT_PRINCIPAL_NAME gss_nt_krb5_name # define krb5_get_err_text(context,code) error_message(code) #endif -#include "spnegokrb5.h" +#ifndef GSSAPI_SUPPORTS_SPNEGO +# include "spnegokrb5.h" +#endif #endif /* KRB5 */ #ifdef KRB4 -/*Prevent warning about closesocket redefinition (Apache's ap_config.h and +/* Prevent warning about closesocket redefinition (Apache's ap_config.h and * MIT Kerberos' port-sockets.h both define it as close) */ #ifdef closesocket # undef closesocket @@ -85,6 +118,18 @@ #include /* gethostbyname() */ #endif /* KRB4 */ +#if HAVE_UNISTD_H +#include +#endif + +#ifndef KRB5_LIB_FUNCTION +# if defined(_WIN32) +# define KRB5_LIB_FUNCTION _stdcall +# else +# define KRB5_LIB_FUNCTION +# endif +#endif + #ifdef STANDARD20_MODULE_STUFF module AP_MODULE_DECLARE_DATA auth_kerb_module; #else @@ -114,12 +159,17 @@ typedef struct { char *krb_auth_realms; int krb_save_credentials; int krb_verify_kdc; - char *krb_service_name; + const char *krb_service_name; int krb_authoritative; + int krb_delegate_basic; +#if 0 + int krb_ssl_preauthentication; +#endif #ifdef KRB5 char *krb_5_keytab; int krb_method_gssapi; int krb_method_k5pass; + int krb5_do_auth_to_local; #endif #ifdef KRB4 char *krb_4_srvtab; @@ -127,23 +177,30 @@ typedef struct { #endif } kerb_auth_config; +typedef struct krb5_conn_data { + char *authline; + char *user; + char *mech; + int last_return; +} krb5_conn_data; + static void set_kerb_auth_headers(request_rec *r, const kerb_auth_config *conf, int use_krb4, int use_krb5pwd, char *negotiate_ret_value); static const char* -krb5_save_realms(cmd_parms *cmd, kerb_auth_config *sec, char *arg); +krb5_save_realms(cmd_parms *cmd, void *sec, const char *arg); #ifdef STANDARD20_MODULE_STUFF #define command(name, func, var, type, usage) \ - AP_INIT_ ## type (name, func, \ - (void*)APR_XtOffsetOf(kerb_auth_config, var), \ - OR_AUTHCFG, usage) + AP_INIT_ ## type (name, (void*) func, \ + (void*)APR_OFFSETOF(kerb_auth_config, var), \ + OR_AUTHCFG | RSRC_CONF, usage) #else #define command(name, func, var, type, usage) \ { name, func, \ (void*)XtOffsetOf(kerb_auth_config, var), \ - OR_AUTHCFG, type, usage } + OR_AUTHCFG | RSRC_CONF, type, usage } #endif static const command_rec kerb_auth_cmds[] = { @@ -160,10 +217,18 @@ static const command_rec kerb_auth_cmds[] = { FLAG, "Verify tickets against keytab to prevent KDC spoofing attacks."), command("KrbServiceName", ap_set_string_slot, krb_service_name, - TAKE1, "Service name to be used by Apache for authentication."), + TAKE1, "Full or partial service name to be used by Apache for authentication."), command("KrbAuthoritative", ap_set_flag_slot, krb_authoritative, - FLAG, "Set to 'off' to allow access control to be passed along to lower modules if the UserID is not known to this module."), + FLAG, "Set to 'off' to allow access control to be passed along to lower modules iff the UserID is not known to this module."), + + command("KrbDelegateBasic", ap_set_flag_slot, krb_delegate_basic, + FLAG, "Always offer Basic authentication regardless of KrbMethodK5Pass and pass on authentication to lower modules if Basic headers arrive."), + +#if 0 + command("KrbEnableSSLPreauthentication", ap_set_flag_slot, krb_ssl_preauthentication, + FLAG, "Don't do Kerberos authentication if the user is already authenticated using SSL and her client certificate."), +#endif #ifdef KRB5 command("Krb5Keytab", ap_set_file_slot, krb_5_keytab, @@ -174,6 +239,9 @@ static const command_rec kerb_auth_cmds[] = { command("KrbMethodK5Passwd", ap_set_flag_slot, krb_method_k5pass, FLAG, "Enable Kerberos V5 password authentication."), + + command("KrbLocalUserMapping", ap_set_flag_slot, krb5_do_auth_to_local, + FLAG, "Set to 'on' to have Kerberos do auth_to_local mapping of principal names to system user names."), #endif #ifdef KRB4 @@ -187,6 +255,69 @@ static const command_rec kerb_auth_cmds[] = { { NULL } }; +#ifdef _WIN32 +int +mkstemp(char *template) +{ + int start, i; + pid_t val; + val = getpid(); + start = strlen(template) - 1; + while(template[start] == 'X') { + template[start] = '0' + val % 10; + val /= 10; + start--; + } + + do{ + int fd; + fd = open(template, O_RDWR | O_CREAT | O_EXCL, 0600); + if(fd >= 0 || errno != EEXIST) + return fd; + i = start + 1; + do{ + if(template[i] == 0) + return -1; + template[i]++; + if(template[i] == '9' + 1) + template[i] = 'a'; + if(template[i] <= 'z') + break; + template[i] = 'a'; + i++; + }while(1); + }while(1); +} +#endif + +#if defined(KRB5) && !defined(HEIMDAL) +/* Needed to work around problems with replay caches */ +#include "mit-internals.h" + +/* This is our replacement krb5_rc_store function */ +static krb5_error_code KRB5_LIB_FUNCTION +mod_auth_kerb_rc_store(krb5_context context, krb5_rcache rcache, + krb5_donot_replay_internal *donot_replay) +{ + return 0; +} + +/* And this is the operations vector for our replay cache */ +const krb5_rc_ops_internal mod_auth_kerb_rc_ops = { + 0, + "dfl", + krb5_rc_dfl_init, + krb5_rc_dfl_recover, + krb5_rc_dfl_destroy, + krb5_rc_dfl_close, + mod_auth_kerb_rc_store, + krb5_rc_dfl_expunge, + krb5_rc_dfl_get_span, + krb5_rc_dfl_get_name, + krb5_rc_dfl_resolve +}; +#endif + /*************************************************************************** Auth Configuration Initialization ***************************************************************************/ @@ -194,11 +325,16 @@ static void *kerb_dir_create_config(MK_POOL *p, char *d) { kerb_auth_config *rec; - rec = (kerb_auth_config *) ap_pcalloc(p, sizeof(kerb_auth_config)); + rec = (kerb_auth_config *) apr_pcalloc(p, sizeof(kerb_auth_config)); ((kerb_auth_config *)rec)->krb_verify_kdc = 1; - ((kerb_auth_config *)rec)->krb_service_name = "HTTP"; + ((kerb_auth_config *)rec)->krb_service_name = NULL; ((kerb_auth_config *)rec)->krb_authoritative = 1; + ((kerb_auth_config *)rec)->krb_delegate_basic = 0; +#if 0 + ((kerb_auth_config *)rec)->krb_ssl_preauthentication = 0; +#endif #ifdef KRB5 + ((kerb_auth_config *)rec)->krb5_do_auth_to_local = 0; ((kerb_auth_config *)rec)->krb_method_k5pass = 1; ((kerb_auth_config *)rec)->krb_method_gssapi = 1; #endif @@ -209,14 +345,16 @@ static void *kerb_dir_create_config(MK_POOL *p, char *d) } static const char* -krb5_save_realms(cmd_parms *cmd, kerb_auth_config *sec, char *arg) +krb5_save_realms(cmd_parms *cmd, void *vsec, const char *arg) { - sec->krb_auth_realms= ap_pstrdup(cmd->pool, arg); + kerb_auth_config *sec = (kerb_auth_config *) vsec; + sec->krb_auth_realms= apr_pstrdup(cmd->pool, arg); return NULL; } -void log_rerror(const char *file, int line, int level, int status, - const request_rec *r, const char *fmt, ...) +static void +log_rerror(const char *file, int line, int level, int status, + const request_rec *r, const char *fmt, ...) { char errstr[1024]; va_list ap; @@ -238,8 +376,8 @@ void log_rerror(const char *file, int line, int level, int status, Username/Password Validation for Krb4 ***************************************************************************/ static int -verify_krb4_user(request_rec *r, char *name, char *instance, char *realm, - char *password, char *linstance, char *srvtab, int krb_verify_kdc) +verify_krb4_user(request_rec *r, const char *name, const char *instance, + const char *realm, const char *password, const char *linstance, const char *srvtab, int krb_verify_kdc) { int ret; char *phost; @@ -287,7 +425,7 @@ verify_krb4_user(request_rec *r, char *name, char *instance, char *realm, return ret; } - ret = krb_rd_req(&ticket, linstance, phost, addr, &authdata, srvtab); + ret = krb_rd_req(&ticket, (char *)linstance, phost, addr, &authdata, (char *)srvtab); if (ret) { log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "Cannot verify krb4 ticket: krb_rd_req() failed: %s", @@ -314,7 +452,7 @@ authenticate_user_krb4pwd(request_rec *r, const char *auth_line) { int ret; - const char *sent_pw; + char *sent_pw; const char *sent_name; char *sent_instance; char tkt_file[32]; @@ -327,14 +465,7 @@ authenticate_user_krb4pwd(request_rec *r, int all_principals_unkown; sent_pw = ap_pbase64decode(r->pool, auth_line); - sent_name = ap_getword (r->pool, &sent_pw, ':'); - - /* do not allow user to override realm setting of server */ - if (strchr(sent_name, '@')) { - log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "specifying realm in user name is prohibited"); - return HTTP_UNAUTHORIZED; - } + sent_name = ap_getword_nulls_nc (r->pool, (char **) &sent_pw, ':'); sent_instance = strchr(sent_name, '.'); if (sent_instance) @@ -349,10 +480,10 @@ authenticate_user_krb4pwd(request_rec *r, return HTTP_INTERNAL_SERVER_ERROR; } - tkt_file_p = ap_pstrdup(r->pool, tkt_file); - ap_register_cleanup(r->pool, tkt_file_p, - krb4_cache_cleanup, ap_null_cleanup); - + tkt_file_p = apr_pstrdup(r->pool, tkt_file); + apr_pool_cleanup_register(r->pool, tkt_file_p, krb4_cache_cleanup, + apr_pool_cleanup_null); + krb_set_tkt_string(tkt_file); all_principals_unkown = 1; @@ -370,6 +501,7 @@ authenticate_user_krb4pwd(request_rec *r, realm = lrealm; } + /* XXX conf->krb_service_name */ ret = verify_krb4_user(r, (char *)sent_name, (sent_instance) ? sent_instance : "", (char *)realm, (char *)sent_pw, @@ -394,14 +526,14 @@ authenticate_user_krb4pwd(request_rec *r, goto end; } - user = ap_pstrdup(r->pool, sent_name); + user = apr_pstrdup(r->pool, sent_name); if (sent_instance) - user = ap_pstrcat(r->pool, user, ".", sent_instance, NULL); - user = ap_pstrcat(r->pool, user, "@", realm, NULL); + user = apr_pstrcat(r->pool, user, ".", sent_instance, NULL); + user = apr_pstrcat(r->pool, user, "@", realm, NULL); MK_USER = user; MK_AUTH_TYPE = "Basic"; - ap_table_setn(r->subprocess_env, "KRBTKFILE", tkt_file_p); + apr_table_setn(r->subprocess_env, "KRBTKFILE", tkt_file_p); if (!conf->krb_save_credentials) krb4_cache_cleanup(tkt_file); @@ -420,16 +552,145 @@ end: /*************************************************************************** Username/Password Validation for Krb5 ***************************************************************************/ + +/* MIT kerberos uses replay cache checks even during credential verification + * (i.e. in krb5_verify_init_creds()), which is obviosuly useless. In order to + * avoid problems with multiple apache processes accessing the same rcache file + * we had to use this call instead, which is only a bit modified version of + * krb5_verify_init_creds() */ +static krb5_error_code +verify_krb5_init_creds(request_rec *r, krb5_context context, krb5_creds *creds, + krb5_principal ap_req_server, krb5_keytab ap_req_keytab) +{ + krb5_error_code ret; + krb5_data req; + krb5_ccache local_ccache = NULL; + krb5_creds *new_creds = NULL; + krb5_auth_context auth_context = NULL; + krb5_keytab keytab = NULL; + char *server_name; + + memset(&req, 0, sizeof(req)); + + if (ap_req_keytab == NULL) { + ret = krb5_kt_default (context, &keytab); + if (ret) + return ret; + } else + keytab = ap_req_keytab; + +#ifdef HAVE_KRB5_CC_NEW_UNIQUE + ret = krb5_cc_new_unique(context, "MEMORY", NULL, &local_ccache); +#else + ret = krb5_cc_resolve(context, "MEMORY:", &local_ccache); +#endif + + if (ret) { + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "krb5_cc_resolve() failed when verifying KDC"); + return ret; + } + + ret = krb5_cc_initialize(context, local_ccache, creds->client); + if (ret) { + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "krb5_cc_initialize() failed when verifying KDC"); + goto end; + } + + ret = krb5_cc_store_cred (context, local_ccache, creds); + if (ret) { + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "krb5_cc_initialize() failed when verifying KDC"); + goto end; + } + + ret = krb5_unparse_name(context, ap_req_server, &server_name); + if (ret) { + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "krb5_unparse_name() failed when verifying KDC"); + goto end; + } + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "Trying to verify authenticity of KDC using principal %s", server_name); + free(server_name); + + if (!krb5_principal_compare (context, ap_req_server, creds->server)) { + krb5_creds match_cred; + + memset (&match_cred, 0, sizeof(match_cred)); + + match_cred.client = creds->client; + match_cred.server = ap_req_server; + + ret = krb5_get_credentials (context, 0, local_ccache, + &match_cred, &new_creds); + if (ret) { + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "krb5_get_credentials() failed when verifying KDC"); + goto end; + } + creds = new_creds; + } + + ret = krb5_mk_req_extended (context, &auth_context, 0, NULL, creds, &req); + if (ret) { + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "krb5_mk_req_extended() failed when verifying KDC"); + goto end; + } + + krb5_auth_con_free (context, auth_context); + auth_context = NULL; + ret = krb5_auth_con_init(context, &auth_context); + if (ret) { + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "krb5_auth_con_init() failed when verifying KDC"); + goto end; + } + /* use KRB5_AUTH_CONTEXT_DO_SEQUENCE to skip replay cache checks */ + krb5_auth_con_setflags(context, auth_context, KRB5_AUTH_CONTEXT_DO_SEQUENCE); + + ret = krb5_rd_req (context, &auth_context, &req, ap_req_server, + keytab, 0, NULL); + if (ret) { + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "krb5_rd_req() failed when verifying KDC"); + goto end; + } + +end: +#ifdef HEIMDAL + /* XXX Do I ever want to support Heimdal 0.4 ??? */ + krb5_data_free(&req); +#else + krb5_free_data_contents(context, &req); +#endif + if (auth_context) + krb5_auth_con_free (context, auth_context); + if (new_creds) + krb5_free_creds (context, new_creds); + if (ap_req_keytab == NULL && keytab) + krb5_kt_close (context, keytab); + if (local_ccache) + krb5_cc_destroy (context, local_ccache); + + return ret; +} + /* Inspired by krb5_verify_user from Heimdal */ static krb5_error_code verify_krb5_user(request_rec *r, krb5_context context, krb5_principal principal, - krb5_ccache ccache, const char *password, const char *service, - krb5_keytab keytab, int krb_verify_kdc) + const char *password, krb5_principal server, + krb5_keytab keytab, int krb_verify_kdc, const char *krb_service_name, krb5_ccache *ccache) { krb5_creds creds; - krb5_principal server = NULL; + krb5_get_init_creds_opt options; krb5_error_code ret; - krb5_verify_init_creds_opt opt; + krb5_ccache ret_ccache = NULL; + char *name = NULL; + krb5_keytab_entry entry; + krb5_kt_cursor cursor; /* XXX error messages shouldn't be logged here (and in the while() loop in * authenticate_user_krb5pwd() as weell), in order to avoid confusing log @@ -437,25 +698,23 @@ verify_krb5_user(request_rec *r, krb5_context context, krb5_principal principal, memset(&creds, 0, sizeof(creds)); + ret = krb5_unparse_name(context, principal, &name); + if (ret == 0) { + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "Trying to get TGT for user %s", name); + free(name); + } + + krb5_get_init_creds_opt_init(&options); ret = krb5_get_init_creds_password(context, &creds, principal, (char *)password, NULL, - NULL, 0, NULL, NULL); + NULL, 0, NULL, &options); if (ret) { log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "krb5_get_init_creds_password() failed: %s", krb5_get_err_text(context, ret)); - return ret; - } - - ret = krb5_sname_to_principal(context, ap_get_server_name(r), service, - KRB5_NT_UNKNOWN, &server); - if (ret) { - log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "krb5_sname_to_principal() failed: %s", - krb5_get_err_text(context, ret)); goto end; } - /* XXX log_debug: lookig for in keytab */ /* XXX { @@ -468,39 +727,80 @@ verify_krb5_user(request_rec *r, krb5_context context, krb5_principal principal, } */ - krb5_verify_init_creds_opt_init(&opt); - krb5_verify_init_creds_opt_set_ap_req_nofail(&opt, krb_verify_kdc); + /*if (krb_verify_kdc && + (ret = verify_krb5_init_creds(r, context, &creds, server, keytab))) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "failed to verify krb5 credentials: %s", + krb5_get_err_text(context, ret)); + goto end; + }*/ + + if (krb_verify_kdc) { + if (krb_service_name && strcmp(krb_service_name,"Any") == 0) { + ret = krb5_kt_start_seq_get(context, keytab, &cursor); + if(!ret) { + while((krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0){ + if ((ret = verify_krb5_init_creds(r, context, &creds, entry.principal, keytab)) == 0) + break; + } + } + if (ret) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "failed to verify krb5 credentials: %s", + krb5_get_err_text(context, ret)); + krb5_kt_end_seq_get(context, keytab, &cursor); + krb5_kt_close(context, keytab); + goto end; + } + krb5_kt_end_seq_get(context, keytab, &cursor); + krb5_kt_close(context, keytab); + } + else { + if ((ret = verify_krb5_init_creds(r, context, &creds, server, keytab))) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "failed to verify krb5 credentials: %s", + krb5_get_err_text(context, ret)); + goto end; + } + } + } + +#ifdef HAVE_KRB5_CC_NEW_UNIQUE + ret = krb5_cc_new_unique(context, "MEMORY", NULL, &ret_ccache); +#else + ret = krb5_cc_resolve(context, "MEMORY:", &ret_ccache); +#endif + + if (ret) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "generating new memory ccache failed: %s", + krb5_get_err_text(context, ret)); + goto end; + } - ret = krb5_verify_init_creds(context, &creds, server, keytab, NULL, &opt); + ret = krb5_cc_initialize(context, ret_ccache, principal); if (ret) { log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "krb5_verify_init_creds() failed: %s", + "krb5_cc_initialize() failed: %s", krb5_get_err_text(context, ret)); goto end; } - - if (ccache) { - ret = krb5_cc_initialize(context, ccache, principal); - if (ret) { - log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "krb5_cc_initialize() failed: %s", - krb5_get_err_text(context, ret)); - goto end; - } - ret = krb5_cc_store_cred(context, ccache, &creds); - if (ret) { - log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "krb5_cc_store_cred() failed: %s", - krb5_get_err_text(context, ret)); - goto end; - } + ret = krb5_cc_store_cred(context, ret_ccache, &creds); + if (ret) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "krb5_cc_store_cred() failed: %s", + krb5_get_err_text(context, ret)); + goto end; } + *ccache = ret_ccache; + ret_ccache = NULL; end: krb5_free_cred_contents(context, &creds); - if (server) - krb5_free_principal(context, server); + if (ret_ccache) + krb5_cc_destroy(context, ret_ccache); + return ret; } @@ -544,7 +844,7 @@ create_krb5_ccache(krb5_context kcontext, int ret; krb5_ccache tmp_ccache = NULL; - ccname = ap_psprintf(r->pool, "FILE:%s/krb5cc_apache_XXXXXX", P_tmpdir); + ccname = apr_psprintf(r->pool, "FILE:%s/krb5cc_apache_XXXXXX", P_tmpdir); fd = mkstemp(ccname + strlen("FILE:")); if (fd < 0) { log_rerror(APLOG_MARK, APLOG_ERR, 0, r, @@ -573,9 +873,9 @@ create_krb5_ccache(krb5_context kcontext, goto end; } - ap_table_setn(r->subprocess_env, "KRB5CCNAME", ccname); - ap_register_cleanup(r->pool, ccname, - krb5_cache_cleanup, ap_null_cleanup); + apr_table_setn(r->subprocess_env, "KRB5CCNAME", ccname); + apr_pool_cleanup_register(r->pool, ccname, krb5_cache_cleanup, + apr_pool_cleanup_null); *ccache = tmp_ccache; tmp_ccache = NULL; @@ -631,24 +931,25 @@ store_krb5_creds(krb5_context kcontext, return OK; } - -int authenticate_user_krb5pwd(request_rec *r, - kerb_auth_config *conf, - const char *auth_line) +static int +authenticate_user_krb5pwd(request_rec *r, + kerb_auth_config *conf, + const char *auth_line) { const char *sent_pw = NULL; const char *sent_name = NULL; const char *realms = NULL; + const char *realm = NULL; krb5_context kcontext = NULL; krb5_error_code code; krb5_principal client = NULL; + krb5_principal server = NULL; krb5_ccache ccache = NULL; krb5_keytab keytab = NULL; int ret; char *name = NULL; int all_principals_unkown; - char *ccname = NULL; - int fd; + char *p = NULL; code = krb5_init_context(&kcontext); if (code) { @@ -658,51 +959,70 @@ int authenticate_user_krb5pwd(request_rec *r, } sent_pw = ap_pbase64decode(r->pool, auth_line); - sent_name = ap_getword (r->pool, &sent_pw, ':'); - /* do not allow user to override realm setting of server */ - if (strchr(sent_name, '@')) { + sent_name = ap_getword_nulls_nc (r->pool, (char **) &sent_pw, ':'); + + if (sent_pw == NULL || *sent_pw == '\0') { log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "specifying realm in user name is prohibited"); + "empty passwords are not accepted"); ret = HTTP_UNAUTHORIZED; goto end; } - if (sent_pw == NULL || *sent_pw == '\0') { + if (conf->krb_5_keytab) + krb5_kt_resolve(kcontext, conf->krb_5_keytab, &keytab); + + if (conf->krb_service_name && strchr(conf->krb_service_name, '/') != NULL) + ret = krb5_parse_name (kcontext, conf->krb_service_name, &server); + else + ret = krb5_sname_to_principal(kcontext, ap_get_server_name(r), + (conf->krb_service_name) ? conf->krb_service_name : SERVICE_NAME, + KRB5_NT_SRV_HST, &server); + + if (ret) { log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "empty passwords are not accepted"); + "Error parsing server name (%s): %s", + (conf->krb_service_name) ? conf->krb_service_name : SERVICE_NAME, + krb5_get_err_text(kcontext, ret)); ret = HTTP_UNAUTHORIZED; goto end; } - code = krb5_cc_resolve(kcontext, "MEMORY:", &ccache); + code = krb5_unparse_name(kcontext, server, &name); if (code) { log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "generating new memory ccache failed: %s", - krb5_get_err_text(kcontext, code)); - ret = HTTP_INTERNAL_SERVER_ERROR; - unlink(ccname); + "krb5_unparse_name() failed: %s", + krb5_get_err_text(kcontext, code)); + ret = HTTP_UNAUTHORIZED; goto end; } + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Using %s as server principal for password verification", name); + free(name); + name = NULL; - if (conf->krb_5_keytab) - krb5_kt_resolve(kcontext, conf->krb_5_keytab, &keytab); + p = strchr(sent_name, '@'); + if (p) { + *p++ = '\0'; + if (conf->krb_auth_realms && !ap_find_token(r->pool, conf->krb_auth_realms, p)) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Specified realm `%s' not allowed by configuration", p); + ret = HTTP_UNAUTHORIZED; + goto end; + } + } + realms = (p) ? p : conf->krb_auth_realms; all_principals_unkown = 1; - realms = conf->krb_auth_realms; do { - if (realms && (code = krb5_set_default_realm(kcontext, - ap_getword_white(r->pool, &realms)))){ - log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "krb5_set_default_realm() failed: %s", - krb5_get_err_text(kcontext, code)); - continue; - } + name = (char *) sent_name; + if (realms && (realm = ap_getword_white(r->pool, &realms))) + name = apr_psprintf(r->pool, "%s@%s", sent_name, realm); if (client) { krb5_free_principal(kcontext, client); client = NULL; } - code = krb5_parse_name(kcontext, sent_name, &client); + + code = krb5_parse_name(kcontext, name, &client); if (code) { log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "krb5_parse_name() failed: %s", @@ -710,9 +1030,8 @@ int authenticate_user_krb5pwd(request_rec *r, continue; } - code = verify_krb5_user(r, kcontext, client, ccache, sent_pw, - conf->krb_service_name, - keytab, conf->krb_verify_kdc); + code = verify_krb5_user(r, kcontext, client, sent_pw, + server, keytab, conf->krb_verify_kdc, conf->krb_service_name, &ccache); if (!conf->krb_authoritative && code) { /* if we're not authoritative, we allow authentication to pass on * to another modules if (and only if) the user is not known to us */ @@ -745,7 +1064,7 @@ int authenticate_user_krb5pwd(request_rec *r, ret = HTTP_UNAUTHORIZED; goto end; } - MK_USER = ap_pstrdup (r->pool, name); + MK_USER = apr_pstrdup (r->pool, name); MK_AUTH_TYPE = "Basic"; free(name); @@ -755,8 +1074,13 @@ int authenticate_user_krb5pwd(request_rec *r, ret = OK; end: + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "kerb_authenticate_user_krb5pwd ret=%d user=%s authtype=%s", + ret, (MK_USER)?MK_USER:"(NULL)", (MK_AUTH_TYPE)?MK_AUTH_TYPE:"(NULL)"); if (client) krb5_free_principal(kcontext, client); + if (server) + krb5_free_principal(kcontext, server); if (ccache) krb5_cc_destroy(kcontext, ccache); if (keytab) @@ -771,15 +1095,18 @@ end: ********************************************************************/ static const char * -get_gss_error(MK_POOL *p, OM_uint32 err_maj, OM_uint32 err_min, char *prefix) +get_gss_error(request_rec *r, OM_uint32 err_maj, OM_uint32 err_min, char *prefix) { OM_uint32 maj_stat, min_stat; OM_uint32 msg_ctx = 0; gss_buffer_desc status_string; char *err_msg; - size_t len; - err_msg = ap_pstrdup(p, prefix); + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "GSS-API major_status:%8.8x, minor_status:%8.8x", + err_maj, err_min); + + err_msg = apr_pstrdup(r->pool, prefix); do { maj_stat = gss_display_status (&min_stat, err_maj, @@ -787,11 +1114,16 @@ get_gss_error(MK_POOL *p, OM_uint32 err_maj, OM_uint32 err_min, char *prefix) GSS_C_NO_OID, &msg_ctx, &status_string); - if (GSS_ERROR(maj_stat)) - break; - err_msg = ap_pstrcat(p, err_msg, ": ", (char*) status_string.value, NULL); - gss_release_buffer(&min_stat, &status_string); - + if (!GSS_ERROR(maj_stat)) { + err_msg = apr_pstrcat(r->pool, err_msg, ": ", + (char*) status_string.value, NULL); + gss_release_buffer(&min_stat, &status_string); + } + } while (!GSS_ERROR(maj_stat) && msg_ctx != 0); + + msg_ctx = 0; + err_msg = apr_pstrcat(r->pool, err_msg, " (", NULL); + do { maj_stat = gss_display_status (&min_stat, err_min, GSS_C_MECH_CODE, @@ -799,11 +1131,12 @@ get_gss_error(MK_POOL *p, OM_uint32 err_maj, OM_uint32 err_min, char *prefix) &msg_ctx, &status_string); if (!GSS_ERROR(maj_stat)) { - err_msg = ap_pstrcat(p, err_msg, - " (", (char*) status_string.value, ")", NULL); + err_msg = apr_pstrcat(r->pool, err_msg, ", ", + (char *) status_string.value, NULL); gss_release_buffer(&min_stat, &status_string); } } while (!GSS_ERROR(maj_stat) && msg_ctx != 0); + err_msg = apr_pstrcat(r->pool, err_msg, ")", NULL); return err_msg; } @@ -843,7 +1176,7 @@ store_gss_creds(request_rec *r, kerb_auth_config *conf, char *princ_name, if (GSS_ERROR(maj_stat)) { log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "Cannot store delegated credential (%s)", - get_gss_error(r->pool, maj_stat, min_stat, "gss_krb5_copy_ccache")); + get_gss_error(r, maj_stat, min_stat, "gss_krb5_copy_ccache")); goto end; } @@ -865,34 +1198,52 @@ get_gss_creds(request_rec *r, kerb_auth_config *conf, gss_cred_id_t *server_creds) { - gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER; + gss_buffer_desc token = GSS_C_EMPTY_BUFFER; OM_uint32 major_status, minor_status, minor_status2; gss_name_t server_name = GSS_C_NO_NAME; char buf[1024]; + int have_server_princ; -#if 0 - /* Don't specify service name. This makes MIT 1.3 not to use replay caches, - * which causes large problems with the Microsoft krb5 implementation. MS - * obviously uses a format of the krb5 authenticator that is considered by - * the MIT as replay (Two valid MS authenticators may contain the same time - * and utime fields and only differ in the sequential numbers). - */ - snprintf(buf, sizeof(buf), "%s@%s", conf->krb_service_name, - ap_get_server_name(r)); - input_token.value = buf; - input_token.length = strlen(buf) + 1; + have_server_princ = conf->krb_service_name && strchr(conf->krb_service_name, '/') != NULL; + if (have_server_princ) + strncpy(buf, conf->krb_service_name, sizeof(buf)); + else if (conf->krb_service_name && strcmp(conf->krb_service_name,"Any") == 0) { + *server_creds = GSS_C_NO_CREDENTIAL; + return 0; + } + else + snprintf(buf, sizeof(buf), "%s@%s", + (conf->krb_service_name) ? conf->krb_service_name : SERVICE_NAME, + ap_get_server_name(r)); + + token.value = buf; + token.length = strlen(buf) + 1; - major_status = gss_import_name(&minor_status, &input_token, - GSS_C_NT_HOSTBASED_SERVICE, + major_status = gss_import_name(&minor_status, &token, + (have_server_princ) ? (gss_OID) GSS_KRB5_NT_PRINCIPAL_NAME : (gss_OID) GSS_C_NT_HOSTBASED_SERVICE, &server_name); + memset(&token, 0, sizeof(token)); if (GSS_ERROR(major_status)) { log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "%s", get_gss_error(r->pool, major_status, minor_status, + "%s", get_gss_error(r, major_status, minor_status, "gss_import_name() failed")); return HTTP_INTERNAL_SERVER_ERROR; } -#endif + + major_status = gss_display_name(&minor_status, server_name, &token, NULL); + if (GSS_ERROR(major_status)) { + /* Perhaps we could just ignore this error but it's safer to give up now, + I think */ + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "%s", get_gss_error(r, major_status, minor_status, + "gss_display_name() failed")); + return HTTP_INTERNAL_SERVER_ERROR; + } + + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Acquiring creds for %s", + token.value); + gss_release_buffer(&minor_status, &token); major_status = gss_acquire_cred(&minor_status, server_name, GSS_C_INDEFINITE, GSS_C_NO_OID_SET, GSS_C_ACCEPT, @@ -900,10 +1251,35 @@ get_gss_creds(request_rec *r, gss_release_name(&minor_status2, &server_name); if (GSS_ERROR(major_status)) { log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "%s", get_gss_error(r->pool, major_status, minor_status, + "%s", get_gss_error(r, major_status, minor_status, "gss_acquire_cred() failed")); return HTTP_INTERNAL_SERVER_ERROR; } + +#ifndef HEIMDAL + /* + * With MIT Kerberos 5 1.3.x the gss_cred_id_t is the same as + * krb5_gss_cred_id_t and krb5_gss_cred_id_rec contains a pointer to + * the replay cache. + * This allows us to override the replay cache function vector with + * our own one. + * Note that this is a dirty hack to get things working and there may + * well be unknown side-effects. + */ + { + krb5_gss_cred_id_t gss_creds = (krb5_gss_cred_id_t) *server_creds; + + /* First we try to verify we are linked with 1.3.x to prevent from + crashing when linked with 1.4.x */ + if (gss_creds && (gss_creds->usage == GSS_C_ACCEPT)) { + if (gss_creds->rcache && gss_creds->rcache->ops && + gss_creds->rcache->ops->type && + memcmp(gss_creds->rcache->ops->type, "dfl", 3) == 0) + /* Override the rcache operations */ + gss_creds->rcache->ops = &mod_auth_kerb_rc_ops; + } + } +#endif return 0; } @@ -917,8 +1293,6 @@ cmp_gss_type(gss_buffer_t token, gss_OID oid) if (token->length == 0) return GSS_S_DEFECTIVE_TOKEN; - /* XXX if (token->value == NTLMSSP) log_debug("NTLM mechanism used"); */ - p = token->value; if (*p++ != 0x60) return GSS_S_DEFECTIVE_TOKEN; @@ -948,10 +1322,15 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf, int ret; gss_name_t client_name = GSS_C_NO_NAME; gss_cred_id_t delegated_cred = GSS_C_NO_CREDENTIAL; - OM_uint32 (*accept_sec_token)(); + OM_uint32 (KRB5_LIB_FUNCTION *accept_sec_token) + (OM_uint32 *, gss_ctx_id_t *, const gss_cred_id_t, + const gss_buffer_t, const gss_channel_bindings_t, + gss_name_t *, gss_OID *, gss_buffer_t, OM_uint32 *, + OM_uint32 *, gss_cred_id_t *); gss_OID_desc spnego_oid; gss_ctx_id_t context = GSS_C_NO_CONTEXT; gss_cred_id_t server_creds = GSS_C_NO_CREDENTIAL; + OM_uint32 ret_flags = 0; *negotiate_ret_value = "\0"; @@ -971,6 +1350,10 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf, } sprintf(ktname, "KRB5_KTNAME=%s", conf->krb_5_keytab); putenv(ktname); +#ifdef HEIMDAL + /* Seems to be also supported by latest MIT */ + gsskrb5_register_acceptor_identity(conf->krb_5_keytab); +#endif } ret = get_gss_creds(r, conf, &server_creds); @@ -986,18 +1369,27 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf, goto end; } - input_token.length = ap_base64decode_len(auth_param) + 1; - input_token.value = ap_pcalloc(r->connection->pool, input_token.length); + input_token.length = apr_base64_decode_len(auth_param) + 1; + input_token.value = apr_pcalloc(r->connection->pool, input_token.length); if (input_token.value == NULL) { log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "ap_pcalloc() failed (not enough memory)"); ret = HTTP_INTERNAL_SERVER_ERROR; goto end; } - input_token.length = ap_base64decode(input_token.value, auth_param); + input_token.length = apr_base64_decode(input_token.value, auth_param); +#ifdef GSSAPI_SUPPORTS_SPNEGO + accept_sec_token = gss_accept_sec_context; +#else accept_sec_token = (cmp_gss_type(&input_token, &spnego_oid) == 0) ? gss_accept_sec_context_spnego : gss_accept_sec_context; +#endif + + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Verifying client data using KRB5 GSS-API %s", + (accept_sec_token == gss_accept_sec_context) + ? "" + : "with our SPNEGO lib"); major_status = accept_sec_token(&minor_status, &context, @@ -1007,15 +1399,18 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf, &client_name, NULL, &output_token, - NULL, + &ret_flags, NULL, &delegated_cred); + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "Client %s us their credential", + (ret_flags & GSS_C_DELEG_FLAG) ? "delegated" : "didn't delegate"); if (output_token.length) { char *token = NULL; size_t len; - len = ap_base64encode_len(output_token.length) + 1; - token = ap_pcalloc(r->connection->pool, len + 1); + len = apr_base64_encode_len(output_token.length) + 1; + token = apr_pcalloc(r->connection->pool, len + 1); if (token == NULL) { log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "ap_pcalloc() failed (not enough memory)"); @@ -1023,15 +1418,23 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf, gss_release_buffer(&minor_status2, &output_token); goto end; } - ap_base64encode(token, output_token.value, output_token.length); + apr_base64_encode(token, output_token.value, output_token.length); token[len] = '\0'; *negotiate_ret_value = token; + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "GSS-API token of length %d bytes will be sent back", + output_token.length); gss_release_buffer(&minor_status2, &output_token); + set_kerb_auth_headers(r, conf, 0, 0, *negotiate_ret_value); } if (GSS_ERROR(major_status)) { + if (input_token.length > 7 && memcmp(input_token.value, "NTLMSSP", 7) == 0) + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration."); + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "%s", get_gss_error(r->pool, major_status, minor_status, + "%s", get_gss_error(r, major_status, minor_status, "gss_accept_sec_context() failed")); /* Don't offer the Negotiate method again if call to GSS layer failed */ *negotiate_ret_value = NULL; @@ -1053,21 +1456,18 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf, gss_release_name(&minor_status, &client_name); if (GSS_ERROR(major_status)) { log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "%s", get_gss_error(r->pool, major_status, minor_status, - "gss_export_name() failed")); + "%s", get_gss_error(r, major_status, minor_status, + "gss_display_name() failed")); ret = HTTP_INTERNAL_SERVER_ERROR; goto end; } - MK_AUTH_TYPE = "Negotiate"; - MK_USER = ap_pstrdup(r->pool, output_token.value); + MK_AUTH_TYPE = MECH_NEGOTIATE; + MK_USER = apr_pstrdup(r->pool, output_token.value); if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL) store_gss_creds(r, conf, (char *)output_token.value, delegated_cred); - - if (*negotiate_ret_value) - set_kerb_auth_headers(r, conf, 0, 0, *negotiate_ret_value); - + gss_release_buffer(&minor_status, &output_token); ret = OK; @@ -1090,17 +1490,106 @@ end: return ret; } -#endif /* KRB5 */ static int -already_succeeded(request_rec *r) +do_krb5_an_to_ln(request_rec *r) { + krb5_error_code code; + int ret = HTTP_INTERNAL_SERVER_ERROR; + char *MK_USER_LNAME = NULL; + krb5_context kcontext = NULL; + krb5_principal client = NULL; + + code = krb5_init_context(&kcontext); + if (code) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Cannot initialize Kerberos5 context (%d)", code); + goto end; + } + + code = krb5_parse_name(kcontext, MK_USER, &client); + if (code) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "krb5_parse_name() failed: %s", + krb5_get_err_text(kcontext, code)); + goto end; + } + MK_USER_LNAME = apr_pcalloc(r->pool, strlen(MK_USER)+1); + if (MK_USER_LNAME == NULL) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "ap_pcalloc() failed (not enough memory)"); + goto end; + } + code = krb5_aname_to_localname(kcontext, client, strlen(MK_USER), MK_USER_LNAME); + if (code) { + if (code != KRB5_LNAME_NOTRANS) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "krb5_aname_to_localname() failed: %s", + krb5_get_err_text(kcontext, code)); + + } + else { + log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r, + "krb5_aname_to_localname() found no " + "mapping for principal %s", + MK_USER); + } + } + else { + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "kerb_authenticate_a_name_to_local_name %s -> %s", + (MK_USER)?MK_USER:"(NULL)", (MK_USER_LNAME)?MK_USER_LNAME:"(NULL)"); + MK_USER = apr_pstrdup(r->pool, MK_USER_LNAME); + ret = OK; + } + end: + if (client) + krb5_free_principal(kcontext, client); + if (kcontext) + krb5_free_context(kcontext); + return ret; +} + + +#endif /* KRB5 */ + +static krb5_conn_data * +already_authorized(request_rec *r, char *auth_line) { - if (ap_is_initial_req(r) || MK_AUTH_TYPE == NULL) - return 0; - if (strcmp(MK_AUTH_TYPE, "Negotiate") || - (strcmp(MK_AUTH_TYPE, "Basic") && strchr(MK_USER, '@'))) - return 1; - return 0; + krb5_conn_data *conn_data; + char keyname[1024]; + + snprintf(keyname, sizeof(keyname) - 1, + "mod_auth_kerb::connection::%s::%ld", r->connection->remote_ip, + r->connection->id); + + if (apr_pool_userdata_get((void**)&conn_data, keyname, r->connection->pool) != 0) + return NULL; + + if(conn_data) { + if(strcmp(conn_data->authline, auth_line) == 0) { + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "matched previous auth request"); + return conn_data; + } + } + return NULL; +} + +static void +save_authorized(request_rec *r, char *auth_line, const char *auth_type, int ret) { + krb5_conn_data *prevauth; + prevauth = (krb5_conn_data *)apr_palloc(r->connection->pool, sizeof(krb5_conn_data)); + + char keyname[1024]; + + prevauth->user = apr_pstrdup(r->connection->pool, MK_USER); + prevauth->authline = apr_pstrdup(r->connection->pool, auth_line); + prevauth->mech = apr_pstrdup(r->connection->pool, auth_type); + prevauth->last_return = ret; + + snprintf(keyname, sizeof(keyname) - 1, + "mod_auth_kerb::connection::%s::%ld", + r->connection->remote_ip, r->connection->id); + apr_pool_userdata_set(prevauth, keyname, NULL, r->connection->pool); } static void @@ -1116,102 +1605,198 @@ set_kerb_auth_headers(request_rec *r, const kerb_auth_config *conf, /* get the user realm specified in .htaccess */ auth_name = ap_auth_name(r); - /* XXX should the WWW-Authenticate header be cleared first? */ + /* XXX should the WWW-Authenticate header be cleared first? + * apache in the proxy mode should retain client's authN headers? */ #ifdef KRB5 if (negotiate_ret_value != NULL && conf->krb_method_gssapi) { - negoauth_param = (*negotiate_ret_value == '\0') ? "Negotiate" : - ap_pstrcat(r->pool, "Negotiate ", negotiate_ret_value, NULL); - ap_table_add(r->err_headers_out, header_name, negoauth_param); + negoauth_param = (*negotiate_ret_value == '\0') ? MECH_NEGOTIATE : + apr_pstrcat(r->pool, MECH_NEGOTIATE " ", negotiate_ret_value, NULL); + apr_table_add(r->err_headers_out, header_name, negoauth_param); } - if (use_krb5pwd && conf->krb_method_k5pass) { - ap_table_add(r->err_headers_out, header_name, - ap_pstrcat(r->pool, "Basic realm=\"", auth_name, "\"", NULL)); + if ((use_krb5pwd && conf->krb_method_k5pass) || conf->krb_delegate_basic) { + apr_table_add(r->err_headers_out, header_name, + apr_pstrcat(r->pool, "Basic realm=\"", auth_name, "\"", NULL)); set_basic = 1; } #endif #ifdef KRB4 - if (use_krb4 && conf->krb_method_k4pass && !set_basic) - ap_table_add(r->err_headers_out, header_name, - ap_pstrcat(r->pool, "Basic realm=\"", auth_name, "\"", NULL)); + if (!set_basic && + ((use_krb4 && conf->krb_method_k4pass) || conf->krb_delegate_basic)) + apr_table_add(r->err_headers_out, header_name, + apr_pstrcat(r->pool, "Basic realm=\"", auth_name, "\"", NULL)); #endif } -int kerb_authenticate_user(request_rec *r) +static int +authenticate_user(request_rec *r, char *auth_line, const char *type, int use_krb4, int use_krb5) { - kerb_auth_config *conf = + int ret; + krb5_conn_data *prevauth = NULL; + kerb_auth_config *conf = (kerb_auth_config *) ap_get_module_config(r->per_dir_config, - &auth_kerb_module); + &auth_kerb_module); + char *negotiate_ret_value = NULL; const char *auth_type = NULL; - const char *auth_line = NULL; - const char *type = NULL; - int use_krb5 = 0, use_krb4 = 0; + + if (!auth_line) { + set_kerb_auth_headers(r, conf, use_krb4, use_krb5, + (use_krb5) ? "\0" : NULL); + return HTTP_UNAUTHORIZED; + } + auth_type = ap_getword_white(r->pool, (const char **)&auth_line); + + /* If we are delegating Basic to other modules, DECLINE the request */ + if (conf->krb_delegate_basic && +#ifdef KRB5 + !conf->krb_method_k5pass && +#endif +#ifdef KRB4 + !conf->krb_method_k4pass && +#endif + (strcasecmp(auth_type, "Basic") == 0)) + return DECLINED; + if ((prevauth = already_authorized(r, auth_line)) == NULL) { + ret = HTTP_UNAUTHORIZED; + +#ifdef KRB5 + if (use_krb5 && conf->krb_method_gssapi && + strcasecmp(auth_type, MECH_NEGOTIATE) == 0) { + ret = authenticate_user_gss(r, conf, auth_line, &negotiate_ret_value); + } else if (use_krb5 && (conf->krb_method_k5pass || strcasecmp(type, "Basic"))){ + ret = authenticate_user_krb5pwd(r, conf, auth_line); + } +#endif + +#ifdef KRB4 + if (ret == HTTP_UNAUTHORIZED && use_krb4 && (conf->krb_method_k4pass || strcasecmp(type, "Basic"))) + ret = authenticate_user_krb4pwd(r, conf, auth_line); +#endif + + if (ret == HTTP_UNAUTHORIZED) + set_kerb_auth_headers(r, conf, use_krb4, use_krb5, negotiate_ret_value); + + } else { + ret = prevauth->last_return; + MK_USER = prevauth->user; + MK_AUTH_TYPE = prevauth->mech; + } + + /* + * save who was auth'd, if it's not already stashed. + */ + if(!prevauth) { + save_authorized(r, auth_line, auth_type, ret); + } + + if (ret == OK && conf->krb5_do_auth_to_local) { + ret = do_krb5_an_to_ln(r); + } + return ret; +} + +static authn_status authn_krb_password(request_rec *r, const char *user, + const char *password) +{ + char *auth_line = NULL; int ret; - static int last_return = HTTP_UNAUTHORIZED; - char *negotiate_ret_value = NULL; + const char *type = NULL; + + type = ap_auth_type(r); + auth_line = ap_pbase64encode (r->pool, apr_psprintf(r->pool, "%s:%s", user, password)); + auth_line = apr_psprintf(r->pool, "Basic %s", auth_line); + + ret = authenticate_user(r, auth_line, type, 1, 1); + + if (ret == OK) return AUTH_GRANTED; + else return AUTH_USER_NOT_FOUND; +} +static int +kerb_authenticate_user(request_rec *r) +{ + kerb_auth_config *conf = + (kerb_auth_config *) ap_get_module_config(r->per_dir_config, + &auth_kerb_module); + char *auth_line = NULL; + int ret, use_krb4 = 0, use_krb5 = 0; + const char *type = NULL; + /* get the type specified in .htaccess */ type = ap_auth_type(r); + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "kerb_authenticate_user entered with user %s and auth_type %s", + (MK_USER)?MK_USER:"(NULL)",type?type:"(NULL)"); + if (type && strcasecmp(type, "Kerberos") == 0) use_krb5 = use_krb4 = 1; else if(type && strcasecmp(type, "KerberosV5") == 0) - use_krb4 = 0; + use_krb5 = 1; else if(type && strcasecmp(type, "KerberosV4") == 0) - use_krb5 = 0; + use_krb4 = 1; else return DECLINED; - /* get what the user sent us in the HTTP header */ - auth_line = MK_TABLE_GET(r->headers_in, "Authorization"); - if (!auth_line) { - auth_line = MK_TABLE_GET(r->headers_in, "Proxy-Authorization"); - if (!auth_line) { - set_kerb_auth_headers(r, conf, use_krb4, use_krb5, - (use_krb5) ? "\0" : NULL); - return HTTP_UNAUTHORIZED; - } +#if 0 + if (conf->krb_ssl_preauthentication) { + const char *ssl_client_verify = ssl_var_lookup(r->pool, r->server, + r->connection, r, "SSL_CLIENT_VERIFY"); + + if (ssl_client_verify && strcmp(ssl_client_verify, "SUCCESS") == 0) + return OK; } - auth_type = ap_getword_white(r->pool, &auth_line); +#endif - if (already_succeeded(r)) - return last_return; + /* get what the user sent us in the HTTP header */ + auth_line = (char *)MK_TABLE_GET(r->headers_in, (r->proxyreq == PROXYREQ_PROXY) + ? "Proxy-Authorization" + : "Authorization"); + ret = authenticate_user(r, auth_line, type, use_krb4, use_krb5); - ret = HTTP_UNAUTHORIZED; + return ret; +} -#ifdef KRB5 - if (use_krb5 && conf->krb_method_gssapi && - strcasecmp(auth_type, "Negotiate") == 0) { - ret = authenticate_user_gss(r, conf, auth_line, &negotiate_ret_value); - } else if (use_krb5 && conf->krb_method_k5pass && - strcasecmp(auth_type, "Basic") == 0) { - ret = authenticate_user_krb5pwd(r, conf, auth_line); - } -#endif +int +have_rcache_type(const char *type) +{ + krb5_error_code ret; + krb5_context context; + krb5_rcache id = NULL; + int found; -#ifdef KRB4 - if (ret == HTTP_UNAUTHORIZED && use_krb4 && conf->krb_method_k4pass && - strcasecmp(auth_type, "Basic") == 0) - ret = authenticate_user_krb4pwd(r, conf, auth_line); -#endif + ret = krb5_init_context(&context); + if (ret) + return 0; - if (ret == HTTP_UNAUTHORIZED) - set_kerb_auth_headers(r, conf, use_krb4, use_krb5, negotiate_ret_value); + ret = krb5_rc_resolve_full(context, &id, "none:"); + found = (ret == 0); - /* XXX log_debug: if ret==OK, log(user XY authenticated) */ + if (ret == 0) + krb5_rc_destroy(context, id); + krb5_free_context(context); - last_return = ret; - return ret; + return found; } - /*************************************************************************** Module Setup/Configuration ***************************************************************************/ #ifndef STANDARD20_MODULE_STUFF +static void +kerb_module_init(server_rec *dummy, pool *p) +{ +#ifndef HEIMDAL + /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later. + 1.3.x are covered by the hack overiding the replay calls */ + if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none")) + putenv(strdup("KRB5RCACHETYPE=none")); +#endif +} + module MODULE_VAR_EXPORT auth_kerb_module = { STANDARD_MODULE_STUFF, - NULL, /* module initializer */ + kerb_module_init, /* module initializer */ kerb_dir_create_config, /* per-directory config creator */ NULL, /* per-directory config merger */ NULL, /* per-server config creator */ @@ -1229,6 +1814,12 @@ module MODULE_VAR_EXPORT auth_kerb_module = { NULL, /* process initialization */ NULL, /* process exit/cleanup */ NULL /* [ 1] post read_request handling */ +#ifdef EAPI + ,NULL, /* EAPI: add_module */ + NULL, /* EAPI: remove_module */ + NULL, /* EAPI: rewrite_command */ + NULL /* EAPI: new_connection */ +#endif }; #else static int @@ -1236,11 +1827,27 @@ kerb_init_handler(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s) { ap_add_version_component(p, "mod_auth_kerb/" MODAUTHKERB_VERSION); +#ifndef HEIMDAL + /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later. + 1.3.x are covered by the hack overiding the replay calls */ + if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none")) + putenv(strdup("KRB5RCACHETYPE=none")); +#endif + return OK; } -void kerb_register_hooks(apr_pool_t *p) +static void +kerb_register_hooks(apr_pool_t *p) { +#ifdef APACHE22 + static const authn_provider authn_krb_provider = { + &authn_krb_password, + NULL + }; + + ap_register_provider(p, AUTHN_PROVIDER_GROUP, "kerberos", "0", &authn_krb_provider); +#endif ap_hook_post_config(kerb_init_handler, NULL, NULL, APR_HOOK_MIDDLE); ap_hook_check_user_id(kerb_authenticate_user, NULL, NULL, APR_HOOK_MIDDLE); }