summary |
shortlog | log |
commit |
commitdiff |
tree
first ⋅ prev ⋅ next
Simo Sorce [Sat, 13 Jun 2015 20:18:39 +0000 (16:18 -0400)]
Split HMAC_BUFFER out as a separate publi function
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Sat, 11 Apr 2015 21:27:21 +0000 (17:27 -0400)]
Set KRB5CCNAME on follow up requests with session
If the original context establishment delegated credentials, set
the KRB5CCNAME variable to the proper file name for follow up
connections that uses the session to validate access.
Closes #18
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Tue, 9 Jun 2015 17:30:57 +0000 (13:30 -0400)]
Use a compiler to marshall/unmarshall the sessions
This way changes are easier, all is needed is to change the session.asn1
file to add or remove elements, and different session types can also be
supported at the same time.
Isaac Boukris [Sun, 7 Jun 2015 21:52:30 +0000 (00:52 +0300)]
Disable connection-bound for basic-auth
Clients don't expect this and therefore might inappropriately reuse the
connection for another user identity (with or without creds).
This is currently more of an issue due to issue 22, example:
curl -v http://myhost/ -u usera:passa --next http://myhost/ -u userb:passb
Closes #36
Reviewed-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Sat, 6 Jun 2015 14:18:43 +0000 (10:18 -0400)]
Fix segfault if req->main is NULL
Seen in the wild.
Closes #35
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Mon, 25 May 2015 15:04:08 +0000 (17:04 +0200)]
Allow raw NTLM authentication
Some clients may decide to use raw NTLM authentication instead
of wrapping it into a Negotiate (SPNEGO) authentication request.
If the NTLMSSP mechanism is allowed/supported then allow this request
to be processed.
Closes #23
Simo Sorce [Mon, 25 May 2015 14:46:23 +0000 (16:46 +0200)]
Add GssapiAllowedMech option
This option allows the admin to list the mechanisms that can be used for
authentication. An empty list allows any locally supported mechanisms.
Simo Sorce [Mon, 1 Jun 2015 21:48:15 +0000 (17:48 -0400)]
Move acquire_cred functions into a helper
This makes the code more readable and easier to deal with.
Side effect: now we always acquire credentials
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Mon, 1 Jun 2015 21:55:34 +0000 (17:55 -0400)]
More work on keeping cred_store functions optional
Some more definitions that depend on cred_store functions were
not properly ifdef-ed
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Mon, 1 Jun 2015 19:22:18 +0000 (15:22 -0400)]
Fix conditional support for gss_acquire_cred_from
This function is supported only on some GSSAPI versions.
Keep it optional.
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Mon, 25 May 2015 13:53:44 +0000 (15:53 +0200)]
Find the right server name when using basic auth
When S4U2Proxy is used in combination with Basic Auth, the gss_inquire_cred()
call will return the client name instead of the server name we need.
Detect this case and aquire a separate set of credentials in that case.
Fixes #28
Joe Orton [Sat, 23 May 2015 11:15:53 +0000 (12:15 +0100)]
Ignore generated files.
Reviewed-by: Simo Sorce <simo@redhat.com>
Joe Orton [Sat, 23 May 2015 12:04:43 +0000 (13:04 +0100)]
Export only the symbol named auth_gssapi_module
The only entry point into the module DSO is the module structure itself;
use libtool's export-symbols linker trick to hide all the other global
symbols, which otherwise are potentially visible outside the module
itself (SEAL_* etc).
Reviewed-by: Simo Sorce <simo@redhat.com>
Joe Orton [Sat, 23 May 2015 11:26:36 +0000 (12:26 +0100)]
Remove all uses of APLOG_NOERRNO
This directive is deprecated and has no effect in all httpd 2.x releases.
Reviewed-by: Simo Sorce <simo@redhat.com>
Joe Orton [Sat, 23 May 2015 11:24:03 +0000 (12:24 +0100)]
Fix typo.
Reviewed-by: Simo Sorce <simo@redhat.com>
Joe Orton [Sat, 23 May 2015 11:09:06 +0000 (12:09 +0100)]
Drop OOM handling.
In httpd/APR it is best practice to assume that memory allocation always
succeeds, which simplifies module code.
APR internally calls abort() if memory allocation ever actually fails,
so in pratice you cannot trigger these code paths anyway.
Reviewed-by: Simo Sorce <simo@redhat.com>
Joe Orton [Sat, 23 May 2015 11:04:11 +0000 (12:04 +0100)]
Use the "ssl_is_https" definition from mod_ssl.h.
Reviewed-by: Simo Sorce <simo@redhat.com>
Isaac Boukris [Sat, 25 Apr 2015 12:36:40 +0000 (15:36 +0300)]
Add GssapiSignalPersistentAuth directive
Controls whether to send the Persistent-Auth header, and sets it only
when necessary/appropriate
Reviewed-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Tue, 5 May 2015 17:36:04 +0000 (13:36 -0400)]
Export variable with session expiration time
Closes #16
Simo Sorce [Thu, 23 Apr 2015 18:51:00 +0000 (14:51 -0400)]
Revert "Use aes-256-gcm rather than aes-128-cbc"
This reverts commit
e9c92795d87a316ea47f6bf37c9636e86eec57e7.
AESGCM is a neat idea but it is not really appropriate to be used in
mod_auth_gssapi because we cannot gurantee that the nonce will never be
reused. It is not very probable, and it is also not easy to force the
server to generate so many encyrpted sessions to have a good chance of
a collision that I know of, but better to avoid the whole issue, than
risk unforseen cases where it may happen.
Simo Sorce [Tue, 21 Apr 2015 15:48:38 +0000 (11:48 -0400)]
Bump version to 1.2.0
Simo Sorce [Sun, 19 Apr 2015 19:59:51 +0000 (15:59 -0400)]
Properly complete context establishment
On success do not forget to send the last negotiate packet (if any)
to the client within the 200 Reply.
Fixes #21
Simo Sorce [Tue, 14 Apr 2015 17:52:05 +0000 (13:52 -0400)]
Add support for delegate creds on basic auth
When doing fallback basic auth, we may also want to honor the
configured directive about storing delegated credentials.
Detect if we are configured to store them and set the appopriate
init_sec_context flag that will cause the accept_sec_context call
to get valid delegated credentials for later storage.
Simo Sorce [Thu, 2 Apr 2015 22:00:51 +0000 (18:00 -0400)]
Bump version to 1.1.1
Simo Sorce [Mon, 30 Mar 2015 16:48:30 +0000 (12:48 -0400)]
Handle authentication on subrequests
In some cases (like during directory listing) Apache will re-run the
authentication code. Many GSSAPI mechanism have replay detection so
we cannot simply rerun the accept_sec_context phase. Others require
multiple steps. When authntication has already been estalished just
implicitly consider the authentication successfully performed and
copy the user name. Otherwise fail.
If a subrequest hits a location with a different mod_auth_gssapi
configuration warn but do not error off right away.
Fixes #15
Simo Sorce [Thu, 26 Mar 2015 20:30:56 +0000 (16:30 -0400)]
Escape principal name to remove the path separator
The principla name is used as a file name, any embedded path separators
are going to cause trouble if used in the file name, so we need to escape
them away. Usee ~ as the escape chracter (~~ to escape ~ itself)
Fixes #14
Simo Sorce [Thu, 12 Mar 2015 19:49:09 +0000 (15:49 -0400)]
Bump version to 1.1.0
Nathaniel McCallum [Tue, 10 Mar 2015 14:57:23 +0000 (10:57 -0400)]
Use aes-256-gcm rather than aes-128-cbc
Also, remove all the manual HMAC code since it is no longer needed.
The end result should be faster and stronger authenticated encryption.
Closes #12
Reviewed-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Tue, 10 Mar 2015 21:14:33 +0000 (17:14 -0400)]
Do not free orig_ccache
It realy is const memory referenced internally by MIT's gssapi.
Freeing it will cause a segfault on the next invocation.
This memory is kept in thread local storage and freed by gssapi itself
as needed.
Fixes #11
Simo Sorce [Tue, 10 Mar 2015 16:23:12 +0000 (12:23 -0400)]
Improve Basic Auth based logins
Set a per-thread Credentials Cache Name that will be thrown away once
authentication is done. This handles both an issue with stomping on
ccaches if two authentications happen in concurrent threads, as well
as issues with gss_acquire_cred_with_password() reusing the ccache
without actually performing an AS request.
Fixes #11
Simo Sorce [Tue, 10 Mar 2015 17:32:36 +0000 (13:32 -0400)]
Fix random number generation
Untested code is broken code :(
Simo Sorce [Tue, 10 Mar 2015 16:15:50 +0000 (12:15 -0400)]
Use apr function for random bytes
The apr function is thread safe while the OpenSSL one depdns on setting
up custom locking, which is hard in a library.
Simo Sorce [Mon, 9 Mar 2015 14:46:55 +0000 (10:46 -0400)]
Documentation fixes
Fix GssapiDelegCcacheDir examples and add all the required options to
make GssapiUseS4U2Proxy really work.
Thanks to David Kupka for testing that highlighted these issues.
Simo Sorce [Fri, 6 Mar 2015 14:30:51 +0000 (09:30 -0500)]
Remove forward basic auth and fix docs
Fixes #8
Simo Sorce [Thu, 5 Mar 2015 22:26:45 +0000 (17:26 -0500)]
Add support for handling Basic Auth
Support either passing Basic Auth Through to another module,
or handling it directly through gss_acquire_cred_with_password()
Fixes #8
Simo Sorce [Thu, 5 Mar 2015 17:05:45 +0000 (12:05 -0500)]
Do not leak acquired_cred
Nathaniel McCallum [Tue, 3 Feb 2015 14:20:15 +0000 (15:20 +0100)]
Replace block size constants with actual block size
Simo Sorce [Sat, 8 Nov 2014 19:20:41 +0000 (14:20 -0500)]
Bump version to 1.0.4
Simo Sorce [Tue, 21 Oct 2014 17:15:29 +0000 (13:15 -0400)]
Fix error message copy&paste error
Simo Sorce [Tue, 14 Oct 2014 13:17:46 +0000 (09:17 -0400)]
Fix build on some platforms by adding extra flags
For some reason all the necessary CFALGS are not returned by simply
querying the CFLAGS from apxs. We also need to query EXTRA_CPPFLAGS
apparently.
Simo Sorce [Mon, 13 Oct 2014 20:46:26 +0000 (16:46 -0400)]
Properly initialize logging
We need to call APLOG_USE_MODULE() so that the module name is reported
properly in log lines, and per module logging level can be set.
Fixes #6
Simo Sorce [Mon, 13 Oct 2014 20:35:57 +0000 (16:35 -0400)]
Attempt to use sessions only when they are enabled
Simo Sorce [Fri, 12 Sep 2014 14:40:06 +0000 (10:40 -0400)]
Bump version to 1.0.3
Simo Sorce [Thu, 11 Sep 2014 21:01:26 +0000 (17:01 -0400)]
Change the modules build process
USe automake directives to directly invoke the apxs favored libtool,
and use APXS only to perform the final install.
Fixes #4
Simo Sorce [Fri, 29 Aug 2014 17:29:42 +0000 (13:29 -0400)]
Include only necessary libs when calling apxs
Drop cflags and libs options that make apxs unhappy
Closes #3
Simo Sorce [Tue, 26 Aug 2014 22:11:40 +0000 (18:11 -0400)]
Bump version to 1.0.2
Simo Sorce [Tue, 26 Aug 2014 22:06:49 +0000 (18:06 -0400)]
Add instructions to README file
Simo Sorce [Tue, 26 Aug 2014 21:10:18 +0000 (17:10 -0400)]
Fix GssapiCredStore usage
This allows to always define the keytab in terms of GssapiCredStore
options instead of having to set a KRB5_KTNAME variable.
Fixes Issue 2
Simo Sorce [Thu, 14 Aug 2014 12:58:59 +0000 (08:58 -0400)]
Release v1.0.1
Simo Sorce [Thu, 14 Aug 2014 12:38:46 +0000 (08:38 -0400)]
Fix typo in contrib spec file
Alexander Bokovoy [Thu, 14 Aug 2014 11:50:27 +0000 (14:50 +0300)]
Announce module name and version in the server signature
Alexander Bokovoy [Thu, 14 Aug 2014 11:45:51 +0000 (14:45 +0300)]
GssapiLocalName is about translating principals to local usernames
Fix wrong description
Alexander Bokovoy [Thu, 14 Aug 2014 09:26:44 +0000 (12:26 +0300)]
Make dependency on openssl for EVP functions explicit
Simo Sorce [Tue, 12 Aug 2014 16:50:39 +0000 (12:50 -0400)]
Suppress -Werror=format-security errors
Simo Sorce [Tue, 12 Aug 2014 16:47:03 +0000 (12:47 -0400)]
Add openssl BuildRequires
Simo Sorce [Mon, 11 Aug 2014 22:20:17 +0000 (18:20 -0400)]
Add simple spec file
Simo Sorce [Mon, 11 Aug 2014 22:17:03 +0000 (18:17 -0400)]
Quick and dirty fix for make dist
Simo Sorce [Mon, 4 Aug 2014 13:29:07 +0000 (09:29 -0400)]
Release version 1.0.0
Simo Sorce [Thu, 10 Jul 2014 10:53:00 +0000 (06:53 -0400)]
Add S4U2Proxy support
SU2Proxy support is enabled when GssapiUseS4U2Proxy is set to On
When S4U2Proxy is enabled GssapiDelegCcacheDir is used to determine
where delegated credentials are stored. The ccache type used is always
of type FILE and is located in the provided directory (defaults to /tmp).
The credentials are stored in a file named after the client credentials
so the directory SHOUL NOT be world writeable if a mutiuser system is
used as ccache file names are predictable.
Simo Sorce [Mon, 7 Jul 2014 15:42:57 +0000 (11:42 -0400)]
Add permanent session keys support
Keys (encryption+MAC) can now be stored in apache configuration.
The key must be a base64 encoded blob of original length of 32 bytes
(16 bytes for encryption and 16 for the MAC key)
The format is:
key:<base64 blob>
Simo Sorce [Mon, 21 Apr 2014 20:36:56 +0000 (16:36 -0400)]
Add mod_session support
By setting GssapiUseSessions we enable the module to store a bearer
token with the user and gss names in the client, this way we can allow
clients to perform authentication once but then remain authenticaed
for the duration of the session or until the original credentials expire.
The Secure cookie used to store the token is encrypted using a randomly
generated AES key at process startup. This means multiple apache servers
will not be able to use the same cookie, however the client will reauth
transparently if the cookie cannot be read.
Simo Sorce [Thu, 10 Jul 2014 09:43:55 +0000 (05:43 -0400)]
Add mod_auth_gssapi.h
Move all includes into it and also include config.h which was missing
causing some ifdefed code not to be compiled.
Also address includes conflict between httpd.h and config.h and the
PACKAGE_* variables.
Simo Sorce [Thu, 24 Apr 2014 19:35:22 +0000 (15:35 -0400)]
Fix typo
Simo Sorce [Mon, 21 Apr 2014 15:00:11 +0000 (11:00 -0400)]
Use more readable configuration option names.
Simo Sorce [Wed, 16 Apr 2014 01:08:52 +0000 (21:08 -0400)]
Simplify configure.ac and makefile.am files
Remove unnecessary cruft, that was only making things harder to read.
Simo Sorce [Wed, 16 Apr 2014 00:54:47 +0000 (20:54 -0400)]
Use appropriate flags so make dist works
On my system I have high UIds, without tar-pax make dist fails.
Also add other useful parameters
Simo Sorce [Wed, 16 Apr 2014 00:50:36 +0000 (20:50 -0400)]
Set context data on the pool with a destructor
This way the context is available for the duration of the connection.
It is also properly freed if the connection is interrupted before the context
is fully established.
Simo Sorce [Thu, 10 Apr 2014 05:22:46 +0000 (01:22 -0400)]
Fix use after free
On errors mc->ctx would be left pointing at the freed context,
make sure it is cleared if we delete the context.
Simo Sorce [Thu, 10 Apr 2014 04:52:39 +0000 (00:52 -0400)]
Fix base64 encoding of tokens
The token was being trunkated as the total length should have been:
replen + 10
Just remove this line, apr_base64_encode() already properly terminate
the buffer.
Simo Sorce [Sat, 12 Apr 2014 22:14:37 +0000 (18:14 -0400)]
Register optional functions
Simo Sorce [Thu, 13 Mar 2014 20:02:03 +0000 (16:02 -0400)]
Implement checking for TLS connections
Obey the GSSSSLOnly setting.
Simo Sorce [Sun, 9 Mar 2014 20:24:34 +0000 (16:24 -0400)]
Allow context to be attached to the connection
This means the authentication is not repeated for every request but
is retained for the life of the connection.
This may be a security issue if a frontend proxy shares connections
between multiple users so must be used with care.
RFC 4559 warns that clients should not try SPNEGO if such a proxy
is present. Unfortuntely the RFC assumes a non-standard method to
determine if a proxy maintain separate connections.
Simo Sorce [Sun, 9 Mar 2014 21:16:12 +0000 (17:16 -0400)]
Fix module name
The module structure name used throughout the code didn't match the
name of the initialized structure, so the one used was always
uninitialized.
Simo Sorce [Sat, 8 Mar 2014 19:23:28 +0000 (14:23 -0500)]
Add option to map GSS Name to local Name
Always preserves the received name in GSS_NAME.
In the kereberos case this will result in the environment variable
called GSS_NAME the user's principal, while REMOTE_USER will contain
the user name as mapped by the kerberos library.
Simo Sorce [Sat, 15 Feb 2014 22:33:31 +0000 (17:33 -0500)]
Use the cred_store extension to save credentials
Simo Sorce [Sat, 15 Feb 2014 22:33:00 +0000 (17:33 -0500)]
Fix warnings
Simo Sorce [Sat, 15 Feb 2014 20:59:06 +0000 (15:59 -0500)]
Add initial configure scripts
Simo Sorce [Thu, 13 Feb 2014 22:52:39 +0000 (17:52 -0500)]
Example apache module conf
Simo Sorce [Tue, 28 Jan 2014 02:26:55 +0000 (21:26 -0500)]
Initial code
Signed-off-by: Simo Sorce <simo@redhat.com>