#include <netdb.h> /* gethostbyname() */
#endif /* KRB4 */
-#ifndef _WIN32
-/* should be HAVE_UNISTD_H instead */
+#if HAVE_UNISTD_H
#include <unistd.h>
#endif
#endif
} kerb_auth_config;
+typedef struct krb5_conn_data {
+ char *authline;
+ char *user;
+ char *mech;
+ int last_return;
+} krb5_conn_data;
+
static void
set_kerb_auth_headers(request_rec *r, const kerb_auth_config *conf,
int use_krb4, int use_krb5pwd, char *negotiate_ret_value);
#endif
/***************************************************************************
- Macro To Control krb5_aname_to_localname buffer size
- ***************************************************************************/
-#define AN_TO_LN_BUFFSIZE_MAX 1024
-
-/***************************************************************************
Auth Configuration Initialization
***************************************************************************/
static void *kerb_dir_create_config(MK_POOL *p, char *d)
} else
keytab = ap_req_keytab;
+#ifdef HAVE_KRB5_CC_NEW_UNIQUE
+ ret = krb5_cc_new_unique(context, "MEMORY", NULL, &local_ccache);
+#else
ret = krb5_cc_resolve(context, "MEMORY:", &local_ccache);
+#endif
+
if (ret) {
log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"krb5_cc_resolve() failed when verifying KDC");
static krb5_error_code
verify_krb5_user(request_rec *r, krb5_context context, krb5_principal principal,
const char *password, krb5_principal server,
- krb5_keytab keytab, int krb_verify_kdc, krb5_ccache *ccache)
+ krb5_keytab keytab, int krb_verify_kdc, char *krb_service_name, krb5_ccache *ccache)
{
krb5_creds creds;
+ krb5_get_init_creds_opt options;
krb5_error_code ret;
krb5_ccache ret_ccache = NULL;
char *name = NULL;
+ krb5_keytab_entry entry;
+ krb5_kt_cursor cursor;
/* XXX error messages shouldn't be logged here (and in the while() loop in
* authenticate_user_krb5pwd() as weell), in order to avoid confusing log
free(name);
}
+ krb5_get_init_creds_opt_init(&options);
ret = krb5_get_init_creds_password(context, &creds, principal,
(char *)password, NULL,
- NULL, 0, NULL, NULL);
+ NULL, 0, NULL, &options);
if (ret) {
log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"krb5_get_init_creds_password() failed: %s",
}
*/
- if (krb_verify_kdc &&
+ /*if (krb_verify_kdc &&
(ret = verify_krb5_init_creds(r, context, &creds, server, keytab))) {
log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"failed to verify krb5 credentials: %s",
krb5_get_err_text(context, ret));
goto end;
+ }*/
+
+ if (krb_verify_kdc) {
+ if (krb_service_name && strcmp(krb_service_name,"Any") == 0) {
+ ret = krb5_kt_start_seq_get(context, keytab, &cursor);
+ if(!ret) {
+ while((krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0){
+ if ((ret = verify_krb5_init_creds(r, context, &creds, entry.principal, keytab)) == 0)
+ break;
+ }
+ }
+ if (ret) {
+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "failed to verify krb5 credentials: %s",
+ krb5_get_err_text(context, ret));
+ krb5_kt_end_seq_get(context, keytab, &cursor);
+ krb5_kt_close(context, keytab);
+ goto end;
+ }
+ krb5_kt_end_seq_get(context, keytab, &cursor);
+ krb5_kt_close(context, keytab);
+ }
+ else {
+ if ((ret = verify_krb5_init_creds(r, context, &creds, server, keytab))) {
+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "failed to verify krb5 credentials: %s",
+ krb5_get_err_text(context, ret));
+ goto end;
+ }
+ }
}
+#ifdef HAVE_KRB5_CC_NEW_UNIQUE
+ ret = krb5_cc_new_unique(context, "MEMORY", NULL, &ret_ccache);
+#else
ret = krb5_cc_resolve(context, "MEMORY:", &ret_ccache);
+#endif
+
if (ret) {
log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"generating new memory ccache failed: %s",
char *name = NULL;
int all_principals_unkown;
char *p = NULL;
- char *MK_USER_LNAME=NULL;
code = krb5_init_context(&kcontext);
if (code) {
}
code = verify_krb5_user(r, kcontext, client, sent_pw,
- server, keytab, conf->krb_verify_kdc, &ccache);
+ server, keytab, conf->krb_verify_kdc, conf->krb_service_name, &ccache);
if (!conf->krb_authoritative && code) {
/* if we're not authoritative, we allow authentication to pass on
* to another modules if (and only if) the user is not known to us */
if (conf->krb_save_credentials)
store_krb5_creds(kcontext, r, conf, ccache);
-
- if (conf->krb5_do_auth_to_local) {
- MK_USER_LNAME = malloc(strlen(MK_USER)+1);
- krb5_aname_to_localname(kcontext, client, strlen(MK_USER), MK_USER_LNAME);
- log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
- "kerb_authenticate_a_name_to_local_name %s -> %s",
- (MK_USER)?MK_USER:"(NULL)", (MK_USER_LNAME)?MK_USER_LNAME:"(NULL)");
- MK_USER = MK_USER_LNAME;
- }
+
ret = OK;
end:
have_server_princ = conf->krb_service_name && strchr(conf->krb_service_name, '/') != NULL;
if (have_server_princ)
strncpy(buf, conf->krb_service_name, sizeof(buf));
+ else if (conf->krb_service_name && strcmp(conf->krb_service_name,"Any") == 0) {
+ *server_creds = GSS_C_NO_CREDENTIAL;
+ return 0;
+ }
else
snprintf(buf, sizeof(buf), "%s@%s",
(conf->krb_service_name) ? conf->krb_service_name : SERVICE_NAME,
if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL)
store_gss_creds(r, conf, (char *)output_token.value, delegated_cred);
-
+
gss_release_buffer(&minor_status, &output_token);
ret = OK;
return ret;
}
-#endif /* KRB5 */
static int
-already_succeeded(request_rec *r)
+do_krb5_an_to_ln(request_rec *r) {
+ krb5_error_code code;
+ int ret = HTTP_INTERNAL_SERVER_ERROR;
+ char *MK_USER_LNAME = NULL;
+ krb5_context kcontext = NULL;
+ krb5_principal client = NULL;
+
+ code = krb5_init_context(&kcontext);
+ if (code) {
+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "Cannot initialize Kerberos5 context (%d)", code);
+ goto end;
+ }
+
+ code = krb5_parse_name(kcontext, MK_USER, &client);
+ if (code) {
+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "krb5_parse_name() failed: %s",
+ krb5_get_err_text(kcontext, code));
+ goto end;
+ }
+ MK_USER_LNAME = apr_pcalloc(r->pool, strlen(MK_USER)+1);
+ if (MK_USER_LNAME == NULL) {
+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "ap_pcalloc() failed (not enough memory)");
+ goto end;
+ }
+ code = krb5_aname_to_localname(kcontext, client, strlen(MK_USER), MK_USER_LNAME);
+ if (code) {
+ if (code != KRB5_LNAME_NOTRANS) {
+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "krb5_aname_to_localname() failed: %s",
+ krb5_get_err_text(kcontext, code));
+
+ }
+ else {
+ log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r,
+ "krb5_aname_to_localname() found no "
+ "mapping for principal %s",
+ MK_USER);
+ }
+ }
+ else {
+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "kerb_authenticate_a_name_to_local_name %s -> %s",
+ (MK_USER)?MK_USER:"(NULL)", (MK_USER_LNAME)?MK_USER_LNAME:"(NULL)");
+ MK_USER = apr_pstrdup(r->pool, MK_USER_LNAME);
+ ret = OK;
+ }
+ end:
+ if (client)
+ krb5_free_principal(kcontext, client);
+ if (kcontext)
+ krb5_free_context(kcontext);
+ return ret;
+}
+
+
+#endif /* KRB5 */
+
+static krb5_conn_data *
+already_succeeded(request_rec *r, char *auth_line)
{
- if (ap_is_initial_req(r) || MK_AUTH_TYPE == NULL)
- return 0;
- if (strcmp(MK_AUTH_TYPE, MECH_NEGOTIATE) ||
- (strcmp(MK_AUTH_TYPE, "Basic") && strchr(MK_USER, '@')))
- return 1;
- return 0;
+ krb5_conn_data *conn_data;
+ const char keyname[1024];
+
+ snprintf(keyname, sizeof(keyname) - 1,
+ "mod_auth_kerb::connection::%s::%ld", r->connection->remote_ip,
+ r->connection->id);
+
+ if (apr_pool_userdata_get(&conn_data, keyname, r->connection->pool) != 0)
+ return NULL;
+
+ if(conn_data) {
+ if(strcmp(conn_data->authline, auth_line) == 0) {
+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "matched previous auth request");
+ return conn_data;
+ }
+ }
+ return NULL;
}
static void
kerb_auth_config *conf =
(kerb_auth_config *) ap_get_module_config(r->per_dir_config,
&auth_kerb_module);
+ krb5_conn_data *prevauth = NULL;
const char *auth_type = NULL;
const char *auth_line = NULL;
const char *type = NULL;
int ret;
static int last_return = HTTP_UNAUTHORIZED;
char *negotiate_ret_value = NULL;
+ char keyname[1024];
/* get the type specified in .htaccess */
type = ap_auth_type(r);
(strcasecmp(auth_type, "Basic") == 0))
return DECLINED;
- if (already_succeeded(r))
- return last_return;
-
- ret = HTTP_UNAUTHORIZED;
+ if ( (prevauth = already_succeeded(r, auth_line)) == NULL) {
+ ret = HTTP_UNAUTHORIZED;
#ifdef KRB5
if (use_krb5 && conf->krb_method_gssapi &&
if (ret == HTTP_UNAUTHORIZED)
set_kerb_auth_headers(r, conf, use_krb4, use_krb5, negotiate_ret_value);
+ } else {
+ ret = prevauth->last_return;
+ MK_USER = prevauth->user;
+ MK_AUTH_TYPE = prevauth->mech;
+ }
+
+ /*
+ * save who was auth'd, if it's not already stashed.
+ */
+ if(!prevauth) {
+ prevauth = (krb5_conn_data *) apr_pcalloc(r->connection->pool, sizeof(krb5_conn_data));
+ prevauth->user = apr_pstrdup(r->connection->pool, MK_USER);
+ prevauth->authline = apr_pstrdup(r->connection->pool, auth_line);
+ prevauth->mech = apr_pstrdup(r->connection->pool, auth_type);
+ prevauth->last_return = ret;
+ snprintf(keyname, sizeof(keyname) - 1,
+ "mod_auth_kerb::connection::%s::%ld",
+ r->connection->remote_ip, r->connection->id);
+ apr_pool_userdata_set(prevauth, keyname, NULL, r->connection->pool);
+ }
+
+ if (ret == OK && conf->krb5_do_auth_to_local)
+ ret = do_krb5_an_to_ln(r);
+
/* XXX log_debug: if ret==OK, log(user XY authenticated) */
last_return = ret;