*/
/*
- * Copyright (c) 2004 Masarykova universita
+ * Copyright (c) 2004-2005 Masarykova universita
* (Masaryk University, Brno, Czech Republic)
* All rights reserved.
*
int use_krb4, int use_krb5pwd, char *negotiate_ret_value);
static const char*
-krb5_save_realms(cmd_parms *cmd, kerb_auth_config *sec, char *arg);
+krb5_save_realms(cmd_parms *cmd, kerb_auth_config *sec, const char *arg);
#ifdef STANDARD20_MODULE_STUFF
#define command(name, func, var, type, usage) \
- AP_INIT_ ## type (name, func, \
+ AP_INIT_ ## type (name, (void*) func, \
(void*)APR_XtOffsetOf(kerb_auth_config, var), \
OR_AUTHCFG | RSRC_CONF, usage)
#else
}
static const char*
-krb5_save_realms(cmd_parms *cmd, kerb_auth_config *sec, char *arg)
+krb5_save_realms(cmd_parms *cmd, kerb_auth_config *sec, const char *arg)
{
sec->krb_auth_realms= ap_pstrdup(cmd->pool, arg);
return NULL;
goto end;
}
log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
- "Using principal %s to verify authenticity of KDC", server_name);
+ "Trying to verify authenticity of KDC using principal %s", server_name);
free(server_name);
if (!krb5_principal_compare (context, ap_req_server, creds->server)) {
int ret;
char *name = NULL;
int all_principals_unkown;
+ char *p = NULL;
code = krb5_init_context(&kcontext);
if (code) {
sent_pw = ap_pbase64decode(r->pool, auth_line);
sent_name = ap_getword (r->pool, &sent_pw, ':');
- /* do not allow user to override realm setting of server */
- if (strchr(sent_name, '@')) {
- log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "specifying realm in user name is prohibited");
- ret = HTTP_UNAUTHORIZED;
- goto end;
- }
if (sent_pw == NULL || *sent_pw == '\0') {
log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
if (conf->krb_5_keytab)
krb5_kt_resolve(kcontext, conf->krb_5_keytab, &keytab);
+ p = strchr(sent_name, '@');
+ if (p) {
+ *p++ = '\0';
+ if (conf->krb_auth_realms && !ap_find_token(r->pool, conf->krb_auth_realms, p)) {
+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "Specified realm `%s' not allowed by configuration", p);
+ ret = HTTP_UNAUTHORIZED;
+ goto end;
+ }
+ }
+
+ realms = (p) ? p : conf->krb_auth_realms;
all_principals_unkown = 1;
- realms = conf->krb_auth_realms;
do {
- name = sent_name;
+ name = (char *) sent_name;
if (realms && (realm = ap_getword_white(r->pool, &realms)))
name = ap_psprintf(r->pool, "%s@%s", sent_name, realm);
}
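Review bot: The new realm check on L55 is only applied when `conf->krb_auth_realms` is set, so with KrbAuthRealms unconfigured any client-supplied `user@REALM` is accepted and L63 makes that realm the one the loop below builds the principal from — if that default-allow is intended it should be stated in a comment (`/* no KrbAuthRealms: client may name any realm the KDC will serve */`), otherwise the condition should reject a realm whenever none are configured. Even when realms are configured, `ap_find_token` is an HTTP-token matcher: it is case-insensitive and, in the httpd implementations I know, compares only as many characters as the configured token has, so a client realm that differs in case or merely starts with a configured realm can pass; comparing each whitespace-separated entry with `strcmp` (via `ap_getword_white`, already used on L69) is the exact test wanted here. Note also that `*p++ = '\0'` on L54 truncates `sent_name` itself, so whatever later code uses `sent_name` (REMOTE_USER, logging) now sees the bare user part without the realm it was verified in — worth confirming in the rest of the function, which continues past this hunk — and if `sent_name` is declared `const char *` (the cast on L68 suggests so), that write goes through a pointer `strchr` laundered from a const string.
```c
p = strchr(sent_name, '@');
if (p) {
    const char *allowed = conf->krb_auth_realms;
    const char *candidate;
    int found = 0;

    *p++ = '\0';
    /* Exact, case-sensitive match against each configured realm; an unset
       KrbAuthRealms leaves the client-supplied realm unrestricted. */
    while (allowed && *(candidate = ap_getword_white(r->pool, &allowed)) != '\0') {
        if (strcmp(candidate, p) == 0) {
            found = 1;
            break;
        }
    }
    if (conf->krb_auth_realms && !found) {
        log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                   "Specified realm `%s' not allowed by configuration", p);
        ret = HTTP_UNAUTHORIZED;
        goto end;
    }
}
/* … unchanged: realms selection and principal-building loop … */
```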
sprintf(ktname, "KRB5_KTNAME=%s", conf->krb_5_keytab);
putenv(ktname);
+#ifdef HEIMDAL
+ /* Seems to be also supported by latest MIT */
+ gsskrb5_register_acceptor_identity(conf->krb_5_keytab);
+#endif
}
ret = get_gss_creds(r, conf, &server_creds);
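Review bot: The status returned by `gsskrb5_register_acceptor_identity()` on L76 is discarded, so a keytab path that fails to register is only noticed later as an opaque `get_gss_creds` failure, and the `KRB5_KTNAME` environment fallback set on L72–L73 silently decides which keytab is actually used. I would capture and log it, e.g. `if (gsskrb5_register_acceptor_identity(conf->krb_5_keytab)) log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, "Failed to register acceptor keytab %s", conf->krb_5_keytab);`. The comment "Seems to be also supported by latest MIT" contradicts the `#ifdef HEIMDAL` guard; either widen the guard to a feature test for the symbol or reword the comment to say why the call is Heimdal-only for now. The enclosing block starts before this hunk.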