*/
/*
- * Copyright (c) 2004 Masarykova universita
+ * Copyright (c) 2004-2005 Masarykova universita
* (Masaryk University, Brno, Czech Republic)
* All rights reserved.
*
int use_krb4, int use_krb5pwd, char *negotiate_ret_value);
static const char*
-krb5_save_realms(cmd_parms *cmd, kerb_auth_config *sec, char *arg);
+krb5_save_realms(cmd_parms *cmd, kerb_auth_config *sec, const char *arg);
#ifdef STANDARD20_MODULE_STUFF
#define command(name, func, var, type, usage) \
- AP_INIT_ ## type (name, func, \
+ AP_INIT_ ## type (name, (void*) func, \
(void*)APR_XtOffsetOf(kerb_auth_config, var), \
OR_AUTHCFG | RSRC_CONF, usage)
#else
}
static const char*
-krb5_save_realms(cmd_parms *cmd, kerb_auth_config *sec, char *arg)
+krb5_save_realms(cmd_parms *cmd, kerb_auth_config *sec, const char *arg)
{
sec->krb_auth_realms= ap_pstrdup(cmd->pool, arg);
return NULL;
* we had to use this call instead, which is only a bit modified version of
* krb5_verify_init_creds() */
static krb5_error_code
-verify_krb5_init_creds(krb5_context context, krb5_creds *creds,
+verify_krb5_init_creds(request_rec *r, krb5_context context, krb5_creds *creds,
krb5_principal ap_req_server, krb5_keytab ap_req_keytab)
{
krb5_error_code ret;
krb5_creds *new_creds = NULL;
krb5_auth_context auth_context = NULL;
krb5_keytab keytab = NULL;
+ char *server_name;
memset(&req, 0, sizeof(req));
keytab = ap_req_keytab;
ret = krb5_cc_resolve(context, "MEMORY:", &local_ccache);
- if (ret)
+ if (ret) {
+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "krb5_cc_resolve() failed when verifying KDC");
return ret;
+ }
ret = krb5_cc_initialize(context, local_ccache, creds->client);
- if (ret)
+ if (ret) {
+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "krb5_cc_initialize() failed when verifying KDC");
goto end;
+ }
ret = krb5_cc_store_cred (context, local_ccache, creds);
- if (ret)
+ if (ret) {
+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "krb5_cc_initialize() failed when verifying KDC");
goto end;
+ }
+
+ ret = krb5_unparse_name(context, ap_req_server, &server_name);
+ if (ret) {
+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "krb5_unparse_name() failed when verifying KDC");
+ goto end;
+ }
+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "Trying to verify authenticity of KDC using principal %s", server_name);
+ free(server_name);
if (!krb5_principal_compare (context, ap_req_server, creds->server)) {
krb5_creds match_cred;
ret = krb5_get_credentials (context, 0, local_ccache,
&match_cred, &new_creds);
- if (ret)
+ if (ret) {
+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "krb5_get_credentials() failed when verifying KDC");
goto end;
+ }
creds = new_creds;
}
ret = krb5_mk_req_extended (context, &auth_context, 0, NULL, creds, &req);
- if (ret)
+ if (ret) {
+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "krb5_mk_req_extended() failed when verifying KDC");
goto end;
+ }
krb5_auth_con_free (context, auth_context);
auth_context = NULL;
ret = krb5_auth_con_init(context, &auth_context);
- if (ret)
+ if (ret) {
+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "krb5_auth_con_init() failed when verifying KDC");
goto end;
+ }
/* use KRB5_AUTH_CONTEXT_DO_SEQUENCE to skip replay cache checks */
krb5_auth_con_setflags(context, auth_context, KRB5_AUTH_CONTEXT_DO_SEQUENCE);
ret = krb5_rd_req (context, &auth_context, &req, ap_req_server,
keytab, 0, NULL);
+ if (ret) {
+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "krb5_rd_req() failed when verifying KDC");
+ goto end;
+ }
end:
#ifdef HEIMDAL
krb5_principal server = NULL;
krb5_error_code ret;
krb5_ccache ret_ccache = NULL;
+ char *name = NULL;
/* XXX error messages shouldn't be logged here (and in the while() loop in
* authenticate_user_krb5pwd() as weell), in order to avoid confusing log
memset(&creds, 0, sizeof(creds));
+ ret = krb5_unparse_name(context, principal, &name);
+ if (ret == 0) {
+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "Trying to get TGT for user %s", name);
+ free(name);
+ }
+
ret = krb5_get_init_creds_password(context, &creds, principal,
(char *)password, NULL,
NULL, 0, NULL, NULL);
log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"krb5_get_init_creds_password() failed: %s",
krb5_get_err_text(context, ret));
- return ret;
+ goto end;
}
ret = krb5_sname_to_principal(context, ap_get_server_name(r), service,
*/
if (krb_verify_kdc &&
- (ret = verify_krb5_init_creds(context, &creds, server, keytab))) {
+ (ret = verify_krb5_init_creds(r, context, &creds, server, keytab))) {
log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"failed to verify krb5 credentials: %s",
krb5_get_err_text(context, ret));
int ret;
char *name = NULL;
int all_principals_unkown;
+ char *p = NULL;
code = krb5_init_context(&kcontext);
if (code) {
sent_pw = ap_pbase64decode(r->pool, auth_line);
sent_name = ap_getword (r->pool, &sent_pw, ':');
- /* do not allow user to override realm setting of server */
- if (strchr(sent_name, '@')) {
- log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "specifying realm in user name is prohibited");
- ret = HTTP_UNAUTHORIZED;
- goto end;
- }
if (sent_pw == NULL || *sent_pw == '\0') {
log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
if (conf->krb_5_keytab)
krb5_kt_resolve(kcontext, conf->krb_5_keytab, &keytab);
+ p = strchr(sent_name, '@');
+ if (p) {
+ *p++ = '\0';
+ if (conf->krb_auth_realms && !ap_find_token(r->pool, conf->krb_auth_realms, p)) {
+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "Specified realm `%s' not allowed by configuration", p);
+ ret = HTTP_UNAUTHORIZED;
+ goto end;
+ }
+ }
+
+ realms = (p) ? p : conf->krb_auth_realms;
all_principals_unkown = 1;
- realms = conf->krb_auth_realms;
do {
- name = sent_name;
+ name = (char *) sent_name;
if (realms && (realm = ap_getword_white(r->pool, &realms)))
name = ap_psprintf(r->pool, "%s@%s", sent_name, realm);
}
sprintf(ktname, "KRB5_KTNAME=%s", conf->krb_5_keytab);
putenv(ktname);
+#ifdef HEIMDAL
+ /* Seems to be also supported by latest MIT */
+ gsskrb5_register_acceptor_identity(conf->krb_5_keytab);
+#endif
}
ret = get_gss_creds(r, conf, &server_creds);
projects / mod_auth_kerb.cvs / .git / blobdiff