#include <netdb.h> /* gethostbyname() */
#endif /* KRB4 */
-#ifndef _WIN32
-/* should be HAVE_UNISTD_H instead */
+#if HAVE_UNISTD_H
#include <unistd.h>
#endif
const char *auth_line)
{
int ret;
- const char *sent_pw;
+ char *sent_pw;
const char *sent_name;
char *sent_instance;
char tkt_file[32];
static krb5_error_code
verify_krb5_user(request_rec *r, krb5_context context, krb5_principal principal,
const char *password, krb5_principal server,
- krb5_keytab keytab, int krb_verify_kdc, krb5_ccache *ccache)
+ krb5_keytab keytab, int krb_verify_kdc, char *krb_service_name, krb5_ccache *ccache)
{
krb5_creds creds;
+ krb5_get_init_creds_opt options;
krb5_error_code ret;
krb5_ccache ret_ccache = NULL;
char *name = NULL;
+ krb5_keytab_entry entry;
+ krb5_kt_cursor cursor;
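Review bot: The new `krb_service_name` parameter is declared `char *` although the only use visible in this change is a `strcmp()` against "Any", so it should be `const char *krb_service_name` so that callers can pass configuration strings without a cast and the signature documents that the function does not modify it. The function body continues past this hunk, so if some later line really writes through it that should be confirmed first. `entry` and `cursor` are declared here but only have meaning inside the `krb_verify_kdc` branch later on; a one-line comment such as `/* used only when KrbServiceName is "Any": iterate the keytab */` next to them would save the reader a search.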
/* XXX error messages shouldn't be logged here (and in the while() loop in
* authenticate_user_krb5pwd() as weell), in order to avoid confusing log
free(name);
}
+ krb5_get_init_creds_opt_init(&options);
ret = krb5_get_init_creds_password(context, &creds, principal,
(char *)password, NULL,
- NULL, 0, NULL, NULL);
+ NULL, 0, NULL, &options);
if (ret) {
log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"krb5_get_init_creds_password() failed: %s",
}
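Review bot: `options` is initialised with `krb5_get_init_creds_opt_init()` and passed in place of the previous NULL, but nothing in this hunk sets any option on it, so unless it is configured elsewhere in verify_krb5_user (the body runs outside the hunk) the call behaves exactly as before and the change only adds a stack object. If options are meant to be set here, MIT documents the stack-allocated struct form as deprecated and both MIT and Heimdal provide `krb5_get_init_creds_opt_alloc()`/`krb5_get_init_creds_opt_free()` for the opaque form; a comment stating which option is intended to be set would make the purpose of the change clear.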
*/
- if (krb_verify_kdc &&
+ /*if (krb_verify_kdc &&
(ret = verify_krb5_init_creds(r, context, &creds, server, keytab))) {
log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"failed to verify krb5 credentials: %s",
krb5_get_err_text(context, ret));
goto end;
+ }*/
+
+ if (krb_verify_kdc) {
+ if (krb_service_name && strcmp(krb_service_name,"Any") == 0) {
+ ret = krb5_kt_start_seq_get(context, keytab, &cursor);
+ if(!ret) {
+ while((krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0){
+ if ((ret = verify_krb5_init_creds(r, context, &creds, entry.principal, keytab)) == 0)
+ break;
+ }
+ }
+ if (ret) {
+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "failed to verify krb5 credentials: %s",
+ krb5_get_err_text(context, ret));
+ krb5_kt_end_seq_get(context, keytab, &cursor);
+ krb5_kt_close(context, keytab);
+ goto end;
+ }
+ krb5_kt_end_seq_get(context, keytab, &cursor);
+ krb5_kt_close(context, keytab);
+ }
+ else {
+ if ((ret = verify_krb5_init_creds(r, context, &creds, server, keytab))) {
+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "failed to verify krb5 credentials: %s",
+ krb5_get_err_text(context, ret));
+ goto end;
+ }
+ }
}
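Review bot: In the "Any" branch an empty keytab passes verification: `ret` is 0 after a successful `krb5_kt_start_seq_get()` and is only reassigned inside the loop, so when `krb5_kt_next_entry()` yields no entries the code falls through with `ret == 0` and the KDC-verification step is silently skipped, which is exactly the KDC-spoofing protection `krb_verify_kdc` exists for. Each `krb5_keytab_entry` filled in by `krb5_kt_next_entry()` is also never released, and when `krb5_kt_start_seq_get()` fails the error path still calls `krb5_kt_end_seq_get()` on a cursor that was never started. Set a failure code before iterating, free each entry with `krb5_kt_free_entry()` (exported by both MIT and Heimdal), and end only a sequence that was started, as below. The two `krb5_kt_close(context, keytab)` calls close a keytab the caller passed in while the `else` branch leaves it open; whether the caller (outside this hunk) also closes it cannot be seen here, so this should be checked for a double close, and the rewrite below leaves closing to the caller. The commented-out block at the top of the hunk should be deleted rather than kept as a comment.
```c
    if (krb_verify_kdc) {
        if (krb_service_name && strcmp(krb_service_name,"Any") == 0) {
            ret = krb5_kt_start_seq_get(context, keytab, &cursor);
            if (!ret) {
                /* an empty keytab must mean "not verified", never "verified" */
                ret = KRB5_KT_NOTFOUND;
                while (krb5_kt_next_entry(context, keytab, &entry, &cursor) == 0) {
                    ret = verify_krb5_init_creds(r, context, &creds, entry.principal, keytab);
                    krb5_kt_free_entry(context, &entry);
                    if (ret == 0)
                        break;
                }
                krb5_kt_end_seq_get(context, keytab, &cursor);
            }
            if (ret) {
                log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                           "failed to verify krb5 credentials: %s",
                           krb5_get_err_text(context, ret));
                goto end;
            }
        }
        /* … unchanged: else branch verifying against the configured server principal … */
    }
```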
#ifdef HAVE_KRB5_CC_NEW_UNIQUE
int all_principals_unkown;
char *p = NULL;
- //temporary fix for KrbServiceName Any, use default SERVICE_NAME
- if (conf->krb_service_name && strcmp(conf->krb_service_name,"Any") == 0)
- snprintf(conf->krb_service_name, 5,"%s",SERVICE_NAME);
-
code = krb5_init_context(&kcontext);
if (code) {
log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
}
code = verify_krb5_user(r, kcontext, client, sent_pw,
- server, keytab, conf->krb_verify_kdc, &ccache);
+ server, keytab, conf->krb_verify_kdc, conf->krb_service_name, &ccache);
if (!conf->krb_authoritative && code) {
/* if we're not authoritative, we allow authentication to pass on
* to another modules if (and only if) the user is not known to us */
token.length = strlen(buf) + 1;
major_status = gss_import_name(&minor_status, &token,
- (have_server_princ) ? GSS_KRB5_NT_PRINCIPAL_NAME : GSS_C_NT_HOSTBASED_SERVICE,
+ (have_server_princ) ? (gss_OID) GSS_KRB5_NT_PRINCIPAL_NAME : (gss_OID) GSS_C_NT_HOSTBASED_SERVICE,
&server_name);
memset(&token, 0, sizeof(token));
if (GSS_ERROR(major_status)) {
gss_accept_sec_context_spnego : gss_accept_sec_context;
#endif
- log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Verifying client data using %s",
+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Verifying client data using KRB5 GSS-API %s",
(accept_sec_token == gss_accept_sec_context)
- ? "KRB5 GSS-API"
- : "SPNEGO GSS-API");
+ ? ""
+ : "with our SPNEGO lib");
major_status = accept_sec_token(&minor_status,
&context,
&delegated_cred);
log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"Client %s us their credential",
- (ret_flags & GSS_C_DELEG_FLAG) ? "sent" : "didn't send");
+ (ret_flags & GSS_C_DELEG_FLAG) ? "delegated" : "didn't delegate");
if (output_token.length) {
char *token = NULL;
size_t len;
already_succeeded(request_rec *r, char *auth_line)
{
krb5_conn_data *conn_data;
- const char keyname[1024];
+ char keyname[1024];
snprintf(keyname, sizeof(keyname) - 1,
"mod_auth_kerb::connection::%s::%ld", r->connection->remote_ip,
r->connection->id);
- if (apr_pool_userdata_get(&conn_data, keyname, r->connection->pool) != 0)
+ if (apr_pool_userdata_get((void**)&conn_data, keyname, r->connection->pool) != 0)
return NULL;
if(conn_data) {
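Review bot: The `(void**)&conn_data` cast makes the call compile but accesses a `krb5_conn_data *` object through a `void **`, which is an aliasing violation that a strict compiler may miscompile; the portable form is a `void *` temporary: `void *data = NULL;`, `if (apr_pool_userdata_get(&data, keyname, r->connection->pool) != 0) return NULL;`, `conn_data = data;`. Making `keyname` non-const is correct, since `snprintf()` writes into it on the following line. The `sizeof(keyname) - 1` there is pre-existing and harmless, but `snprintf()` already reserves room for the terminator, so `sizeof(keyname)` would be the usual form if this line is touched again.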
&auth_kerb_module);
krb5_conn_data *prevauth = NULL;
const char *auth_type = NULL;
- const char *auth_line = NULL;
+ char *auth_line = NULL;
const char *type = NULL;
int use_krb5 = 0, use_krb4 = 0;
int ret;
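Review bot: Dropping `const` from `auth_line` appears to exist only to satisfy `already_succeeded(request_rec *r, char *auth_line)`, and it forces the casts `(char *)MK_TABLE_GET(...)` and `(const char **)&auth_line` in the two following hunks; nothing in the visible code writes through the pointer, and `ap_getword_white()` already accepts a `const char **`. Keeping `const char *auth_line = NULL;` and changing the callee's parameter to `const char *auth_line` removes both casts and keeps the compiler's guarantee that the header value is not modified. The same reasoning likely applies to `sent_pw` at the top of the file, whose visible consumer is `verify_krb5_user(..., const char *password, ...)`, but its other uses are outside these hunks and should be checked before reverting that change.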
#endif
/* get what the user sent us in the HTTP header */
- auth_line = MK_TABLE_GET(r->headers_in, (r->proxyreq == PROXYREQ_PROXY)
+ auth_line = (char *)MK_TABLE_GET(r->headers_in, (r->proxyreq == PROXYREQ_PROXY)
? "Proxy-Authorization"
: "Authorization");
if (!auth_line) {
(use_krb5) ? "\0" : NULL);
return HTTP_UNAUTHORIZED;
}
- auth_type = ap_getword_white(r->pool, &auth_line);
+ auth_type = ap_getword_white(r->pool, (const char **)&auth_line);
/* If we are delegating Basic to other modules, DECLINE the request */
if (conf->krb_delegate_basic &&