+++ /dev/null
-#include "apr_strings.h"
-#include "apr_lib.h"
-#include "ap_config.h"
-#include "httpd.h"
-#include "http_config.h"
-#include "http_core.h"
-#include "http_log.h"
-#include "http_protocol.h"
-#include "http_request.h"
-
-module AP_MODULE_DECLARE_DATA kerb_auth_module;
+++ /dev/null
-static const char *kerb_set_fail_slot(cmd_parms *cmd, void *struct_ptr,
- const char *arg)
-{
- int offset = (int) (long) cmd->info;
- if (!strncasecmp(arg, "unauthorized", 12))
- *(int *) ((char *)struct_ptr + offset) = HTTP_UNAUTHORIZED;
- else if (!strncasecmp(arg, "forbidden", 9))
- *(int *) ((char *)struct_ptr + offset) = HTTP_FORBIDDEN;
- else if (!strncasecmp(arg, "declined", 8))
- *(int *) ((char *)struct_ptr + offset) = DECLINED;
- else
- return apr_pstrcat(cmd->pool, "KrbAuthFailStatus must be Forbidden, Unauthorized, or Declined.", NULL);
- return NULL;
-}
-
-static const char *kerb_set_type_slot(cmd_parms *cmd, void *struct_ptr,
- const char *arg)
-{
- int offset = (int) (long) cmd->info;
- if
-#ifdef KRB5
- (!strncasecmp(arg, "v5", 2))
- *(char **) ((char *)struct_ptr + offset) = apr_pstrdup(cmd->pool, "KerberosV5");
- else if
-#endif /* KRB5 */
-#ifdef KRB4
- (!strncasecmp(arg, "v4", 2))
- *(char **) ((char *)struct_ptr + offset) = apr_pstrdup(cmd->pool, "KerberosV4");
-#endif /* KRB4 */
-#if defined(KRB5) && defined(KRB4)
- else if
- (!strncasecmp(arg, "dualv5v4", 8))
- *(char **) ((char *)struct_ptr + offset) = apr_pstrdup(cmd->pool, "KerberosDualV5V4");
- else if
- (!strncasecmp(arg, "dualv4v5", 8))
- *(char **) ((char *)struct_ptr + offset) = apr_pstrdup(cmd->pool, "KerberosDualV4V5");
-#endif /* KRB5 && KRB4 */
- else
- return "AuthKerberos must be V5, V4, DualV4V5, or DualV5V4.";
- return NULL;
-}
-
-static const command_rec kerb_auth_cmds[] = {
- AP_INIT_TAKE1(
- "AuthKerberos",
- kerb_set_type_slot,
- (void*)APR_XtOffsetOf(kerb_auth_config, krb_auth_type),
- OR_AUTHCFG,
- "Permit Kerberos auth without AuthType requirement."
- ),
-
-#ifdef KRB4
- AP_INIT_TAKE1(
- "Krb4Srvtab",
- ap_set_file_slot,
- (void*)APR_XtOffsetOf(kerb_auth_config, krb_4_srvtab),
- RSRC_CONF & ACCESS_CONF,
- "Location of Kerberos V4 srvtab file."
- ),
-#endif /* KRB4 */
-
-#ifdef KRB5
- AP_INIT_TAKE1(
- "Krb5Keytab",
- ap_set_file_slot,
- (void*)APR_XtOffsetOf(kerb_auth_config, krb_5_keytab),
- RSRC_CONF & ACCESS_CONF,
- "Location of Kerberos V5 keytab file."
- ),
-#endif /* KRB5 */
-
- AP_INIT_FLAG(
- "KrbAuthoritative",
- ap_set_flag_slot,
- (void*)APR_XtOffsetOf(kerb_auth_config, krb_authoritative),
- OR_AUTHCFG,
- "Refuse to pass request down to lower modules."
- ),
-
- AP_INIT_TAKE1(
- "KrbDefaultRealm",
- ap_set_string_slot,
- (void*)APR_XtOffsetOf(kerb_auth_config, krb_default_realm),
- OR_AUTHCFG,
- "Default realm to authenticate users against."
- ),
-
- AP_INIT_TAKE1(
- "KrbFailStatus",
- kerb_set_fail_slot,
- (void*)APR_XtOffsetOf(kerb_auth_config, krb_fail_status),
- OR_AUTHCFG,
- "If auth fails, return status set here."
- ),
-
- AP_INIT_TAKE1(
- "KrbForceInstance",
- ap_set_string_slot,
- (void*)APR_XtOffsetOf(kerb_auth_config, krb_force_instance),
- OR_AUTHCFG,
- "Force authentication against an instance specified here."
- ),
-
-#ifdef KRB5
- AP_INIT_FLAG(
- "KrbForwardable",
- ap_set_flag_slot,
- (void*)APR_XtOffsetOf(kerb_auth_config, krb_forwardable),
- OR_AUTHCFG,
- "Credentials retrieved will be flagged as forwardable."
- ),
-#endif /* KRB5 */
-
- AP_INIT_TAKE1(
- "KrbLifetime",
- ap_set_string_slot,
- (void*)APR_XtOffsetOf(kerb_auth_config, krb_lifetime),
- OR_AUTHCFG,
- "Lifetime of tickets retrieved."
- ),
-
-#ifdef KRB5
- AP_INIT_TAKE1(
- "KrbRenewable",
- ap_set_string_slot,
- (void*)APR_XtOffsetOf(kerb_auth_config, krb_renewable),
- OR_AUTHCFG,
- "Credentials retrieved will be renewable for this length."
- ),
-#endif /* KRB5 */
-
- AP_INIT_FLAG(
- "KrbSaveCredentials",
- ap_set_flag_slot,
- (void*)APR_XtOffsetOf(kerb_auth_config, krb_save_credentials),
- OR_AUTHCFG,
- "Save and store credentials/tickets retrieved during auth."
- ),
-
- AP_INIT_FLAG(
- "KrbSaveTickets",
- ap_set_flag_slot,
- (void*)APR_XtOffsetOf(kerb_auth_config, krb_save_credentials),
- OR_AUTHCFG,
- "Alias for KrbSaveCredentials."
- ),
-
- AP_INIT_TAKE1(
- "KrbTmpdir",
- ap_set_string_slot,
- (void*)APR_XtOffsetOf(kerb_auth_config, krb_tmp_dir),
- OR_AUTHCFG,
- "Path to store ticket files and such in."
- ),
-
- { NULL }
-};
+++ /dev/null
-typedef struct {
- char *krb_auth_type;
-#ifdef KRB4
- char *krb_4_srvtab;
-#endif /* KRB4 */
-#ifdef KRB5
- char *krb_5_keytab;
-#endif /* KRB5 */
- int krb_authoritative;
- char *krb_default_realm;
- int krb_fail_status;
- char *krb_force_instance;
-#ifdef KRB5
- int krb_forwardable;
-#endif /* KRB5 */
- char *krb_lifetime;
-#ifdef KRB5
- char *krb_renewable;
-#endif /* KRB5 */
- int krb_save_credentials;
- char *krb_tmp_dir;
-} kerb_auth_config;
+++ /dev/null
-int kerb_authenticate_user(request_rec *r) {
- const char *name; /* AuthName specified */
- const char *type; /* AuthType specified */
- int KerberosV5 = 0; /* Kerberos V5 check enabled */
- int KerberosV4 = 0; /* Kerberos V4 check enabled */
- int KerberosV4first = 0; /* Kerberos V4 check first */
- const char *sent_pw; /* Password sent by browser */
- const char *t; /* Return value holder */
- int res; /* Response holder */
- int retcode; /* Return code holder */
-
- kerb_auth_config *conf =
- (kerb_auth_config *)ap_get_module_config(r->per_dir_config,
- &kerb_auth_module);
-
- const char *auth_line = apr_table_get(r->headers_in,
- (PROXYREQ_PROXY == r->proxyreq)
- ? "Proxy-Authorization"
- : "Authorization");
-
- type = ap_auth_type(r);
-
- if (type != NULL) {
-#ifdef KRB5
- if ((strncasecmp(type, "KerberosV5", 10) == 0) ||
- (strncasecmp(conf->krb_auth_type, "KerberosV5", 10) == 0)) {
- KerberosV5 = 1;
- }
-#endif /* KRB5 */
-
-#ifdef KRB4
- if ((strncasecmp(type, "KerberosV4", 10) == 0) ||
- (strncasecmp(conf->krb_auth_type, "KerberosV4", 10) == 0)) {
- KerberosV4 = 1;
- }
-#endif /* KRB4 */
-
-#if defined(KRB5) && defined(KRB4)
- if ((strncasecmp(type, "KerberosDualV5V4", 15) == 0) ||
- (strncasecmp(conf->krb_auth_type, "KerberosDualV5V4", 15) == 0)) {
- KerberosV5 = 1;
- KerberosV4 = 1;
- }
-
- if ((strncasecmp(type, "KerberosDualV4V5", 15) == 0) ||
- (strncasecmp(conf->krb_auth_type, "KerberosDualV4V5", 15) == 0)) {
- KerberosV5 = 1;
- KerberosV4 = 1;
- KerberosV4first = 1;
- }
-#endif /* KRB5 && KRB4 */
- }
-
- if (!KerberosV4 && !KerberosV5) {
- if (conf->krb_authoritative) {
- return HTTP_UNAUTHORIZED;
- }
- else {
- return DECLINED;
- }
- }
-
- name = ap_auth_name(r);
- if (!name) {
- ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR,
- 0, r, "need AuthName: %s", r->uri);
- return HTTP_INTERNAL_SERVER_ERROR;
- }
-
- if (!auth_line) {
- apr_table_set(r->err_headers_out, "WWW-Authenticate",
- (char *)apr_pstrcat(r->pool, "Basic realm=\"", name, "\"", NULL));
- return HTTP_UNAUTHORIZED;
- }
-
- type = ap_getword_white(r->pool, &auth_line);
- t = ap_pbase64decode(r->pool, auth_line);
- r->user = ap_getword_nulls(r->pool, &t, ':');
- r->ap_auth_type = "Kerberos";
- sent_pw = ap_getword_white(r->pool, &t);
-
- retcode = DECLINED;
-
-#ifdef KRB5
- if (KerberosV5 && !KerberosV4first && retcode != OK) {
- r->ap_auth_type = "KerberosV5";
- if (kerb5_password_validate(r->user, sent_pw)) {
- retcode = OK;
- }
- else {
- retcode = conf->krb_fail_status;
- }
- }
-#endif /* KRB5 */
-
-#ifdef KRB4
- if (KerberosV4 && retcode != OK) {
- r->ap_auth_type = "KerberosV4";
- if (kerb4_password_validate(r->user, sent_pw)) {
- retcode = OK;
- }
- else {
- retcode = conf->krb_fail_status;
- }
- }
-#endif /* KRB4 */
-
-#if defined(KRB5) && defined(KRB4)
- if (KerberosV5 && KerberosV4first && retcode != OK) {
- r->ap_auth_type = "KerberosV5";
- if (kerb5_password_validate(r->user, sent_pw)) {
- retcode = OK;
- }
- else {
- retcode = conf->krb_fail_status;
- }
- }
-#endif /* KRB5 && KRB4 */
-
- if (conf->krb_authoritative && retcode == DECLINED) {
- return HTTP_UNAUTHORIZED;
- }
- else {
- return retcode;
- }
-}
+++ /dev/null
-static void *kerb_dir_config(apr_pool_t *p, char *d)
-{
- static void *rec;
- rec = (void *) ap_pcalloc(p, sizeof(kerb_auth_config));
- ((kerb_auth_config *)rec)->krb_fail_status = HTTP_UNAUTHORIZED;
- ((kerb_auth_config *)rec)->krb_authoritative = 0;
- ((kerb_auth_config *)rec)->krb_auth_type = apr_pstrdup(p, "None");
- return rec;
-}
+++ /dev/null
-void kerb_register_hooks(apr_pool_t *p)
-{
- ap_hook_check_user_id(kerb_authenticate_user, NULL, NULL, APR_HOOK_MIDDLE);
- ap_hook_access_checker(kerb_check_user_access, NULL, NULL, APR_HOOK_MIDDLE);
-}
+++ /dev/null
-module AP_MODULE_DECLARE_DATA kerb_auth_module =
-{
- STANDARD20_MODULE_STUFF,
- kerb_dir_config, /* create per-dir conf structures */
- NULL, /* merge per-dir conf structures */
- NULL, /* create per-server conf structures */
- NULL, /* merge per-server conf structures */
- kerb_auth_cmds, /* table of configuration directives */
- kerb_register_hooks /* register hooks */
-};