+2003-06-02 Daniel Henninger <jadestorm@users.sourceforge.net>
+
+ * src/mod_auth_kerb.c:
+ Added save_credentials support.
+ Hushed up an warnings at compile time.
+ Added krb4 instance/realm specification support.
+ Added force_instance support.
+ Fixed Kerberos options support.
+ Added tmpdir support.
+ Added lifetime support.
+
+ * TODO:
+ Removed work already completed.
+
+2003-06-01 Daniel Henninger <jadestorm@users.sourceforge.net>
+
+ * INSTALL:
+ Replaced with standard autoconf INSTALL file.
+
+ * NEWS:
+ Added alpha2 comment.
+
+ * configure.in:
+ Changed AC_INIT to provide more information.
+
2003-05-29 Daniel Henninger <jadestorm@users.sourceforge.net>
* src/mod_auth_kerb.c:
Combined current work back into a single file.
+ * apache1/*:
+ * apache2/*:
+ * krb4/*:
+ * krb5/*:
+ Removed since they are replaced by src/mod_auth_kerb.c.
+
2002-09-06 Daniel Henninger <daniel@ncsu.edu>
* apache1/auth_cmds.c:
-This will eventually have installation instructions in it. =)
+Basic Installation
+==================
+
+ These are generic installation instructions.
+
+ The `configure' shell script attempts to guess correct values for
+various system-dependent variables used during compilation. It uses
+those values to create a `Makefile' in each directory of the package.
+It may also create one or more `.h' files containing system-dependent
+definitions. Finally, it creates a shell script `config.status' that
+you can run in the future to recreate the current configuration, a file
+`config.cache' that saves the results of its tests to speed up
+reconfiguring, and a file `config.log' containing compiler output
+(useful mainly for debugging `configure').
+
+ If you need to do unusual things to compile the package, please try
+to figure out how `configure' could check whether to do them, and mail
+diffs or instructions to the address given in the `README' so they can
+be considered for the next release. If at some point `config.cache'
+contains results you don't want to keep, you may remove or edit it.
+
+ The file `configure.in' is used to create `configure' by a program
+called `autoconf'. You only need `configure.in' if you want to change
+it or regenerate `configure' using a newer version of `autoconf'.
+
+The simplest way to compile this package is:
+
+ 1. `cd' to the directory containing the package's source code and type
+ `./configure' to configure the package for your system. If you're
+ using `csh' on an old version of System V, you might need to type
+ `sh ./configure' instead to prevent `csh' from trying to execute
+ `configure' itself.
+
+ Running `configure' takes awhile. While running, it prints some
+ messages telling which features it is checking for.
+
+ 2. Type `make' to compile the package.
+
+ 3. Optionally, type `make check' to run any self-tests that come with
+ the package.
+
+ 4. Type `make install' to install the programs and any data files and
+ documentation.
+
+ 5. You can remove the program binaries and object files from the
+ source code directory by typing `make clean'. To also remove the
+ files that `configure' created (so you can compile the package for
+ a different kind of computer), type `make distclean'. There is
+ also a `make maintainer-clean' target, but that is intended mainly
+ for the package's developers. If you use it, you may have to get
+ all sorts of other programs in order to regenerate files that came
+ with the distribution.
+
+Compilers and Options
+=====================
+
+ Some systems require unusual options for compilation or linking that
+the `configure' script does not know about. You can give `configure'
+initial values for variables by setting them in the environment. Using
+a Bourne-compatible shell, you can do that on the command line like
+this:
+ CC=c89 CFLAGS=-O2 LIBS=-lposix ./configure
+
+Or on systems that have the `env' program, you can do it like this:
+ env CPPFLAGS=-I/usr/local/include LDFLAGS=-s ./configure
+
+Compiling For Multiple Architectures
+====================================
+
+ You can compile the package for more than one kind of computer at the
+same time, by placing the object files for each architecture in their
+own directory. To do this, you must use a version of `make' that
+supports the `VPATH' variable, such as GNU `make'. `cd' to the
+directory where you want the object files and executables to go and run
+the `configure' script. `configure' automatically checks for the
+source code in the directory that `configure' is in and in `..'.
+
+ If you have to use a `make' that does not supports the `VPATH'
+variable, you have to compile the package for one architecture at a time
+in the source code directory. After you have installed the package for
+one architecture, use `make distclean' before reconfiguring for another
+architecture.
+
+Installation Names
+==================
+
+ By default, `make install' will install the package's files in
+`/usr/local/bin', `/usr/local/man', etc. You can specify an
+installation prefix other than `/usr/local' by giving `configure' the
+option `--prefix=PATH'.
+
+ You can specify separate installation prefixes for
+architecture-specific files and architecture-independent files. If you
+give `configure' the option `--exec-prefix=PATH', the package will use
+PATH as the prefix for installing programs and libraries.
+Documentation and other data files will still use the regular prefix.
+
+ In addition, if you use an unusual directory layout you can give
+options like `--bindir=PATH' to specify different values for particular
+kinds of files. Run `configure --help' for a list of the directories
+you can set and what kinds of files go in them.
+
+ If the package supports it, you can cause programs to be installed
+with an extra prefix or suffix on their names by giving `configure' the
+option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'.
+
+Optional Features
+=================
+
+ Some packages pay attention to `--enable-FEATURE' options to
+`configure', where FEATURE indicates an optional part of the package.
+They may also pay attention to `--with-PACKAGE' options, where PACKAGE
+is something like `gnu-as' or `x' (for the X Window System). The
+`README' should mention any `--enable-' and `--with-' options that the
+package recognizes.
+
+ For packages that use the X Window System, `configure' can usually
+find the X include and library files automatically, but if it doesn't,
+you can use the `configure' options `--x-includes=DIR' and
+`--x-libraries=DIR' to specify their locations.
+
+Specifying the System Type
+==========================
+
+ There may be some features `configure' can not figure out
+automatically, but needs to determine by the type of host the package
+will run on. Usually `configure' can figure that out, but if it prints
+a message saying it can not guess the host type, give it the
+`--host=TYPE' option. TYPE can either be a short name for the system
+type, such as `sun4', or a canonical name with three fields:
+ CPU-COMPANY-SYSTEM
+
+See the file `config.sub' for the possible values of each field. If
+`config.sub' isn't included in this package, then this package doesn't
+need to know the host type.
+
+ If you are building compiler tools for cross-compiling, you can also
+use the `--target=TYPE' option to select the type of system they will
+produce code for and the `--build=TYPE' option to select the type of
+system on which you are compiling the package.
+
+Sharing Defaults
+================
+
+ If you want to set default values for `configure' scripts to share,
+you can create a site shell script called `config.site' that gives
+default values for variables like `CC', `cache_file', and `prefix'.
+`configure' looks for `PREFIX/share/config.site' if it exists, then
+`PREFIX/etc/config.site' if it exists. Or, you can set the
+`CONFIG_SITE' environment variable to the location of the site script.
+A warning: not all `configure' scripts look for a site script.
+
+Operation Controls
+==================
+
+ `configure' recognizes the following options to control how it
+operates.
+
+`--cache-file=FILE'
+ Use and save the results of the tests in FILE instead of
+ `./config.cache'. Set FILE to `/dev/null' to disable caching, for
+ debugging `configure'.
+
+`--help'
+ Print a summary of the options to `configure', and exit.
+
+`--quiet'
+`--silent'
+`-q'
+ Do not print messages saying which checks are being made. To
+ suppress all normal output, redirect it to `/dev/null' (any error
+ messages will still be shown).
+
+`--srcdir=DIR'
+ Look for the package's source code in directory DIR. Usually
+ `configure' can determine that directory automatically.
+
+`--version'
+ Print the version of Autoconf used to generate the `configure'
+ script, and exit.
+
+`configure' also accepts some other, not widely useful, options.
+5.0 alpha2:
+
+* Returned to single file layout as new layout was harder to follow.
+
5.0 alpha1:
* New layout set up and configure script added.
-* Save Creds/Tickets
- Retrieve and store krbtgt and set env variable of file path.
-
- Cleanup Daemon
Maybe write some little cleanup daemon to clean up ticket files.
-* Set Path for Storage of Temp Files
- Storage of ticket files, and maybe others at some point.
-
- Verify Krb5 Ticket
Currently www/hostname.
Can I do this with Krb4?
* Settable Location of Keytab/Srvtab
Again, in config instead of compiled in.
-* Lifetime Settable
- Set lifetime of tickets in config.
-
-* Default Instance
- You can make it so that 'by default', a user's daniel/root or
- daniel/www instance is auth'd against instead of just daniel.
-
- Require Instance
We'll allow for a 'require instance ......'.
-- Any Instance
- Allow for specification of daniel/root or daniel/admin.
- If off, only checks against defaultinstance instance.
- require user daniel/root daniel daniel/admin
-
- Expire Reauth
Set a lifetime on tickets, and after expiration, tries to -force-
a reauth (brings up login/password window)
-* Forwardable/Renewable Tickets
- Setting in config.
-
- Browser Mutual Auth Support
Combined with plugins, use auth user already has.
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.53.
+# Generated by GNU Autoconf 2.53 for Apache Kerberos Module alpha2.
+#
+# Report bugs to <modauthkerb-developers@lists.sourceforge.net>.
#
# Copyright 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, 2002
# Free Software Foundation, Inc.
: ${ac_max_here_lines=38}
# Identity of this package.
-PACKAGE_NAME=
-PACKAGE_TARNAME=
-PACKAGE_VERSION=
-PACKAGE_STRING=
-PACKAGE_BUGREPORT=
+PACKAGE_NAME='Apache Kerberos Module'
+PACKAGE_TARNAME='mod_auth_kerb'
+PACKAGE_VERSION='alpha2'
+PACKAGE_STRING='Apache Kerberos Module alpha2'
+PACKAGE_BUGREPORT='modauthkerb-developers@lists.sourceforge.net'
-ac_unique_file="README"
# Factoring default headers for most tests.
ac_includes_default="\
#include <stdio.h>
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures this package to adapt to many kinds of systems.
+\`configure' configures Apache Kerberos Module alpha2 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
fi
if test -n "$ac_init_help"; then
-
+ case $ac_init_help in
+ short | recursive ) echo "Configuration of Apache Kerberos Module alpha2:";;
+ esac
cat <<\_ACEOF
Optional Features:
Use these variables to override the choices made by `configure' or to help
it to find libraries and programs with nonstandard names/locations.
+Report bugs to <modauthkerb-developers@lists.sourceforge.net>.
_ACEOF
fi
test -n "$ac_init_help" && exit 0
if $ac_init_version; then
cat <<\_ACEOF
+Apache Kerberos Module configure alpha2
+generated by GNU Autoconf 2.53
Copyright 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, 2002
Free Software Foundation, Inc.
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by $as_me, which was
+It was created by Apache Kerberos Module $as_me alpha2, which was
generated by GNU Autoconf 2.53. Invocation command line was
$ $0 $@
+
+
+
+
+
+
+
+
# Check whether --with-api or --without-api was given.
if test "${with_api+set}" = set; then
withval="$with_api"
} >&5
cat >&5 <<_CSEOF
-This file was extended by $as_me, which was
+This file was extended by Apache Kerberos Module $as_me alpha2, which was
generated by GNU Autoconf 2.53. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
cat >>$CONFIG_STATUS <<_ACEOF
ac_cs_version="\\
-config.status
+Apache Kerberos Module config.status alpha2
configured by $0, generated by GNU Autoconf 2.53,
with options \\"`echo "$ac_configure_args" | sed 's/[\\""\`\$]/\\\\&/g'`\\"
} >&5
cat >&5 <<_CSEOF
-This file was extended by $as_me, which was
+This file was extended by Apache Kerberos Module $as_me alpha2, which was
generated by GNU Autoconf 2.53. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
cat >>$CONFIG_STATUS <<_ACEOF
ac_cs_version="\\
-config.status
+Apache Kerberos Module config.status alpha2
configured by $0, generated by GNU Autoconf 2.53,
with options \\"`echo "$ac_configure_args" | sed 's/[\\""\`\$]/\\\\&/g'`\\"
dnl ####################
dnl ## Initialization ##
dnl ####################
-AC_INIT(README)
+AC_INIT(Apache Kerberos Module,
+ alpha2,
+ modauthkerb-developers@lists.sourceforge.net,
+ mod_auth_kerb)
dnl ####################
#define MK_TABLE_TYPE table
#define MK_PSTRDUP ap_pstrdup
#define MK_PROXY STD_PROXY
-#define MK_RERROR_LEVEL ""
#define MK_USER r->connection->user
#define MK_AUTH_TYPE r->connection->ap_auth_type
#define MK_ARRAY_HEADER array_header
#define MK_TABLE_TYPE apr_table_t
#define MK_PSTRDUP apr_pstrdup
#define MK_PROXY PROXYREQ_PROXY
-#define MK_RERROR_LEVEL "0, "
#define MK_USER r->user
#define MK_AUTH_TYPE r->ap_auth_type
#define MK_ARRAY_HEADER apr_array_header_t
"KrbTmpdir",
ap_set_string_slot,
(void*)XtOffsetOf(kerb_auth_config, krb_tmp_dir),
- OR_AUTHCFG,
+ RSRC_CONF & ACCESS_CONF,
TAKE1,
"Path to store ticket files and such in."
},
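Review bot: `RSRC_CONF & ACCESS_CONF` on the KrbTmpdir entry is a bitwise AND of two distinct Apache override flag bits, so the mask evaluates to 0 (OR_NONE) and the directive is rejected in every context, httpd.conf included; the intended value is `RSRC_CONF | ACCESS_CONF`. Moving this directive out of `.htaccess` reach (away from OR_AUTHCFG) is the right call, since it selects the directory where ticket files are created and unlink()ed by the server, so the mask should be corrected rather than reverted. A comment such as `/* server/directory config only, never .htaccess: this picks where ticket files are written */` would record why it differs from the other Krb* directives.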
"KrbTmpdir",
ap_set_string_slot,
(void*)APR_XtOffsetOf(kerb_auth_config, krb_tmp_dir),
- OR_AUTHCFG,
+ RSRC_CONF & ACCESS_CONF,
"Path to store ticket files and such in."
),
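Review bot: The same `RSRC_CONF & ACCESS_CONF` mask appears in the Apache 2 command table for KrbTmpdir; as a bitwise AND of two separate flag bits it yields 0 and makes the directive unusable anywhere, so it should read `RSRC_CONF | ACCESS_CONF` here as well. The restriction itself (no `.htaccess` control over the ticket-file directory) is sound and worth keeping; consider the same one-line comment as in the Apache 1 table so the two entries stay in step.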
Username/Password Validation
***************************************************************************/
#ifdef KRB5
-int kerb5_password_validate(const char *user, const char *pass) {
+int kerb5_password_validate(request_rec *r, const char *user, const char *pass)
+{
+ kerb_auth_config *conf =
+ (kerb_auth_config *)ap_get_module_config(r->per_dir_config,
+ &kerb_auth_module);
int ret;
krb5_context kcontext;
krb5_principal server, me;
krb5_creds my_creds;
krb5_timestamp now;
- krb5_deltat lifetime = 0;
+ krb5_ccache ccache = NULL;
+ krb5_deltat lifetime = 300; /* 5 minutes */
+ krb5_deltat renewal = 0;
+ krb5_flags options = 0;
krb5_data tgtname = {
0,
KRB5_TGS_NAME_SIZE,
KRB5_TGS_NAME
};
+ char *c, ccname[MAX_STRING_LEN];
if (krb5_init_context(&kcontext))
return 0;
+ if (conf->krb_save_credentials) {
+ lifetime = 1800; /* 30 minutes */
+
+ if (conf->krb_forwardable) {
+ options |= KDC_OPT_FORWARDABLE;
+ }
+
+ if (conf->krb_renewable) {
+ options |= KDC_OPT_RENEWABLE;
+ renewal = 86400; /* 24 hours */
+ }
+
+ sprintf(ccname, "FILE:%s/k5cc_ap_%s",
+ conf->krb_tmp_dir ? conf->krb_tmp_dir : "/tmp",
+ MK_USER);
+
+ for (c = ccname + strlen(conf->krb_tmp_dir ? conf->krb_tmp_dir :
+ "/tmp") + 1; *c; c++) {
+ if (*c == '/')
+ *c = '.';
+ }
+
+ ap_table_setn(r->subprocess_env, "KRB5CCNAME", ccname);
+ if (krb5_cc_set_default_name(kcontext, ccname)) {
+ return 0;
+ }
+ unlink(ccname+strlen("FILE:"));
+ }
+
+ if (conf->krb_lifetime) {
+ lifetime = atoi(conf->krb_lifetime);
+ }
+
memset((char *)&my_creds, 0, sizeof(my_creds));
if(krb5_parse_name(kcontext, user, &me))
return 0;
return 0;
my_creds.times.starttime = 0;
my_creds.times.endtime = now + lifetime;
- my_creds.times.renew_till = 0;
+ my_creds.times.renew_till = now + renewal;
- ret = krb5_get_in_tkt_with_password(kcontext, 0, 0, NULL, 0,
- pass, NULL, &my_creds, 0);
+ if (conf->krb_save_credentials) {
+ if (krb5_cc_resolve(kcontext, ccname, &ccache))
+ return 0;
+
+ if (krb5_cc_initialize(kcontext, ccache, me))
+ return 0;
+ }
+
+ ret = krb5_get_in_tkt_with_password(kcontext, options, 0, NULL, 0,
+ pass, ccache, &my_creds, 0);
if (ret) {
return 0;
}
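Review bot: The `sprintf(ccname, "FILE:%s/k5cc_ap_%s", ...)` in the save-credentials branch writes MK_USER — the username from the not-yet-verified Authorization header — plus the configured KrbTmpdir into the fixed `ccname[MAX_STRING_LEN]` stack buffer with no length check, so the only thing standing between an over-long username and a pre-authentication stack overflow is Apache's request-field limit, which this code should not rely on; use `if (snprintf(ccname, sizeof ccname, "FILE:%s/k5cc_ap_%s", conf->krb_tmp_dir ? conf->krb_tmp_dir : "/tmp", MK_USER) >= (int)sizeof ccname) return 0;` instead. The following `ap_table_setn(r->subprocess_env, "KRB5CCNAME", ccname)` stores a pointer to that stack buffer rather than a copy, so the environment entry dangles once this function returns (and it bypasses the `MK_TABLE_SET`-style wrapper the rest of the file uses for the Apache 1/2 split) — `ap_table_set`, which copies into the pool, or `ap_pstrdup(r->pool, ccname)` is needed. The three new early `return 0` paths after `krb5_cc_set_default_name`, `krb5_cc_resolve` and `krb5_cc_initialize` also leave `kcontext` unreleased, as the pre-existing ones do. Design-wise, the cache name is predictable per username in a directory that defaults to shared `/tmp`, and it is unlinked and re-initialized before the password is checked, so concurrent requests for the same user clobber each other's cache and an unauthenticated client can wipe a valid user's cache; at minimum the KrbTmpdir help text should recommend a private, httpd-owned directory. The function's cleanup and return lie past the end of the hunk.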
#endif /* KRB5 */
#ifdef KRB4
-int kerb4_password_validate(const char *user, const char *pass) {
+int kerb4_password_validate(request_rec *r, const char *user, const char *pass)
+{
+ kerb_auth_config *conf =
+ (kerb_auth_config *)ap_get_module_config(r->per_dir_config,
+ &kerb_auth_module);
int ret;
- char realm[REALM_SZ];
-
- ret = krb_get_lrealm(realm, 1);
- if (ret != KSUCCESS)
+ int lifetime = DEFAULT_TKT_LIFE;
+ char *c, *tfname;
+ char *username = NULL;
+ char *instance = NULL;
+ char *realm = NULL;
+
+ username = (char *)ap_pstrdup(r->pool, user);
+ if (!username) {
return 0;
+ }
+
+ instance = strchr(username, '.');
+ if (instance) {
+ *instance++ = '\0';
+ }
+ else {
+ instance = "";
+ }
+
+ realm = strchr(username, '@');
+ if (realm) {
+ *realm++ = '\0';
+ }
+ else {
+ realm = "";
+ }
+
+ if (conf->krb_lifetime) {
+ lifetime = atoi(conf->krb_lifetime);
+ }
+
+ if (conf->krb_force_instance) {
+ instance = conf->krb_force_instance;
+ }
- ret = krb_get_pw_in_tkt((char *)user, "", realm, "krbtgt", realm,
- DEFAULT_TKT_LIFE, (char *)pass);
+ if (conf->krb_save_credentials) {
+ tfname = (char *)malloc(sizeof(char) * MAX_STRING_LEN);
+ sprintf(tfname, "%s/k5cc_ap_%s",
+ conf->krb_tmp_dir ? conf->krb_tmp_dir : "/tmp",
+ MK_USER);
+
+ if (!strcmp(instance, "")) {
+ tfname = strcat(tfname, ".");
+ tfname = strcat(tfname, instance);
+ }
+
+ if (!strcmp(realm, "")) {
+ tfname = strcat(tfname, ".");
+ tfname = strcat(tfname, realm);
+ }
+
+ for (c = tfname + strlen(conf->krb_tmp_dir ? conf->krb_tmp_dir :
+ "/tmp") + 1; *c; c++) {
+ if (*c == '/')
+ *c = '.';
+ }
+
+ krb_set_tkt_string(tfname);
+ }
+
+ if (!strcmp(realm, "")) {
+ realm = (char *)malloc(sizeof(char) * (REALM_SZ + 1));
+ ret = krb_get_lrealm(realm, 1);
+ if (ret != KSUCCESS)
+ return 0;
+ }
+
+ ret = krb_get_pw_in_tkt((char *)user, instance, realm, "krbtgt", realm,
+ lifetime, (char *)pass);
switch (ret) {
case INTK_OK:
case INTK_W_NOTALL:
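Review bot: Both the ticket-file name and the principal are built incorrectly in the new save-credentials code. The `if (!strcmp(instance, ""))` and `if (!strcmp(realm, ""))` tests before the `strcat` calls are inverted — they append a trailing `.` when the instance or realm is empty and drop the suffix when one was supplied (contrast the later `if (!strcmp(realm, ""))`, which correctly means "realm is empty") — and the `sprintf`/`strcat` sequence into a `malloc(MAX_STRING_LEN)` buffer has no bound against MK_USER from the unauthenticated Authorization header. Splitting on `.` before `@` misparses any realm containing a dot (`daniel@EXAMPLE.COM` becomes instance `COM`, realm `EXAMPLE`), and `krb_get_pw_in_tkt((char *)user, instance, realm, ...)` then passes the raw, unsplit `user` string rather than the parsed `username`, so the parsing never reaches the KDC anyway. The `malloc`ed `tfname` and `realm` are never freed; building the name with `ap_psprintf` on `r->pool` and using a stack buffer for the local realm removes the leaks and the overflow together. The function continues past the end of the hunk.
```c
    char lrealm[REALM_SZ + 1];          /* replaces the leaked malloc()ed realm */
    /* … unchanged: other declarations, ap_pstrdup of user into username … */

    /* Split the realm off first: KRB4 realms (EXAMPLE.COM) usually contain
       the '.' that separates primary from instance, so searching for '.'
       first misparses "daniel@EXAMPLE.COM" as instance "COM", realm "EXAMPLE". */
    realm = strchr(username, '@');
    if (realm) {
        *realm++ = '\0';
    }
    else {
        realm = "";
    }

    instance = strchr(username, '.');
    if (instance) {
        *instance++ = '\0';
    }
    else {
        instance = "";
    }

    /* … unchanged: KrbLifetime and force_instance handling … */

    if (conf->krb_save_credentials) {
        /* Pool-allocated and length-safe; the name derives from the username
           in the (not yet verified) Authorization header.  The ".instance"
           and ".realm" suffixes are added only when actually present. */
        tfname = ap_psprintf(r->pool, "%s/k5cc_ap_%s%s%s%s%s",
                             conf->krb_tmp_dir ? conf->krb_tmp_dir : "/tmp",
                             MK_USER,
                             *instance ? "." : "", instance,
                             *realm ? "." : "", realm);

        /* … unchanged: rewrite '/' to '.' after the tmpdir prefix … */

        krb_set_tkt_string(tfname);
    }

    if (!*realm) {
        if (krb_get_lrealm(lrealm, 1) != KSUCCESS)
            return 0;
        realm = lrealm;
    }

    /* Authenticate the parsed primary, not the raw "name.inst@REALM" string. */
    ret = krb_get_pw_in_tkt(username, instance, realm, "krbtgt", realm,
                            lifetime, (char *)pass);
```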
/***************************************************************************
User Authentication
***************************************************************************/
-int kerb_authenticate_user(request_rec *r) {
+int kerb_authenticate_user(request_rec *r)
+{
const char *name; /* AuthName specified */
const char *type; /* AuthType specified */
int KerberosV5 = 0; /* Kerberos V5 check enabled */
name = ap_auth_name(r);
if (!name) {
- ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
- MK_RERROR_LEVEL "need AuthName: %s", r->uri);
return HTTP_INTERNAL_SERVER_ERROR;
}
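Review bot: Deleting the `ap_log_rerror(... "need AuthName: %s", r->uri)` call leaves the missing-AuthName path returning HTTP_INTERNAL_SERVER_ERROR with nothing in the error log, which was the only hint an administrator gets that an `AuthType Kerberos*` block lacks an `AuthName`. The removal appears to follow from dropping the `MK_RERROR_LEVEL` macro elsewhere in this commit (Apache 2's `ap_log_rerror` takes an extra status argument that Apache 1.3's does not), but the right fix is to keep a per-API logging wrapper — either retain `MK_RERROR_LEVEL` in the same `#ifdef` blocks that define `MK_USER` and `MK_AUTH_TYPE`, or add a small `MK_LOG_RERROR(r, fmt, ...)` macro there — and restore the diagnostic rather than lose it. The function continues past the end of the hunk.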
if (!auth_line) {
MK_TABLE_SET(r->err_headers_out, "WWW-Authenticate",
- ap_pstrcat(r->pool, "Basic realm=\"", name, "\"", NULL));
+ (char *)ap_pstrcat(r->pool,
+ "Basic realm=\"", name, "\"", NULL));
return HTTP_UNAUTHORIZED;
}
#ifdef KRB5
if (KerberosV5 && !KerberosV4first && retcode != OK) {
MK_AUTH_TYPE = "KerberosV5";
- if (kerb5_password_validate(MK_USER, sent_pw)) {
+ if (kerb5_password_validate(r, MK_USER, sent_pw)) {
retcode = OK;
}
else {
#ifdef KRB4
if (KerberosV4 && retcode != OK) {
MK_AUTH_TYPE = "KerberosV4";
- if (kerb4_password_validate(MK_USER, sent_pw)) {
+ if (kerb4_password_validate(r, MK_USER, sent_pw)) {
retcode = OK;
}
else {
#if defined(KRB5) && defined(KRB4)
if (KerberosV5 && KerberosV4first && retcode != OK) {
MK_AUTH_TYPE = "KerberosV5";
- if (kerb5_password_validate(MK_USER, sent_pw)) {
+ if (kerb5_password_validate(r, MK_USER, sent_pw)) {
retcode = OK;
}
else {
/***************************************************************************
Access Verification
***************************************************************************/
-int kerb_check_user_access(request_rec *r) {
+int kerb_check_user_access(request_rec *r)
+{
register int x;
const char *t, *w;
const MK_ARRAY_HEADER *reqs_arr = ap_requires(r);