Margaret Wasserman [Fri, 5 Sep 2014 10:52:29 +0000 (06:52 -0400)]
Update the protocol description to match current code and include additional details about encoding, etc.
Sam Hartman [Wed, 3 Sep 2014 20:35:30 +0000 (16:35 -0400)]
Include connection keep-alive
Margaret Wasserman [Wed, 3 Sep 2014 20:34:13 +0000 (16:34 -0400)]
Break gss_get_conn_ctx() into two functions, one that retrieves a context, and one that creates a new one. Make corresponding changes in both modules.
Sam Hartman [Wed, 3 Sep 2014 13:51:51 +0000 (09:51 -0400)]
Don't use output_token after free
Margaret Wasserman [Wed, 3 Sep 2014 13:46:54 +0000 (09:46 -0400)]
Base64 encode application data, instead of escaping. Fix typo in protocol. Add debug statement to test code.
Sam Hartman [Tue, 2 Sep 2014 17:44:40 +0000 (13:44 -0400)]
Fix client to continue
Margaret Wasserman [Tue, 2 Sep 2014 15:21:13 +0000 (11:21 -0400)]
Fix bugs with code to escape quotes.
Margaret Wasserman [Tue, 2 Sep 2014 12:02:12 +0000 (08:02 -0400)]
Updates/fixes to gssweb filter code.
Margaret Wasserman [Wed, 20 Aug 2014 13:31:09 +0000 (09:31 -0400)]
Filter is successfully called, still needs to do job properly.
Margaret Wasserman [Wed, 13 Aug 2014 20:47:34 +0000 (16:47 -0400)]
Removed backup file.
Margaret Wasserman [Wed, 13 Aug 2014 20:43:36 +0000 (16:43 -0400)]
Apache auth hook appears to work, but filter still not registered properly. Added test client.
Margaret Wasserman [Wed, 6 Aug 2014 19:30:09 +0000 (15:30 -0400)]
Add code for output filter.
Margaret Wasserman [Wed, 9 Jul 2014 21:32:28 +0000 (17:32 -0400)]
Code for gssweb module check_user hook.
Margaret Wasserman [Wed, 2 Jul 2014 11:53:54 +0000 (07:53 -0400)]
Editorial changes to protocol description.
Margaret Wasserman [Wed, 2 Jul 2014 11:42:18 +0000 (07:42 -0400)]
Added protocol description for GSS Web authentication.
Margaret Wasserman [Sun, 29 Jun 2014 11:31:08 +0000 (07:31 -0400)]
Cleanly separate gssapi (negotiate) auth code from (future) gssweb auth code.
Margaret Wasserman [Sun, 29 Jun 2014 11:10:30 +0000 (07:10 -0400)]
Remove static qualifier from non-static functions, finish .h reorg.
Margaret Wasserman [Sun, 29 Jun 2014 11:03:52 +0000 (07:03 -0400)]
Update include files to match code refactoring for two modules.
Margaret Wasserman [Sun, 29 Jun 2014 10:15:53 +0000 (06:15 -0400)]
Add gssweb sources
Margaret Wasserman [Sun, 29 Jun 2014 10:12:29 +0000 (06:12 -0400)]
Add auth_gssweb module to makefile
Margaret Wasserman [Wed, 18 Jun 2014 19:30:26 +0000 (15:30 -0400)]
Refactor existing mod_auth_gssapi code to support addition of gssweb module.
Margaret Wasserman [Tue, 3 Jun 2014 19:40:52 +0000 (15:40 -0400)]
Add install-sh to mod-auth-kerb directory
Sam Hartman [Mon, 3 Feb 2014 10:08:56 +0000 (05:08 -0500)]
Merge branch 'moonshot-negotiate' of file:///srv/git/mod_auth_kerb
Luke Howard [Sun, 25 Sep 2011 13:40:47 +0000 (23:40 +1000)]
use "Negotiate" mechanism
Sam Hartman [Mon, 9 May 2011 21:07:23 +0000 (17:07 -0400)]
Build fixes to support DESTDIR
kouril [Fri, 6 May 2011 09:47:25 +0000 (09:47 +0000)]
license and copyright statements
kouril [Fri, 1 Apr 2011 10:45:06 +0000 (10:45 +0000)]
Return even last token on GSS errors
kouril [Mon, 28 Mar 2011 20:21:23 +0000 (20:21 +0000)]
Adding testing CLI client (based off the Heimdal testing sample)
kouril [Mon, 28 Mar 2011 20:12:22 +0000 (20:12 +0000)]
Improved building
kouril [Mon, 28 Mar 2011 19:13:37 +0000 (19:13 +0000)]
Fixed building with gss libs (by Sam Hartman)
kouril [Wed, 15 Dec 2010 13:25:05 +0000 (13:25 +0000)]
importing current version of mod_auth_gssapi
kouril [Wed, 15 Dec 2010 13:24:09 +0000 (13:24 +0000)]
removed "legacy" of mod_auth_kerb
kouril [Wed, 15 Dec 2010 13:18:18 +0000 (13:18 +0000)]
removed unnecessary files
kouril [Thu, 22 Jul 2010 09:13:54 +0000 (09:13 +0000)]
Better r.e. to prevent from substituting empty strings on some platforms
kouril [Tue, 11 Aug 2009 07:37:27 +0000 (07:37 +0000)]
remove some cc warnings (thanks to Joe Orton)
kouril [Tue, 11 Aug 2009 07:26:14 +0000 (07:26 +0000)]
- own up Kerberos in the resulting mechanism id
- return an error when the client wants multiple iterations of GSSAPI authN
baalberith [Tue, 5 May 2009 12:39:52 +0000 (12:39 +0000)]
tweaked Basic provider support
baalberith [Fri, 17 Apr 2009 09:38:23 +0000 (09:38 +0000)]
documented KrbLocalUserMapping directive
baalberith [Thu, 16 Apr 2009 17:26:02 +0000 (17:26 +0000)]
ticket [2421120], added krb5-config command locating
baalberith [Mon, 9 Mar 2009 19:52:17 +0000 (19:52 +0000)]
fixed return value when using basic provider to pass the auth to other modules (in case of fail).
baalberith [Thu, 5 Mar 2009 17:30:45 +0000 (17:30 +0000)]
forgot something
baalberith [Thu, 5 Mar 2009 17:06:20 +0000 (17:06 +0000)]
code reorganization caused by last update
baalberith [Fri, 27 Feb 2009 00:07:08 +0000 (00:07 +0000)]
added password verification invocation via the AuthBasicProvider with krb value
baalberith [Thu, 4 Dec 2008 10:14:03 +0000 (10:14 +0000)]
increased version number
baalberith [Thu, 4 Dec 2008 10:11:35 +0000 (10:11 +0000)]
changelog
baalberith [Thu, 4 Dec 2008 09:48:00 +0000 (09:48 +0000)]
added changelog
baalberith [Tue, 2 Dec 2008 15:17:17 +0000 (15:17 +0000)]
removed compilation warnings
baalberith [Tue, 2 Dec 2008 15:01:17 +0000 (15:01 +0000)]
reverted to 1.146, this will be part of another commit
baalberith [Tue, 2 Dec 2008 14:49:13 +0000 (14:49 +0000)]
moved sed command to its own script (for BSD with non-GNU make users) + improved configure script to correctly handle with --with-krb5=yes
baalberith [Sun, 19 Oct 2008 19:25:44 +0000 (19:25 +0000)]
tickets [ 1427467 ], [ 1399384 ], [ 1169067 ], [ 1289096 ] implemented KrbServiceName Any for password auth
baalberith [Tue, 14 Oct 2008 19:00:50 +0000 (19:00 +0000)]
fixed bug [1323202] Configure script doesnt correctly handle "--with-krb5"
baalberith [Tue, 14 Oct 2008 10:59:19 +0000 (10:59 +0000)]
accepted ticket [1859455]: <sys/types.h> should be included explicitly
baalberith [Sat, 11 Oct 2008 23:09:00 +0000 (23:09 +0000)]
accepted ticket [1707336]: Include valid options when calling krb5_get_init_creds_passw
baalberith [Wed, 8 Oct 2008 20:12:10 +0000 (20:12 +0000)]
rewritten already_succeeded function, tickets [ 1774288 ], [ 1891230 ]
baalberith [Sat, 4 Oct 2008 08:51:17 +0000 (08:51 +0000)]
fixed threading issues as described in ticket [ 1971514 ]
baalberith [Thu, 2 Oct 2008 11:01:01 +0000 (11:01 +0000)]
minor update "HTTP" -> default SERVICE_NAME
baalberith [Wed, 17 Sep 2008 14:01:55 +0000 (14:01 +0000)]
accepted patch [ 1809998 ] "Accept any incoming credential in keytab" with some minor changes
baalberith [Tue, 19 Aug 2008 12:29:45 +0000 (12:29 +0000)]
rewritten whole an to ln name mapping
baalberith [Wed, 13 Aug 2008 01:05:52 +0000 (01:05 +0000)]
minor update, some debugging info + better memory management
baalberith [Fri, 8 Aug 2008 11:56:55 +0000 (11:56 +0000)]
added auth name to local name mapping. Tickets [1957143], [1303627], [2013838 ], [1809803], [1373783], [1611526]
baalberith [Fri, 25 Jul 2008 22:22:03 +0000 (22:22 +0000)]
fixed [1851056] problem with password beginning with ':'
kouril [Tue, 24 Jun 2008 12:59:53 +0000 (12:59 +0000)]
Merge from the 5.3 branch (security fix). Tagged as merge_53_src, merge_53_dst, merge_53_dst_after.
kouril [Wed, 22 Nov 2006 11:11:16 +0000 (11:11 +0000)]
Logged a debug message saying if or not the client delegated his/her credential
kouril [Wed, 22 Nov 2006 10:53:53 +0000 (10:53 +0000)]
Pass the get_gss_error() call with a full request struct so it could log a debug message with the GSSAPI codes
kouril [Thu, 16 Nov 2006 08:39:36 +0000 (08:39 +0000)]
Improved displaying of error messages
kouril [Mon, 6 Nov 2006 17:33:53 +0000 (17:33 +0000)]
Increased version numbers
kouril [Mon, 6 Nov 2006 15:48:45 +0000 (15:48 +0000)]
Added definition of KRB5_LIB_FUNCTION (taken from MIT), which seems not to be
included sometimes (MIT 1.5.1).
kouril [Mon, 6 Nov 2006 15:36:08 +0000 (15:36 +0000)]
The shell functions supported by BSD make:s doesn't do what we are used to from
GNU make. Added a comment with two lines which provide the same functionality
also on BSD platforms. It'd be great if they were wrapped with an if
statement.
kouril [Sat, 9 Sep 2006 08:01:03 +0000 (08:01 +0000)]
Use krb5_rc_resolve_full() to detect the "none" rcache type. The previous code was based on an internal function using non-public data structure.
kouril [Mon, 4 Sep 2006 10:44:17 +0000 (10:44 +0000)]
Changes in krb4 code
- switch to apr 1.x
- allow the client to specify the realm
kouril [Fri, 1 Sep 2006 11:36:19 +0000 (11:36 +0000)]
increased versions to 5.1
kouril [Fri, 1 Sep 2006 09:32:34 +0000 (09:32 +0000)]
Defined GSS_KRB5_NT_PRINCIPAL_NAME as gss_nt_krb5_name to make it work with older MITs (eg. from RH ES3)
kouril [Wed, 30 Aug 2006 06:41:51 +0000 (06:41 +0000)]
Switched to use APR 1.x
- apr 1.0 stopped shipping the compat headers defining old ap_* calls
kouril [Wed, 30 Aug 2006 06:38:14 +0000 (06:38 +0000)]
changed type to unsigned to be consistent with prototype
kouril [Thu, 24 Aug 2006 11:43:07 +0000 (11:43 +0000)]
Added context declaration
kouril [Thu, 24 Aug 2006 10:50:32 +0000 (10:50 +0000)]
Better check if SPNEGO is supported by the kerberos implementation. Patch accepted from https://sourceforge.net/tracker/?func=detail&atid=464526&aid=1533173&group_id=51775
kouril [Thu, 24 Aug 2006 10:48:38 +0000 (10:48 +0000)]
Detect if the "none" replay cache type is supported before enforcing its use
kouril [Tue, 15 Aug 2006 13:35:53 +0000 (13:35 +0000)]
Bumped version
kouril [Tue, 15 Aug 2006 13:14:27 +0000 (13:14 +0000)]
typo in error message
kouril [Tue, 15 Aug 2006 12:58:01 +0000 (12:58 +0000)]
Better solution to the "array type has incomplete element type" problem
kouril [Tue, 15 Aug 2006 12:48:26 +0000 (12:48 +0000)]
Compatibilizing define's are pulled out from apr_compat.h and apu_compat.h
kouril [Tue, 15 Aug 2006 12:42:03 +0000 (12:42 +0000)]
The KRB5RCACHETYPE variable is set in initialization calls. Its parameter is allocated using strdup().
kouril [Tue, 15 Aug 2006 11:34:49 +0000 (11:34 +0000)]
Some calls declared static to make gcc stop complaining about non existing prototypes
kouril [Tue, 15 Aug 2006 11:31:52 +0000 (11:31 +0000)]
Ignore .libs
kouril [Tue, 15 Aug 2006 11:08:19 +0000 (11:08 +0000)]
Ignore *.lo, *.slo
kouril [Tue, 15 Aug 2006 10:34:28 +0000 (10:34 +0000)]
Commented out ContextFlags_units, which makes problem on SuSE 10
kouril [Tue, 15 Aug 2006 10:21:46 +0000 (10:21 +0000)]
Try also locating apxs2 binary if apxs isn't found
kouril [Sat, 22 Apr 2006 12:46:53 +0000 (12:46 +0000)]
- Use the KRB5RCACHETYPE variable to disable the replay attacks checks in
MIT 1.4
- Make the 1.3 hack more robust, it tries to verify it works with 1.3 libs
(it crashes with 1.4)
(patches submitted from Russ Allbery and Jari Ahonen)
kouril [Tue, 28 Feb 2006 23:01:44 +0000 (23:01 +0000)]
Bumped version
kouril [Mon, 20 Feb 2006 21:46:35 +0000 (21:46 +0000)]
Wrap compiler and linker options passed via apxs
kouril [Mon, 20 Feb 2006 21:38:28 +0000 (21:38 +0000)]
#ifdef 0 doesn't work
kouril [Sun, 19 Feb 2006 21:45:05 +0000 (21:45 +0000)]
Bumped years in Licenses and similar stuff
kouril [Sun, 19 Feb 2006 21:04:44 +0000 (21:04 +0000)]
Typo (fix for bug 1424794)
kouril [Sun, 19 Feb 2006 14:58:41 +0000 (14:58 +0000)]
Commented out all KrbEnableSSLPreauthentication related stuff as it depends on
the mod_ssl internals (ssl_var_lookup).
kouril [Thu, 2 Feb 2006 15:35:42 +0000 (15:35 +0000)]
Added SSL_preauthentication option
kouril [Fri, 5 Aug 2005 15:16:29 +0000 (15:16 +0000)]
- Don't build the SPNEGO library at all if using latest heimdal (or another
distributions supporting SPNEGO, are there any?)
- Changed the semantics of the KrbServiceName directive. It can contain not
only the service name (HTTP) but also a full principal name that will be used
for authentication of the server. This should help in solving some DNS
issues.
kouril [Wed, 8 Jun 2005 10:36:46 +0000 (10:36 +0000)]
- renamed enum CONTEXT into KERB_CTXT to address name clashes on Windows
- added a few missing calling conventions to the calls
(thanks to Pascal Davoust, 20 May 2005 14:56:15)
kouril [Wed, 8 Jun 2005 10:32:55 +0000 (10:32 +0000)]
- Be more compatible with the development apache branch. Allow working with
APR 1.x and 2.2.
- Avoid some warnings
(thanks to Joe Orton for this patch, 23 May 2005 14:00:57)
kouril [Fri, 3 Jun 2005 16:58:24 +0000 (16:58 +0000)]
mozilla prefs
kouril [Fri, 29 Apr 2005 15:51:53 +0000 (15:51 +0000)]
Only reply with the Negotiate set if the gss_accept_sec_context returned data
for the client. Otherwise the client received a Negotiate header and tried to
authenticate using GSSAPI again and again, which is annoying when the user in
question passes the authentication but isn't authorized.