From a60c5036c4e609c4fa2d06c5d9fd830a5b25b9ff Mon Sep 17 00:00:00 2001
From: jadestorm
Date: Sat, 7 Sep 2002 01:53:24 +0000
Subject: [PATCH] Added rest of options I expect to be using.
---
 ChangeLog | 8 ++++
 TODO | 19 +++++----
 apache1/auth_cmds.c | 104 ++++++++++++++++++++++++++++++++++++++++++++++++--
 apache1/auth_config.h | 19 ++++++++-
 apache2/auth_cmds.c | 94 +++++++++++++++++++++++++++++++++++++++++++--
 apache2/auth_config.h | 19 ++++++++-
 6 files changed, 248 insertions(+), 15 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 1fbcd7c..78727e3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2002-09-06 Daniel Henninger
+
+ * apache1/auth_cmds.c:
+ * apache1/auth_config.h:
+ * apache2/auth_cmds.c:
+ * apache2/auth_config.h:
+ Added all of the options I currently forsee supporting.
+
 2002-09-05 Daniel Henninger
 * apache1/module.c:
diff --git a/TODO b/TODO
index 9333f4e..1e18189 100644
--- a/TODO
+++ b/TODO
@@ -1,39 +1,44 @@ -- Save Creds/Tickets +* Save Creds/Tickets Retrieve and store krbtgt and set env variable of file path. - Cleanup Daemon Maybe write some little cleanup daemon to clean up ticket files. -- Set Path for Storage of Temp Files +* Set Path for Storage of Temp Files Storage of ticket files, and maybe others at some point. - Verify Krb5 Ticket Currently www/hostname. Can I do this with Krb4? + Yes apparently! See bug report from Ken Raeburn. -- Ability to Set Realm in Config +* Ability to Set Realm in Config Not compiled in anymore. Maybe some form of multiple realms specifiable? -- Settable Location of Keytab/Srvtab +* Settable Location of Keytab/Srvtab Again, in config instead of compiled in. -- Lifetime Settable +* Lifetime Settable Set lifetime of tickets in config. -- Default Instance +* Default Instance You can make it so that 'by default', a user's daniel/root or daniel/www instance is auth'd against instead of just daniel. +- Require Instance + We'll allow for a 'require instance ......'. + - Any Instance Allow for specification of daniel/root or daniel/admin. If off, only checks against defaultinstance instance. + require user daniel/root daniel daniel/admin - Expire Reauth Set a lifetime on tickets, and after expiration, tries to -force- a reauth (brings up login/password window) -- Forwardable/Renewable Tickets +* Forwardable/Renewable Tickets Setting in config. - Browser Mutual Auth Support diff --git a/apache1/auth_cmds.c b/apache1/auth_cmds.c index 3649cb2..d2c00ab 100644 --- a/apache1/auth_cmds.c +++ b/apache1/auth_cmds.c 
@@ -50,6 +50,46 @@ command_rec kerb_auth_cmds[] = {
 "Permit Kerberos auth without AuthType requirement."
 },
+#ifdef KRB4
+ {
+ "Krb4Srvtab",
+ ap_set_file_slot,
+ (void*)XtOffsetOf(kerb_auth_config, krb_4_srvtab),
+ RSRC_CONF & ACCESS_CONF,
+ TAKE1,
+ "Location of Kerberos V4 srvtab file."
+ },
+#endif /* KRB4 */
+
+#ifdef KRB5
+ {
+ "Krb5Keytab",
+ ap_set_file_slot,
+ (void*)XtOffsetOf(kerb_auth_config, krb_5_keytab),
+ RSRC_CONF & ACCESS_CONF,
+ TAKE1,
+ "Location of Kerberos V5 keytab file."
+ },
+#endif /* KRB5 */
+
+ {
+ "KrbAuthoritative",
+ ap_set_flag_slot,
+ (void*)XtOffsetOf(kerb_auth_config, krb_authoritative),
+ OR_AUTHCFG,
+ FLAG,
+ "Refuse to pass request down to lower modules."
+ },
+
+ {
+ "KrbDefaultRealm",
+ ap_set_string_slot,
+ (void*)XtOffsetOf(kerb_auth_config, krb_default_realm),
+ OR_AUTHCFG,
+ TAKE1,
+ "Default realm to authenticate users against."
+ },
+
 {
 "KrbFailStatus",
 kerb_set_fail_slot,
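Review bot: `RSRC_CONF & ACCESS_CONF` in the new Krb4Srvtab and Krb5Keytab entries is a bitwise AND of two different context flags; in Apache's http_config.h these are distinct bits, so the mask evaluates to 0 and, as far as I can tell, the server will reject the directive in every context. The intent looks like limiting the srvtab/keytab path to server-level configuration rather than .htaccess, which is the right scope for a file holding the service key, so the line should read `RSRC_CONF | ACCESS_CONF,`. The same expression appears in the matching AP_INIT_TAKE1 entries of the first apache2/auth_cmds.c hunk. The kerb_auth_cmds[] array starts and ends outside this hunk.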
@@ -60,12 +100,70 @@ command_rec kerb_auth_cmds[] = {
 },
 {
- "KrbAuthoritative",
+ "KrbForceInstance",
+ ap_set_string_slot,
+ (void*)XtOffsetOf(kerb_auth_config, krb_force_instance),
+ OR_AUTHCFG,
+ TAKE1,
+ "Force authentication against an instance specified here."
+ },
+
+#ifdef KRB5
+ {
+ "KrbForwardable",
 ap_set_flag_slot,
- (void*)XtOffsetOf(kerb_auth_config, krb_authoritative),
+ (void*)XtOffsetOf(kerb_auth_config, krb_forwardable),
 OR_AUTHCFG,
 FLAG,
- "Refuse to pass request down to lower modules."
+ "Credentials retrieved will be flagged as forwardable."
+ },
+#endif /* KRB5 */
+
+ {
+ "KrbLifetime",
+ ap_set_string_slot,
+ (void*)XtOffsetOf(kerb_auth_config, krb_lifetime),
+ OR_AUTHCFG,
+ TAKE1,
+ "Lifetime of tickets retrieved."
+ },
+
+#ifdef KRB5
+ {
+ "KrbRenewable",
+ ap_set_string_slot,
+ (void*)XtOffsetOf(kerb_auth_config, krb_renewable),
+ OR_AUTHCFG,
+ TAKE1,
+ "Credentials retrieved will be renewable for this length."
+ },
+#endif /* KRB5 */
+
+ {
+ "KrbSaveCredentials",
+ ap_set_flag_slot,
+ (void*)XtOffsetOf(kerb_auth_config, krb_save_credentials),
+ OR_AUTHCFG,
+ FLAG,
+ "Save and store credentials/tickets retrieved during auth."
+ },
+
+ {
+ "KrbSaveTickets",
+ ap_set_flag_slot,
+ (void*)XtOffsetOf(kerb_auth_config, krb_save_credentials),
+ OR_AUTHCFG,
+ FLAG,
+ "Alias for KrbSaveCredentials."
+ },
+
+ {
+ "KrbTmpdir",
+ ap_set_string_slot,
+ (void*)XtOffsetOf(kerb_auth_config, krb_tmp_dir),
+ OR_AUTHCFG,
+ TAKE1,
+ "Path to store ticket files and such in."
 },
 { NULL }
diff --git a/apache1/auth_config.h b/apache1/auth_config.h
index 6c17007..9e0da47 100644
--- a/apache1/auth_config.h
+++ b/apache1/auth_config.h
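Review bot: KrbTmpdir, KrbSaveCredentials/KrbSaveTickets and KrbForwardable are registered with `OR_AUTHCFG`, so wherever `AllowOverride AuthConfig` is in effect a .htaccess author decides whether visitors' tickets are written to disk, into which directory, and whether they are forwardable. Those settings govern credentials that belong to the people logging in rather than to the content owner, so they look like server-administrator choices; consider `RSRC_CONF | ACCESS_CONF` for these entries and `ap_set_file_slot` for KrbTmpdir, matching how the srvtab/keytab paths are registered earlier in this table. KrbSaveTickets also writes the same krb_save_credentials slot as KrbSaveCredentials, so if both are present the later one wins silently; a one-line comment on the alias entry would make that explicit. The second apache2/auth_cmds.c hunk adds the same entries. The array begins before this hunk and its closing brace lies outside it.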
@@ -1,5 +1,22 @@
 typedef struct {
 char *krb_auth_type;
- int krb_fail_status;
+#ifdef KRB4
+ char *krb_4_srvtab;
+#endif /* KRB4 */
+#ifdef KRB5
+ char *krb_5_keytab;
+#endif /* KRB5 */
 int krb_authoritative;
+ char *krb_default_realm;
+ int krb_fail_status;
+ char *krb_force_instance;
+#ifdef KRB5
+ int krb_forwardable;
+#endif /* KRB5 */
+ char *krb_lifetime;
+#ifdef KRB5
+ char *krb_renewable;
+#endif /* KRB5 */
+ int krb_save_credentials;
+ char *krb_tmp_dir;
 } kerb_auth_config;
diff --git a/apache2/auth_cmds.c b/apache2/auth_cmds.c
index 7ad4c43..5b1d191 100644
--- a/apache2/auth_cmds.c
+++ b/apache2/auth_cmds.c
@@ -49,6 +49,42 @@ static const command_rec kerb_auth_cmds[] = {
 "Permit Kerberos auth without AuthType requirement."
 ),
+#ifdef KRB4
+ AP_INIT_TAKE1(
+ "Krb4Srvtab",
+ ap_set_file_slot,
+ (void*)APR_XtOffsetOf(kerb_auth_config, krb_4_srvtab),
+ RSRC_CONF & ACCESS_CONF,
+ "Location of Kerberos V4 srvtab file."
+ ),
+#endif /* KRB4 */
+
+#ifdef KRB5
+ AP_INIT_TAKE1(
+ "Krb5Keytab",
+ ap_set_file_slot,
+ (void*)APR_XtOffsetOf(kerb_auth_config, krb_5_keytab),
+ RSRC_CONF & ACCESS_CONF,
+ "Location of Kerberos V5 keytab file."
+ ),
+#endif /* KRB5 */
+
+ AP_INIT_FLAG(
+ "KrbAuthoritative",
+ ap_set_flag_slot,
+ (void*)APR_XtOffsetOf(kerb_auth_config, krb_authoritative),
+ OR_AUTHCFG,
+ "Refuse to pass request down to lower modules."
+ ),
+
+ AP_INIT_TAKE1(
+ "KrbDefaultRealm",
+ ap_set_string_slot,
+ (void*)APR_XtOffsetOf(kerb_auth_config, krb_default_realm),
+ OR_AUTHCFG,
+ "Default realm to authenticate users against."
+ ),
+
 AP_INIT_TAKE1(
 "KrbFailStatus",
 kerb_set_fail_slot,
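Review bot: The fields added to kerb_auth_config in apache1/auth_config.h have no comments, and for krb_lifetime and krb_renewable (both `char *`) nothing states which format or unit the string is expected in. I would add a one-line comment per member naming the directive that fills it, for example `/* KrbLifetime: ticket lifetime as written in the config (format to be defined) */`. Since several members sit inside `#ifdef KRB4` / `#ifdef KRB5`, the struct layout depends on build flags, and the offsets stored in kerb_auth_cmds[] are only valid if every file including this header is compiled with the same defines; a header comment saying so would help. The apache2/auth_config.h hunk is identical and needs the same comments.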
@@ -57,12 +93,64 @@ static const command_rec kerb_auth_cmds[] = {
 "If auth fails, return status set here."
 ),
+ AP_INIT_TAKE1(
+ "KrbForceInstance",
+ ap_set_string_slot,
+ (void*)APR_XtOffsetOf(kerb_auth_config, krb_force_instance),
+ OR_AUTHCFG,
+ "Force authentication against an instance specified here."
+ ),
+
+#ifdef KRB5
 AP_INIT_FLAG(
- "KrbAuthoritative",
+ "KrbForwardable",
 ap_set_flag_slot,
- (void*)APR_XtOffsetOf(kerb_auth_config, krb_authoritative),
+ (void*)APR_XtOffsetOf(kerb_auth_config, krb_forwardable),
 OR_AUTHCFG,
- "Refuse to pass request down to lower modules."
+ "Credentials retrieved will be flagged as forwardable."
+ ),
+#endif /* KRB5 */
+
+ AP_INIT_TAKE1(
+ "KrbLifetime",
+ ap_set_string_slot,
+ (void*)APR_XtOffsetOf(kerb_auth_config, krb_lifetime),
+ OR_AUTHCFG,
+ "Lifetime of tickets retrieved."
+ ),
+
+#ifdef KRB5
+ AP_INIT_TAKE1(
+ "KrbRenewable",
+ ap_set_string_slot,
+ (void*)APR_XtOffsetOf(kerb_auth_config, krb_renewable),
+ OR_AUTHCFG,
+ "Credentials retrieved will be renewable for this length."
+ ),
+#endif /* KRB5 */
+
+ AP_INIT_FLAG(
+ "KrbSaveCredentials",
+ ap_set_flag_slot,
+ (void*)APR_XtOffsetOf(kerb_auth_config, krb_save_credentials),
+ OR_AUTHCFG,
+ "Save and store credentials/tickets retrieved during auth."
+ ),
+
+ AP_INIT_FLAG(
+ "KrbSaveTickets",
+ ap_set_flag_slot,
+ (void*)APR_XtOffsetOf(kerb_auth_config, krb_save_credentials),
+ OR_AUTHCFG,
+ "Alias for KrbSaveCredentials."
+ ),
+
+ AP_INIT_TAKE1(
+ "KrbTmpdir",
+ ap_set_string_slot,
+ (void*)APR_XtOffsetOf(kerb_auth_config, krb_tmp_dir),
+ OR_AUTHCFG,
+ "Path to store ticket files and such in."
 ),
 { NULL }
diff --git a/apache2/auth_config.h b/apache2/auth_config.h
index 6c17007..9e0da47 100644
--- a/apache2/auth_config.h
+++ b/apache2/auth_config.h
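Review bot: KrbLifetime and KrbRenewable in apache2/auth_cmds.c are stored with `ap_set_string_slot`, so a malformed duration is accepted when the configuration is parsed and can only surface later, wherever the string is converted (that code is not in this diff). KrbFailStatus already goes through a custom handler, `kerb_set_fail_slot`; a similar handler for these two directives could reject a bad value at startup with a clear message instead of leaving ticket lifetime to whatever the conversion falls back to. The same applies to the corresponding entries in the second apache1/auth_cmds.c hunk. The table continues outside this hunk on both sides.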
@@ -1,5 +1,22 @@
 typedef struct {
 char *krb_auth_type;
- int krb_fail_status;
+#ifdef KRB4
+ char *krb_4_srvtab;
+#endif /* KRB4 */
+#ifdef KRB5
+ char *krb_5_keytab;
+#endif /* KRB5 */
 int krb_authoritative;
+ char *krb_default_realm;
+ int krb_fail_status;
+ char *krb_force_instance;
+#ifdef KRB5
+ int krb_forwardable;
+#endif /* KRB5 */
+ char *krb_lifetime;
+#ifdef KRB5
+ char *krb_renewable;
+#endif /* KRB5 */
+ int krb_save_credentials;
+ char *krb_tmp_dir;
 } kerb_auth_config;
--
2.1.4