#include <stdio.h>
#include <stdarg.h>
-#define MODAUTHKERB_VERSION "5.0"
+#define MODAUTHKERB_VERSION "5.3"
#define MECH_NEGOTIATE "Negotiate"
#define SERVICE_NAME "HTTP"
#include <unistd.h>
#endif
+#ifndef KRB5_LIB_FUNCTION
+# if defined(_WIN32)
+# define KRB5_LIB_FUNCTION _stdcall
+# else
+# define KRB5_LIB_FUNCTION
+# endif
+#endif
+
#ifdef STANDARD20_MODULE_STUFF
module AP_MODULE_DECLARE_DATA auth_kerb_module;
#else
char *krb_5_keytab;
int krb_method_gssapi;
int krb_method_k5pass;
+ int krb5_do_auth_to_local;
#endif
#ifdef KRB4
char *krb_4_srvtab;
command("KrbMethodK5Passwd", ap_set_flag_slot, krb_method_k5pass,
FLAG, "Enable Kerberos V5 password authentication."),
+
+ command("KrbLocalUserMapping", ap_set_flag_slot, krb5_do_auth_to_local,
+ FLAG, "Set to 'on' to have Kerberos do auth_to_local mapping of principal names to system user names."),
#endif
#ifdef KRB4
};
#endif
-
/***************************************************************************
Auth Configuration Initialization
***************************************************************************/
((kerb_auth_config *)rec)->krb_ssl_preauthentication = 0;
#endif
#ifdef KRB5
+ ((kerb_auth_config *)rec)->krb5_do_auth_to_local = 0;
((kerb_auth_config *)rec)->krb_method_k5pass = 1;
((kerb_auth_config *)rec)->krb_method_gssapi = 1;
#endif
Username/Password Validation for Krb4
***************************************************************************/
static int
-verify_krb4_user(request_rec *r, char *name, char *instance, char *realm,
- char *password, char *linstance, char *srvtab, int krb_verify_kdc)
+verify_krb4_user(request_rec *r, const char *name, const char *instance,
+ const char *realm, const char *password, const char *linstance, const char *srvtab, int krb_verify_kdc)
{
int ret;
char *phost;
return ret;
}
- ret = krb_rd_req(&ticket, linstance, phost, addr, &authdata, srvtab);
+ ret = krb_rd_req(&ticket, (char *)linstance, phost, addr, &authdata, (char *)srvtab);
if (ret) {
log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"Cannot verify krb4 ticket: krb_rd_req() failed: %s",
int all_principals_unkown;
sent_pw = ap_pbase64decode(r->pool, auth_line);
- sent_name = ap_getword (r->pool, &sent_pw, ':');
-
- /* do not allow user to override realm setting of server */
- if (ap_strchr_c(sent_name, '@')) {
- log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "specifying realm in user name is prohibited");
- return HTTP_UNAUTHORIZED;
- }
+ sent_name = ap_getword_nulls_nc (r->pool, (char **) &sent_pw, ':');
sent_instance = strchr(sent_name, '.');
if (sent_instance)
return HTTP_INTERNAL_SERVER_ERROR;
}
- tkt_file_p = ap_pstrdup(r->pool, tkt_file);
- ap_register_cleanup(r->pool, tkt_file_p,
- krb4_cache_cleanup, ap_null_cleanup);
-
+ tkt_file_p = apr_pstrdup(r->pool, tkt_file);
+ apr_pool_cleanup_register(r->pool, tkt_file_p, krb4_cache_cleanup,
+ apr_pool_cleanup_null);
+
krb_set_tkt_string(tkt_file);
all_principals_unkown = 1;
goto end;
}
- user = ap_pstrdup(r->pool, sent_name);
+ user = apr_pstrdup(r->pool, sent_name);
if (sent_instance)
- user = ap_pstrcat(r->pool, user, ".", sent_instance, NULL);
- user = ap_pstrcat(r->pool, user, "@", realm, NULL);
+ user = apr_pstrcat(r->pool, user, ".", sent_instance, NULL);
+ user = apr_pstrcat(r->pool, user, "@", realm, NULL);
MK_USER = user;
MK_AUTH_TYPE = "Basic";
- ap_table_setn(r->subprocess_env, "KRBTKFILE", tkt_file_p);
+ apr_table_setn(r->subprocess_env, "KRBTKFILE", tkt_file_p);
if (!conf->krb_save_credentials)
krb4_cache_cleanup(tkt_file);
}
sent_pw = ap_pbase64decode(r->pool, auth_line);
- sent_name = ap_getword (r->pool, &sent_pw, ':');
+ sent_name = ap_getword_nulls_nc (r->pool, (char **) &sent_pw, ':');
if (sent_pw == NULL || *sent_pw == '\0') {
log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
********************************************************************/
static const char *
-get_gss_error(MK_POOL *p, OM_uint32 err_maj, OM_uint32 err_min, char *prefix)
+get_gss_error(request_rec *r, OM_uint32 err_maj, OM_uint32 err_min, char *prefix)
{
OM_uint32 maj_stat, min_stat;
OM_uint32 msg_ctx = 0;
gss_buffer_desc status_string;
char *err_msg;
- err_msg = apr_pstrdup(p, prefix);
+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "GSS-API major_status:%8.8x, minor_status:%8.8x",
+ err_maj, err_min);
+
+ err_msg = apr_pstrdup(r->pool, prefix);
do {
maj_stat = gss_display_status (&min_stat,
err_maj,
GSS_C_NO_OID,
&msg_ctx,
&status_string);
- if (GSS_ERROR(maj_stat))
- break;
- err_msg = apr_pstrcat(p, err_msg, ": ", (char*) status_string.value, NULL);
- gss_release_buffer(&min_stat, &status_string);
-
+ if (!GSS_ERROR(maj_stat)) {
+ err_msg = apr_pstrcat(r->pool, err_msg, ": ",
+ (char*) status_string.value, NULL);
+ gss_release_buffer(&min_stat, &status_string);
+ }
+ } while (!GSS_ERROR(maj_stat) && msg_ctx != 0);
+
+ msg_ctx = 0;
+ err_msg = apr_pstrcat(r->pool, err_msg, " (", NULL);
+ do {
maj_stat = gss_display_status (&min_stat,
err_min,
GSS_C_MECH_CODE,
&msg_ctx,
&status_string);
if (!GSS_ERROR(maj_stat)) {
- err_msg = apr_pstrcat(p, err_msg,
- " (", (char*) status_string.value, ")", NULL);
+ err_msg = apr_pstrcat(r->pool, err_msg, ", ",
+ (char *) status_string.value, NULL);
gss_release_buffer(&min_stat, &status_string);
}
} while (!GSS_ERROR(maj_stat) && msg_ctx != 0);
+ err_msg = apr_pstrcat(r->pool, err_msg, ")", NULL);
return err_msg;
}
if (GSS_ERROR(maj_stat)) {
log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"Cannot store delegated credential (%s)",
- get_gss_error(r->pool, maj_stat, min_stat, "gss_krb5_copy_ccache"));
+ get_gss_error(r, maj_stat, min_stat, "gss_krb5_copy_ccache"));
goto end;
}
memset(&token, 0, sizeof(token));
if (GSS_ERROR(major_status)) {
log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "%s", get_gss_error(r->pool, major_status, minor_status,
+ "%s", get_gss_error(r, major_status, minor_status,
"gss_import_name() failed"));
return HTTP_INTERNAL_SERVER_ERROR;
}
/* Perhaps we could just ignore this error but it's safer to give up now,
I think */
log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "%s", get_gss_error(r->pool, major_status, minor_status,
+ "%s", get_gss_error(r, major_status, minor_status,
"gss_display_name() failed"));
return HTTP_INTERNAL_SERVER_ERROR;
}
gss_release_name(&minor_status2, &server_name);
if (GSS_ERROR(major_status)) {
log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "%s", get_gss_error(r->pool, major_status, minor_status,
+ "%s", get_gss_error(r, major_status, minor_status,
"gss_acquire_cred() failed"));
return HTTP_INTERNAL_SERVER_ERROR;
}
gss_OID_desc spnego_oid;
gss_ctx_id_t context = GSS_C_NO_CONTEXT;
gss_cred_id_t server_creds = GSS_C_NO_CREDENTIAL;
+ OM_uint32 ret_flags = 0;
*negotiate_ret_value = "\0";
&client_name,
NULL,
&output_token,
- NULL,
+ &ret_flags,
NULL,
&delegated_cred);
log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
- "Verification returned code %d", major_status);
+ "Client %s us their credential",
+ (ret_flags & GSS_C_DELEG_FLAG) ? "sent" : "didn't send");
if (output_token.length) {
char *token = NULL;
size_t len;
"Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.");
log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "%s", get_gss_error(r->pool, major_status, minor_status,
+ "%s", get_gss_error(r, major_status, minor_status,
"gss_accept_sec_context() failed"));
/* Don't offer the Negotiate method again if call to GSS layer failed */
*negotiate_ret_value = NULL;
gss_release_name(&minor_status, &client_name);
if (GSS_ERROR(major_status)) {
log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "%s", get_gss_error(r->pool, major_status, minor_status,
+ "%s", get_gss_error(r, major_status, minor_status,
"gss_display_name() failed"));
ret = HTTP_INTERNAL_SERVER_ERROR;
goto end;
if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL)
store_gss_creds(r, conf, (char *)output_token.value, delegated_cred);
-
+
gss_release_buffer(&minor_status, &output_token);
ret = OK;
return ret;
}
+
+static int
+do_krb5_an_to_ln(request_rec *r) {
+ krb5_error_code code;
+ int ret = HTTP_INTERNAL_SERVER_ERROR;
+ char *MK_USER_LNAME = NULL;
+ krb5_context kcontext = NULL;
+ krb5_principal client = NULL;
+
+ code = krb5_init_context(&kcontext);
+ if (code) {
+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "Cannot initialize Kerberos5 context (%d)", code);
+ goto end;
+ }
+
+ code = krb5_parse_name(kcontext, MK_USER, &client);
+ if (code) {
+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "krb5_parse_name() failed: %s",
+ krb5_get_err_text(kcontext, code));
+ goto end;
+ }
+ MK_USER_LNAME = apr_pcalloc(r->pool, strlen(MK_USER)+1);
+ if (MK_USER_LNAME == NULL) {
+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "ap_pcalloc() failed (not enough memory)");
+ goto end;
+ }
+ code = krb5_aname_to_localname(kcontext, client, strlen(MK_USER), MK_USER_LNAME);
+ if (code) {
+ if (code != KRB5_LNAME_NOTRANS) {
+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "krb5_aname_to_localname() failed: %s",
+ krb5_get_err_text(kcontext, code));
+
+ }
+ else {
+ log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r,
+ "krb5_aname_to_localname() found no "
+ "mapping for principal %s",
+ MK_USER);
+ }
+ }
+ else {
+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "kerb_authenticate_a_name_to_local_name %s -> %s",
+ (MK_USER)?MK_USER:"(NULL)", (MK_USER_LNAME)?MK_USER_LNAME:"(NULL)");
+ MK_USER = apr_pstrdup(r->pool, MK_USER_LNAME);
+ ret = OK;
+ }
+ end:
+ if (client)
+ krb5_free_principal(kcontext, client);
+ if (kcontext)
+ krb5_free_context(kcontext);
+ return ret;
+}
+
+
#endif /* KRB5 */
static int
#ifdef KRB4
if (!set_basic &&
((use_krb4 && conf->krb_method_k4pass) || conf->krb_delegate_basic))
- ap_table_add(r->err_headers_out, header_name,
- ap_pstrcat(r->pool, "Basic realm=\"", auth_name, "\"", NULL));
+ apr_table_add(r->err_headers_out, header_name,
+ apr_pstrcat(r->pool, "Basic realm=\"", auth_name, "\"", NULL));
#endif
}
strcasecmp(auth_type, "Basic") == 0) {
ret = authenticate_user_krb5pwd(r, conf, auth_line);
}
+ if (ret == OK && conf->krb5_do_auth_to_local)
+ ret = do_krb5_an_to_ln(r);
#endif
#ifdef KRB4
{
krb5_error_code ret;
krb5_context context;
- krb5_rcache id;
+ krb5_rcache id = NULL;
int found;
- memset(&id, 0, sizeof(id));
-
ret = krb5_init_context(&context);
if (ret)
return 0;
- ret = krb5_rc_resolve_type(context, &id, type);
+ ret = krb5_rc_resolve_full(context, &id, "none:");
found = (ret == 0);
+ if (ret == 0)
+ krb5_rc_destroy(context, id);
krb5_free_context(context);
return found;
projects / mod_auth_kerb.git / blobdiff