+++ /dev/null
-#include "httpd.h"
-#include "http_config.h"
-#include "http_core.h"
-#include "http_log.h"
-#include "http_protocol.h"
-#include "http_request.h"
-
-module kerb_auth_module;
+++ /dev/null
-static const char *kerb_set_fail_slot(cmd_parms *cmd, char *struct_ptr,
- char *arg)
-{
- int offset = (int) (long) cmd->info;
- if (!strncasecmp(arg, "unauthorized", 12))
- *(int *) (struct_ptr + offset) = HTTP_UNAUTHORIZED;
- else if (!strncasecmp(arg, "forbidden", 9))
- *(int *) (struct_ptr + offset) = HTTP_FORBIDDEN;
- else if (!strncasecmp(arg, "declined", 8))
- *(int *) (struct_ptr + offset) = DECLINED;
- else
- return "KrbFailStatus must be Forbidden, Unauthorized, or Declined.";
- return NULL;
-}
-
-static const char *kerb_set_type_slot(cmd_parms *cmd, char *struct_ptr,
- char *arg)
-{
- int offset = (int) (long) cmd->info;
- if
-#ifdef KRB5
- (!strncasecmp(arg, "v5", 2))
- *(char **) (struct_ptr + offset) = ap_pstrdup(cmd->pool, "KerberosV5");
- else if
-#endif /* KRB5 */
-#ifdef KRB4
- (!strncasecmp(arg, "v4", 2))
- *(char **) (struct_ptr + offset) = ap_pstrdup(cmd->pool, "KerberosV4");
-#endif /* KRB4 */
- else if
- (!strncasecmp(arg, "dualv5v4", 2))
- *(char **) (struct_ptr + offset) = ap_pstrdup(cmd->pool, "KerberosDualV5V4");
- else if
- (!strncasecmp(arg, "dualv4v5", 2))
- *(char **) (struct_ptr + offset) = ap_pstrdup(cmd->pool, "KerberosDualV4V5");
-#if defined(KRB4) && defined(KRB5)
-#endif /* KRB4 && KRB5 */
- else
- return "AuthKerberos must be V5 or V4.";
- return NULL;
-}
-
-command_rec kerb_auth_cmds[] = {
- {
- "AuthKerberos",
- kerb_set_type_slot,
- (void*)XtOffsetOf(kerb_auth_config, krb_auth_type),
- OR_AUTHCFG,
- TAKE1,
- "Permit Kerberos auth without AuthType requirement."
- },
-
-#ifdef KRB4
- {
- "Krb4Srvtab",
- ap_set_file_slot,
- (void*)XtOffsetOf(kerb_auth_config, krb_4_srvtab),
- RSRC_CONF & ACCESS_CONF,
- TAKE1,
- "Location of Kerberos V4 srvtab file."
- },
-#endif /* KRB4 */
-
-#ifdef KRB5
- {
- "Krb5Keytab",
- ap_set_file_slot,
- (void*)XtOffsetOf(kerb_auth_config, krb_5_keytab),
- RSRC_CONF & ACCESS_CONF,
- TAKE1,
- "Location of Kerberos V5 keytab file."
- },
-#endif /* KRB5 */
-
- {
- "KrbAuthoritative",
- ap_set_flag_slot,
- (void*)XtOffsetOf(kerb_auth_config, krb_authoritative),
- OR_AUTHCFG,
- FLAG,
- "Refuse to pass request down to lower modules."
- },
-
- {
- "KrbDefaultRealm",
- ap_set_string_slot,
- (void*)XtOffsetOf(kerb_auth_config, krb_default_realm),
- OR_AUTHCFG,
- TAKE1,
- "Default realm to authenticate users against."
- },
-
- {
- "KrbFailStatus",
- kerb_set_fail_slot,
- (void*)XtOffsetOf(kerb_auth_config, krb_fail_status),
- OR_AUTHCFG,
- TAKE1,
- "If auth fails, return status set here."
- },
-
- {
- "KrbForceInstance",
- ap_set_string_slot,
- (void*)XtOffsetOf(kerb_auth_config, krb_force_instance),
- OR_AUTHCFG,
- TAKE1,
- "Force authentication against an instance specified here."
- },
-
-#ifdef KRB5
- {
- "KrbForwardable",
- ap_set_flag_slot,
- (void*)XtOffsetOf(kerb_auth_config, krb_forwardable),
- OR_AUTHCFG,
- FLAG,
- "Credentials retrieved will be flagged as forwardable."
- },
-#endif /* KRB5 */
-
- {
- "KrbLifetime",
- ap_set_string_slot,
- (void*)XtOffsetOf(kerb_auth_config, krb_lifetime),
- OR_AUTHCFG,
- TAKE1,
- "Lifetime of tickets retrieved."
- },
-
-#ifdef KRB5
- {
- "KrbRenewable",
- ap_set_string_slot,
- (void*)XtOffsetOf(kerb_auth_config, krb_renewable),
- OR_AUTHCFG,
- TAKE1,
- "Credentials retrieved will be renewable for this length."
- },
-#endif /* KRB5 */
-
- {
- "KrbSaveCredentials",
- ap_set_flag_slot,
- (void*)XtOffsetOf(kerb_auth_config, krb_save_credentials),
- OR_AUTHCFG,
- FLAG,
- "Save and store credentials/tickets retrieved during auth."
- },
-
- {
- "KrbSaveTickets",
- ap_set_flag_slot,
- (void*)XtOffsetOf(kerb_auth_config, krb_save_credentials),
- OR_AUTHCFG,
- FLAG,
- "Alias for KrbSaveCredentials."
- },
-
- {
- "KrbTmpdir",
- ap_set_string_slot,
- (void*)XtOffsetOf(kerb_auth_config, krb_tmp_dir),
- OR_AUTHCFG,
- TAKE1,
- "Path to store ticket files and such in."
- },
-
- { NULL }
-};
+++ /dev/null
-typedef struct {
- char *krb_auth_type;
-#ifdef KRB4
- char *krb_4_srvtab;
-#endif /* KRB4 */
-#ifdef KRB5
- char *krb_5_keytab;
-#endif /* KRB5 */
- int krb_authoritative;
- char *krb_default_realm;
- int krb_fail_status;
- char *krb_force_instance;
-#ifdef KRB5
- int krb_forwardable;
-#endif /* KRB5 */
- char *krb_lifetime;
-#ifdef KRB5
- char *krb_renewable;
-#endif /* KRB5 */
- int krb_save_credentials;
- char *krb_tmp_dir;
-} kerb_auth_config;
+++ /dev/null
-int kerb_authenticate_user(request_rec *r) {
- const char *name; /* AuthName specified */
- const char *type; /* AuthType specified */
- int KerberosV5 = 0; /* Kerberos V5 check enabled */
- int KerberosV4 = 0; /* Kerberos V4 check enabled */
- int KerberosV4first = 0; /* Kerberos V4 check first */
- const char *sent_pw; /* Password sent by browser */
- int res; /* Response holder */
- int retcode; /* Return code holder */
- const char *t; /* Decoded auth_line */
- const char *authtype; /* AuthType to send back to browser */
- const char *auth_line = ap_table_get(r->headers_in,
- (r->proxyreq == STD_PROXY)
- ? "Proxy-Authorization"
- : "Authorization");
- kerb_auth_config *conf =
- (kerb_auth_config *)ap_get_module_config(r->per_dir_config,
- &kerb_auth_module);
-
- type = ap_auth_type(r);
-
- if (type != NULL) {
-#ifdef KRB5
- if ((strncasecmp(type, "KerberosV5", 10) == 0) ||
- (strncasecmp(conf->krb_auth_type, "KerberosV5", 10) == 0)) {
- KerberosV5 = 1;
- }
-#endif /* KRB5 */
-
-#ifdef KRB4
- if ((strncasecmp(type, "KerberosV4", 10) == 0) ||
- (strncasecmp(conf->krb_auth_type, "KerberosV4", 10) == 0)) {
- KerberosV4 = 1;
- }
-#endif /* KRB4 */
-
-#if defined(KRB5) && defined(KRB4)
- if ((strncasecmp(type, "KerberosDualV5V4", 15) == 0) ||
- (strncasecmp(conf->krb_auth_type, "KerberosDualV5V4", 15) == 0)) {
- KerberosV5 = 1;
- KerberosV4 = 1;
- }
-
- if ((strncasecmp(type, "KerberosDualV4V5", 15) == 0) ||
- (strncasecmp(conf->krb_auth_type, "KerberosDualV4V5", 15) == 0)) {
- KerberosV5 = 1;
- KerberosV4 = 1;
- KerberosV4first = 1;
- }
-#endif /* KRB5 && KRB4 */
- }
-
- if (!KerberosV4 && !KerberosV5) {
- return DECLINED;
- }
-
- name = ap_auth_name(r);
- if (!name) {
- ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
- "need AuthName: %s", r->uri);
- return HTTP_INTERNAL_SERVER_ERROR;
- }
-
- if (!auth_line) {
- ap_table_set(r->err_headers_out, "WWW-Authenticate",
- ap_pstrcat(r->pool, "Basic realm=\"", name, "\"", NULL));
- return HTTP_UNAUTHORIZED;
- }
-
- type = ap_getword_white(r->pool, &auth_line);
- t = ap_pbase64decode(r->pool, auth_line);
- r->connection->user = ap_getword_nulls(r->pool, &t, ':');
- r->connection->ap_auth_type = "Kerberos";
- sent_pw = ap_getword_white(r->pool, &t);
-
- retcode = DECLINED;
-
-#ifdef KRB5
- if (KerberosV5 && !KerberosV4first && retcode != OK) {
- if (kerb5_password_validate(r->connection->user, sent_pw)) {
- retcode = OK;
- }
- else {
- retcode = conf->krb_fail_status;
- }
- }
-#endif /* KRB5 */
-
-#ifdef KRB4
- if (KerberosV4 && retcode != OK) {
- if (kerb4_password_validate(r->connection->user, sent_pw)) {
- retcode = OK;
- }
- else {
- retcode = conf->krb_fail_status;
- }
- }
-#endif /* KRB4 */
-
-#if defined(KRB5) && defined(KRB4)
- if (KerberosV5 && KerberosV4first && retcode != OK) {
- if (kerb5_password_validate(r->connection->user, sent_pw)) {
- retcode = OK;
- }
- else {
- retcode = conf->krb_fail_status;
- }
- }
-#endif /* KRB5 && KRB4 */
-
- return retcode;
-}
+++ /dev/null
-static void *kerb_dir_config(pool *p, char *d)
-{
- static void *rec;
- rec = (void *) ap_pcalloc(p, sizeof(kerb_auth_config));
- ((kerb_auth_config *)rec)->krb_fail_status = HTTP_UNAUTHORIZED;
- ((kerb_auth_config *)rec)->krb_authoritative = 0;
- ((kerb_auth_config *)rec)->krb_auth_type = ap_pstrdup(p, "None");
- return rec;
-}
+++ /dev/null
-module MODULE_VAR_EXPORT kerb_auth_module = {
- STANDARD_MODULE_STUFF,
- NULL, /* module initializer */
- kerb_dir_config, /* per-directory config creator */
- NULL, /* per-directory config merger */
- NULL, /* per-server config creator */
- NULL, /* per-server config merger */
- kerb_auth_cmds, /* command table */
- NULL, /* [ 9] content handlers */
- NULL, /* [ 2] URI-to-filename translation */
- kerb_authenticate_user, /* [ 5] check/validate user_id */
- kerb_check_user_access, /* [ 6] check user_id is valid *here* */
- NULL, /* [ 4] check access by host address */
- NULL, /* [ 7] MIME type checker/setter */
- NULL, /* [ 8] fixups */
- NULL, /* [10] logger */
- NULL, /* [ 3] header parser */
- NULL, /* process initialization */
- NULL, /* process exit/cleanup */
- NULL /* [ 1] post read_request handling */
-#ifdef EAPI
- , /* EAPI Additions */
- NULL, /* EAPI add module */
- NULL, /* EAPI remove module */
- NULL, /* EAPI rewrite command */
- NULL /* EAPI new connection */
-#endif /* EAPI */
-};