typedef struct {
char *krb_auth_realms;
int krb_save_credentials;
+ int krb_verify_kdc;
#ifdef KRB5
char *krb_5_keytab;
int krb_method_gssapi;
command("KrbSaveCredentials", ap_set_flag_slot, krb_save_credentials,
FLAG, "Save and store credentials/tickets retrieved during auth."),
+ command("KrbVerifyKDC", ap_set_flag_slot, krb_verify_kdc,
+ FLAG, "Verify tickets against keytab to prevent KDC spoofing attacks."),
+
#ifdef KRB5
command("Krb5Keytab", ap_set_file_slot, krb_5_keytab,
TAKE1, "Location of Kerberos V5 keytab file."),
kerb_auth_config *rec;
rec = (kerb_auth_config *) ap_pcalloc(p, sizeof(kerb_auth_config));
+ ((kerb_auth_config *)rec)->krb_verify_kdc = 1;
#ifdef KRB5
((kerb_auth_config *)rec)->krb_method_k5pass = 1;
((kerb_auth_config *)rec)->krb_method_gssapi = 1;
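Review bot: The cast on the added line `((kerb_auth_config *)rec)->krb_verify_kdc = 1;` is redundant, since rec is already declared as kerb_auth_config * two lines above; `rec->krb_verify_kdc = 1;` reads cleaner. The neighbouring KRB5 lines use the same cast, so keeping it for consistency is defensible, but new lines need not copy the pattern. Defaulting the flag to 1 keeps KDC verification on unless a configuration explicitly disables it, which is the right default for this option. The enclosing config-creation function continues outside the hunk.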
***************************************************************************/
static int
verify_krb4_user(request_rec *r, char *name, char *instance, char *realm,
- char *password, char *linstance, char *srvtab)
+ char *password, char *linstance, char *srvtab, int krb_verify_kdc)
{
int ret;
char *phost;
return ret;
}
+ if (!krb_verify_kdc)
+ return ret;
+
hostname = ap_get_server_name(r);
hp = gethostbyname(hostname);
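Review bot: The early return at `if (!krb_verify_kdc) return ret;` skips the srvtab-based service-ticket check entirely, so with the option off a password is accepted on the strength of the KDC reply alone; that is the option's purpose, but nothing in the code says so. A comment such as `/* KrbVerifyKDC Off: skip the srvtab check; a forged KDC reply would then be accepted */` would record the trade-off for the next maintainer. The value returned is whatever the preceding call left in ret, presumably 0 on this path, which the caller's `if (ret == 0) break;` relies on; worth confirming rather than assuming. verify_krb4_user starts and ends outside this hunk.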
ret = verify_krb4_user(r, (char *)sent_name,
(sent_instance) ? sent_instance : "",
(char *)realm, (char *)sent_pw, "khttp",
- conf->krb_4_srvtab);
+ conf->krb_4_srvtab, conf->krb_verify_kdc);
if (ret == 0)
break;
} while (realms && *realms);
static krb5_error_code
verify_krb5_user(request_rec *r, krb5_context context, krb5_principal principal,
krb5_ccache ccache, const char *password, const char *service,
- krb5_keytab keytab)
+ krb5_keytab keytab, int krb_verify_kdc)
{
krb5_creds creds;
krb5_principal server = NULL;
goto end;
krb5_verify_init_creds_opt_init(&opt);
- krb5_verify_init_creds_opt_set_ap_req_nofail(&opt, 1);
+ krb5_verify_init_creds_opt_set_ap_req_nofail(&opt, krb_verify_kdc);
ret = krb5_verify_init_creds(context, &creds, server, keytab, NULL, &opt);
if (ret)
continue;
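Review bot: Passing krb_verify_kdc to `krb5_verify_init_creds_opt_set_ap_req_nofail` does not disable verification the way the KRB4 path's early return does: as I read the krb5 API, clearing nofail only makes a missing service key in the keytab non-fatal, while krb5_verify_init_creds still verifies (and still fails) whenever the key is present. If KrbVerifyKDC Off is meant to behave the same for both protocols, the verify call would also need guarding, e.g. `if (krb_verify_kdc) ret = krb5_verify_init_creds(context, &creds, server, keytab, NULL, &opt);`. The asymmetry may well be intentional, since verifying whenever a keytab is available is the safer behaviour; in that case a comment stating that the flag only relaxes the missing-keytab case would prevent confusion. verify_krb5_user continues outside the hunk in both directions.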
code = verify_krb5_user(r, kcontext, client, ccache, sent_pw, "khttp",
- keytab);
+ keytab, conf->krb_verify_kdc);
if (code == 0)
break;