From: kouril Date: Thu, 2 Feb 2006 15:35:42 +0000 (+0000) Subject: Added SSL_preauthentication option X-Git-Tag: v5.0~17 X-Git-Url: http://www.project-moonshot.org/gitweb/?p=mod_auth_kerb.git;a=commitdiff_plain;h=4d19deb987125bd037657838ff05c5fd52fb553c Added SSL_preauthentication option --- diff --git a/src/mod_auth_kerb.c b/src/mod_auth_kerb.c index de9bfa7..64a0a12 100644 --- a/src/mod_auth_kerb.c +++ b/src/mod_auth_kerb.c @@ -154,6 +154,7 @@ typedef struct { const char *krb_service_name; int krb_authoritative; int krb_delegate_basic; + int krb_ssl_preauthentication; #ifdef KRB5 char *krb_5_keytab; int krb_method_gssapi; @@ -206,6 +207,9 @@ static const command_rec kerb_auth_cmds[] = { command("KrbDelegateBasic", ap_set_flag_slot, krb_delegate_basic, FLAG, "Always offer Basic authentication regardless of KrbMethodK5Pass and pass on authentication to lower modules if Basic headers arrive."), + command("KrbEnableSSLPreauthentication", ap_set_flag_slot, krb_ssl_preauthentication, + FLAG, "Don't do Kerberos authentication if the user is already authenticated using SSL and her client certificate."), + #ifdef KRB5 command("Krb5Keytab", ap_set_file_slot, krb_5_keytab, TAKE1, "Location of Kerberos V5 keytab file."), @@ -304,6 +308,7 @@ static void *kerb_dir_create_config(MK_POOL *p, char *d) ((kerb_auth_config *)rec)->krb_service_name = NULL; ((kerb_auth_config *)rec)->krb_authoritative = 1; ((kerb_auth_config *)rec)->krb_delegate_basic = 0; + ((kerb_auth_config *)rec)->krb_ssl_preauthentication = 0; #ifdef KRB5 ((kerb_auth_config *)rec)->krb_method_k5pass = 1; ((kerb_auth_config *)rec)->krb_method_gssapi = 1; @@ -1482,6 +1487,14 @@ kerb_authenticate_user(request_rec *r) else return DECLINED; + if (conf->krb_ssl_preauthentication) { + const char *ssl_client_verify = ssl_var_lookup(r->pool, r->server, + r->connection, r, "SSL_CLIENT_VERIFY"); + + if (ssl_client_verify && strcmp(ssl_client_verify, "SUCCESS") == 0) + return OK; + } + /* get what the user sent us in the HTTP header */ auth_line = MK_TABLE_GET(r->headers_in, (r->proxyreq == PROXYREQ_PROXY) ? "Proxy-Authorization"