From: jadestorm Date: Mon, 30 Jun 2003 15:01:17 +0000 (+0000) Subject: Committing what I have. See ChangeLog for the last couple of things I X-Git-Tag: v5.0-rc1~25 X-Git-Url: http://www.project-moonshot.org/gitweb/?p=mod_auth_kerb.git;a=commitdiff_plain;h=575dec83227dadc563ada2d9bdc980c5b2c67f3b Committing what I have. See ChangeLog for the last couple of things I did. I wouldn't consider anything in any form of reasonable state at the moment. --- diff --git a/ChangeLog b/ChangeLog index ef1342d..6a834c0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,15 @@ +2003-06-10 Daniel Henninger + + * src/mod_auth_kerb.c: + Reworked the AuthType-esque directives. + Made KrbAuthRealm(s) be... more correct. + +2003-06-03 Daniel Henninger + + * src/mod_auth_kerb.c: + Removed KrbDefaultRealm, replaced with KrbAuthRealms. + Working on full multi-realm support as per request 738054. + 2003-06-02 Daniel Henninger * src/mod_auth_kerb.c: diff --git a/configure.in b/configure.in index 927e41d..fc8a93e 100644 --- a/configure.in +++ b/configure.in @@ -1,15 +1,23 @@ -dnl #################### -dnl ## Initialization ## -dnl #################### +dnl Process this file with autoconf to produce a configure script. AC_INIT(Apache Kerberos Module, alpha2, modauthkerb-developers@lists.sourceforge.net, mod_auth_kerb) +AC_CANONICAL_HOST -dnl #################### -dnl ## Config Options ## -dnl #################### +dnl OS specific options. +case "$host" in +*-*-netbsd*) + need_dash_r=1 + ;; +*-*-solaris*) + need_dash_r=1 + ;; +esac + + +dnl Custom args we care about. AC_ARG_WITH(api, [ --with-api=API api to use (apache1, apache2)], [ @@ -50,18 +58,11 @@ AC_ARG_WITH(static, AC_ARG_WITH(krb5, [ --with-krb5=DIR path to Kerberos 5 install], [ - if test -d $withval ; then - CFLAGS="$CFLAGS -I$withval/include -I$withval/include/kerberosIV" - CPPFLAGS="$CPPFLAGS -I$withval/include -I$withval/include/kerberosIV" - LDFLAGS="$LDFLAGS -L$withval/lib" - - case "$host" in - *-solaris*) - LDFLAGS="$LDFLAGS -R$withval/lib" - ;; - esac - else - AC_ERROR(Specified Kerberos 5 directory doesn't exist.) + CFLAGS="$CFLAGS -I$withval/include -I$withval/include/kerberosIV" + CPPFLAGS="$CPPFLAGS -I$withval/include -I$withval/include/kerberosIV" + LDFLAGS="$LDFLAGS -L$withval/lib" + if test -n "${need_dash_r}"; then + LDFLAGS="$LDFLAGS -R$withval/lib" fi ] ) @@ -69,28 +70,17 @@ AC_ARG_WITH(krb5, AC_ARG_WITH(krb5-include, [ --with-krb5-include=DIR include path to Kerberos 5 install], [ - if test -d $withval ; then - CFLAGS="$CFLAGS -I$withval -I$withval/include/kerberosIV" - CPPFLAGS="$CPPFLAGS -I$withval -I$withval/include/kerberosIV" - else - AC_ERROR(Specified Kerberos 5 directory doesn't exist.) - fi + CFLAGS="$CFLAGS -I$withval -I$withval/kerberosIV" + CPPFLAGS="$CPPFLAGS -I$withval -I$withval/kerberosIV" ] ) AC_ARG_WITH(krb5-lib, [ --with-krb5-lib=DIR lib path to Kerberos 5 install], [ - if test -d $withval ; then - LDFLAGS="$LDFLAGS -L$withval" - - case "$host" in - *-solaris*) - LDFLAGS="$LDFLAGS -R$withval" - ;; - esac - else - AC_ERROR(Specified Kerberos 5 directory doesn't exist.) + LDFLAGS="$LDFLAGS -L$withval" + if test -n "${need_dash_r}"; then + LDFLAGS="$LDFLAGS -R$withval" fi ] ) @@ -107,18 +97,11 @@ AC_ARG_ENABLE(krb5, AC_ARG_WITH(krb4, [ --with-krb4=DIR path to Kerberos 4 install], [ - if test -d $withval ; then - CFLAGS="$CFLAGS -I$withval/include" - CPPFLAGS="$CPPFLAGS -I$withval/include" - LDFLAGS="$LDFLAGS -L$withval/lib" - - case "$host" in - *-solaris*) - LDFLAGS="$LDFLAGS -R$withval/lib" - ;; - esac - else - AC_ERROR(Specified Kerberos 4 directory doesn't exist.) + CFLAGS="$CFLAGS -I$withval/include" + CPPFLAGS="$CPPFLAGS -I$withval/include" + LDFLAGS="$LDFLAGS -L$withval/lib" + if test -n "${need_dash_r}"; then + LDFLAGS="$LDFLAGS -R$withval/lib" fi ] ) @@ -126,28 +109,17 @@ AC_ARG_WITH(krb4, AC_ARG_WITH(krb4-include, [ --with-krb4-include=DIR include path to Kerberos 4 install], [ - if test -d $withval ; then - CFLAGS="$CFLAGS -I$withval" - CPPFLAGS="$CPPFLAGS -I$withval" - else - AC_ERROR(Specified Kerberos 4 directory doesn't exist.) - fi + CFLAGS="$CFLAGS -I$withval" + CPPFLAGS="$CPPFLAGS -I$withval" ] ) AC_ARG_WITH(krb4-lib, [ --with-krb4-lib=DIR lib path to Kerberos 4 install], [ - if test -d $withval ; then - LDFLAGS="$LDFLAGS -L$withval" - - case "$host" in - *-solaris*) - LDFLAGS="$LDFLAGS -R$withval" - ;; - esac - else - AC_ERROR(Specified Kerberos 4 directory doesn't exist.) + LDFLAGS="$LDFLAGS -L$withval" + if test -n "${need_dash_r}"; then + LDFLAGS="$LDFLAGS -R$withval" fi ] ) @@ -161,11 +133,50 @@ AC_ARG_ENABLE(krb4, ], ) +AC_ARG_WITH(gssapi, +[ --with-gssapi=DIR path to GSSAPI install], +[ + CFLAGS="$CFLAGS -I$withval/include -I$withval/include/gssapi" + CPPFLAGS="$CPPFLAGS -I$withval/include -I$withval/include/gssapi" + LDFLAGS="$LDFLAGS -L$withval/lib" + if test -n "${need_dash_r}"; then + LDFLAGS="$LDFLAGS -R$withval/lib" + fi +] +) + +AC_ARG_WITH(gssapi-include, +[ --with-gssapi-include=DIR include path to GSSAPI install], +[ + CFLAGS="$CFLAGS -I$withval -I$withval/gssapi" + CPPFLAGS="$CPPFLAGS -I$withval -I$withval/gssapi" +] +) + +AC_ARG_WITH(gssapi-lib, +[ --with-gssapi-lib=DIR lib path to GSSAPI install], +[ + LDFLAGS="$LDFLAGS -L$withval" + if test -n "${need_dash_r}"; then + LDFLAGS="$LDFLAGS -R$withval" + fi +] +) + +AC_ARG_ENABLE(gssapi, +[ --disable-gssapi force disabling of gssapi support], +[ + if test "$enable_gssapi" = "no" ; then + ac_gssapi_disable="yes" + fi +] +) + + -dnl #################### -dnl ## Program Checks ## -dnl #################### +dnl Checks for programs. AC_PROG_CC +AC_PROG_MAKE_SET if test -z "$ac_static" ; then AC_PATH_PROG(APXS, apxs) if test -z "$APXS" ; then @@ -175,9 +186,7 @@ if test -z "$ac_static" ; then fi -dnl ############### -dnl ## Libraries ## -dnl ############### +dnl Checks for libraries. if test -z "$ac_krb5_disable" ; then AC_CHECK_LIB(krb5, krb5_get_in_tkt_with_password, [ ac_krb5="yes" @@ -199,7 +208,7 @@ if test -z "$ac_krb5_disable" ; then AC_CHECK_LIB(krb4, krb_get_pw_in_tkt, [ ac_krb4="yes" ac_krbdefs="$ac_krbdefs -DKRB4" - ac_krblibs="$ac_krblibs -lkrb4 $ac_krblibs" + ac_krblibs="-lkrb4 $ac_krblibs" ],, $ac_krblibs) fi fi @@ -219,9 +228,7 @@ if test -z "$ac_krb4" -a -z "$ac_krb5" ; then fi -dnl ############# -dnl ## Headers ## -dnl ############# +dnl Checks for header files. if test -n "$ac_krb5" ; then AC_CHECK_HEADERS(krb5.h, [ ac_foundkrb5="yes" @@ -251,19 +258,7 @@ if test -z "$ac_krb4" -a -z "$ac_krb5" ; then fi -dnl ############## -dnl ## Typedefs ## -dnl ############## - - -dnl ################ -dnl ## Structures ## -dnl ################ - - -dnl ############################## -dnl ## Compiler Characteristics ## -dnl ############################## +dnl Checks for typedefs, structures, and compiler characteristics. if test -z "$ac_api" ; then if test -n "`$APXS -q bindir 2> /dev/null`" ; then echo "API autodetected to be Apache 2.*" @@ -277,27 +272,16 @@ if test -z "$ac_api" ; then fi -dnl ####################### -dnl ## Library Functions ## -dnl ####################### - - -dnl ##################### -dnl ## System Services ## -dnl ##################### +dnl Checks for library functions. -dnl ########################## -dnl ## Last Minute Settings ## -dnl ########################## +dnl Last minute settings. LIBS="$LIBS $ac_krblibs" DEFS="$DEFS $ac_apidefs $ac_krbdefs" CFLAGS="$CFLAGS $DEFS" -dnl ######################### -dnl ## Create Output Files ## -dnl ######################### +dnl Create files necessary to compile mod_auth_kerb. if test "$ac_static" = "yes" ; then echo "" echo "" diff --git a/src/mod_auth_kerb.c b/src/mod_auth_kerb.c index e15cb06..d66e3af 100644 --- a/src/mod_auth_kerb.c +++ b/src/mod_auth_kerb.c @@ -30,9 +30,12 @@ module AP_MODULE_DECLARE_DATA kerb_auth_module; #ifdef KRB5 #include -#include #endif /* KRB5 */ +#ifdef GSSAPI +#include +#endif /* GSSAPI */ + #ifdef KRB4 #include #endif /* KRB4 */ @@ -74,22 +77,29 @@ module AP_MODULE_DECLARE_DATA kerb_auth_module; Auth Configuration Structure ***************************************************************************/ typedef struct { - char *krb_auth_type; #ifdef KRB4 char *krb_4_srvtab; #endif /* KRB4 */ #ifdef KRB5 char *krb_5_keytab; #endif /* KRB5 */ + int krb_auth_enable; + char *krb_auth_realms; int krb_authoritative; - char *krb_default_realm; int krb_fail_status; char *krb_force_instance; #ifdef KRB5 int krb_forwardable; #endif /* KRB5 */ char *krb_lifetime; +#ifdef GSSAPI + int krb_method_gssapi; +#endif /* GSSAPI */ +#ifdef KRB4 + int krb_method_k4pass; +#endif /* KRB4 */ #ifdef KRB5 + int krb_method_k5pass; char *krb_renewable; #endif /* KRB5 */ int krb_save_credentials; @@ -97,6 +107,13 @@ typedef struct { char *service_name; } kerb_auth_config; + + + +/*************************************************************************** + GSSAPI Support Initialization + ***************************************************************************/ +#ifdef GSSAPI typedef struct { gss_ctx_id_t context; gss_cred_id_t server_creds; @@ -118,6 +135,8 @@ cleanup_gss_connection(void *data) if (gss_conn->server_creds != GSS_C_NO_CREDENTIAL) gss_release_cred(&minor_status, &gss_conn->server_creds); } +#endif /* GSSAPI */ + @@ -130,7 +149,19 @@ static void *kerb_dir_config(MK_POOL *p, char *d) rec = (void *) ap_pcalloc(p, sizeof(kerb_auth_config)); ((kerb_auth_config *)rec)->krb_fail_status = HTTP_UNAUTHORIZED; ((kerb_auth_config *)rec)->krb_authoritative = 0; - ((kerb_auth_config *)rec)->krb_auth_type = MK_PSTRDUP(p, "None"); +#ifdef GSSAPI + ((kerb_auth_config *)rec)->krb_method_gssapi = 0; +#endif /* GSSAPI */ +#ifdef KRB4 + ((kerb_auth_config *)rec)->krb_method_k4pass = 1; +#endif /* KRB4 */ +#ifdef KRB5 + ((kerb_auth_config *)rec)->krb_method_k5pass = 1; +#ifdef KRB4 + ((kerb_auth_config *)rec)->krb_method_k4pass = 0; +#endif /* KRB4 */ +#endif /* KRB5 */ + ((kerb_auth_config *)rec)->krb_auth_realms = ""; return rec; } @@ -155,33 +186,6 @@ static const char *kerb_set_fail_slot(cmd_parms *cmd, void *struct_ptr, return NULL; } -/* these are either char *struct_ptr, char *arg or void *struct_ptr, const char *arg */ -static const char *kerb_set_type_slot(cmd_parms *cmd, void *struct_ptr, - const char *arg) -{ - int offset = (int) (long) cmd->info; -#ifdef KRB5 - if (!strncasecmp(arg, "v5", 2)) - *(char **) ((char *)struct_ptr + offset) = MK_PSTRDUP(cmd->pool, "KerberosV5"); - else -#endif /* KRB5 */ -#ifdef KRB4 - if (!strncasecmp(arg, "v4", 2)) - *(char **) ((char *)struct_ptr + offset) = MK_PSTRDUP(cmd->pool, "KerberosV4"); - else -#endif /* KRB4 */ - if (!strncasecmp(arg, "dualv5v4", 8)) - *(char **) ((char *)struct_ptr + offset) = MK_PSTRDUP(cmd->pool, "KerberosDualV5V4"); - else if - (!strncasecmp(arg, "dualv4v5", 8)) - *(char **) ((char *)struct_ptr + offset) = MK_PSTRDUP(cmd->pool, "KerberosDualV4V5"); -#if defined(KRB4) && defined(KRB5) -#endif /* KRB4 && KRB5 */ - else - return "AuthKerberos must be V5, V4, DualV4V5, or DualV5V4."; - return NULL; -} - @@ -192,10 +196,10 @@ static const char *kerb_set_type_slot(cmd_parms *cmd, void *struct_ptr, command_rec kerb_auth_cmds[] = { { "AuthKerberos", - kerb_set_type_slot, - (void*)XtOffsetOf(kerb_auth_config, krb_auth_type), + ap_set_flag_slot, + (void*)XtOffsetOf(kerb_auth_config, krb_auth_enable), OR_AUTHCFG, - TAKE1, + FLAG, "Permit Kerberos auth without AuthType requirement." }, @@ -231,12 +235,12 @@ command_rec kerb_auth_cmds[] = { }, { - "KrbDefaultRealm", + "KrbAuthRealm", ap_set_string_slot, - (void*)XtOffsetOf(kerb_auth_config, krb_default_realm), + (void*)XtOffsetOf(kerb_auth_config, krb_auth_realms), OR_AUTHCFG, - TAKE1, - "Default realm to authenticate users against." + ITERATE, + "Realms to attempt authentication against (can be multiple)." }, { @@ -277,8 +281,39 @@ command_rec kerb_auth_cmds[] = { "Lifetime of tickets retrieved." }, +#ifdef GSSAPI + { + "KrbMethodGSSAPI", + ap_set_flag_slot, + (void*)XtOffsetOf(kerb_auth_config, krb_method_gssapi), + OR_AUTHCFG, + FLAG, + "Enable GSSAPI authentication." + }, +#endif /* GSSAPI */ + +#ifdef KRB4 + { + "KrbMethodK4Pass", + ap_set_flag_slot, + (void*)XtOffsetOf(kerb_auth_config, krb_method_k4pass), + OR_AUTHCFG, + FLAG, + "Enable Kerberos V4 password authentication." + }, +#endif /* KRB4 */ + #ifdef KRB5 { + "KrbMethodK5Pass", + ap_set_flag_slot, + (void*)XtOffsetOf(kerb_auth_config, krb_method_k5pass), + OR_AUTHCFG, + FLAG, + "Enable Kerberos V5 password authentication." + }, + + { "KrbRenewable", ap_set_string_slot, (void*)XtOffsetOf(kerb_auth_config, krb_renewable), @@ -320,10 +355,10 @@ command_rec kerb_auth_cmds[] = { #else #ifdef APXS2 static const command_rec kerb_auth_cmds[] = { - AP_INIT_TAKE1( + AP_INIT_FLAG( "AuthKerberos", kerb_set_type_slot, - (void*)APR_XtOffsetOf(kerb_auth_config, krb_auth_type), + (void*)APR_XtOffsetOf(kerb_auth_config, krb_auth_enable), OR_AUTHCFG, "Permit Kerberos auth without AuthType requirement." ), @@ -356,12 +391,12 @@ static const command_rec kerb_auth_cmds[] = { "Refuse to pass request down to lower modules." ), - AP_INIT_TAKE1( - "KrbDefaultRealm", + AP_INIT_ITERATE( + "KrbAuthRealm", ap_set_string_slot, - (void*)APR_XtOffsetOf(kerb_auth_config, krb_default_realm), + (void*)APR_XtOffsetOf(kerb_auth_config, krb_auth_realms), OR_AUTHCFG, - "Default realm to authenticate users against." + "Realm to attempt authentication against (can be multiple)." ), AP_INIT_TAKE1( @@ -398,7 +433,35 @@ static const command_rec kerb_auth_cmds[] = { "Lifetime of tickets retrieved." ), +#ifdef GSSAPI + AP_INIT_FLAG( + "KrbMethodGSSAPI", + ap_set_flag_slot, + (void*)APR_XtOffsetOf(kerb_auth_config, krb_method_gssapi), + OR_AUTHCFG, + "Enable GSSAPI authentication." + ), +#endif /* GSSAPI */ + +#ifdef KRB4 + AP_INIT_FLAG( + "KrbMethodK4Pass", + ap_set_flag_slot, + (void*)APR_XtOffsetOf(kerb_auth_config, krb_method_k4pass), + OR_AUTHCFG, + "Enable Kerberos V4 password authentication." + ), +#endif /* KRB4 */ + #ifdef KRB5 + AP_INIT_FLAG( + "KrbMethodK5Pass", + ap_set_flag_slot, + (void*)APR_XtOffsetOf(kerb_auth_config, krb_method_k5pass), + OR_AUTHCFG, + "Enable Kerberos V5 password authentication." + ), + AP_INIT_TAKE1( "KrbRenewable", ap_set_string_slot, @@ -444,14 +507,18 @@ krb5_verify_user(krb5_context context, krb5_principal principal, krb5_ccache ccache, const char *password, krb5_boolean secure, const char *service) { - int problem; + int ret; + krb5_context kcontext; + krb5_principal server, client; krb5_timestamp now; krb5_creds my_creds; + krb5_flags options = 0; + krb5_principal me = NULL; krb5_data tgtname = { 0, KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME - } + }; memset((char *)&my_creds, 0, sizeof(my_creds)); my_creds.client = principal; @@ -477,7 +544,7 @@ krb5_verify_user(krb5_context context, krb5_principal principal, */ ret = krb5_get_in_tkt_with_password(kcontext, options, 0, NULL, 0, - pass, ccache, &my_creds, 0); + password, ccache, &my_creds, 0); if (ret) { return ret; } @@ -645,6 +712,7 @@ int kerb5_password_validate(request_rec *r, const char *user, const char *pass) lifetime = atoi(conf->krb_lifetime); } +/* ???? code = krb5_cc_gen_new(kcontext, &krb5_mcc_ops, &ccache); if (code) { snprintf(errstr, sizeof(errstr), "krb5_cc_gen_new(): %.100s", @@ -653,8 +721,9 @@ int kerb5_password_validate(request_rec *r, const char *user, const char *pass) ret = SERVER_ERROR; goto end; } +*/ - realms = conf->krb_default_realm; + realms = conf->krb_auth_realms; do { code = 0; if (realms) { @@ -794,6 +863,13 @@ int kerb4_password_validate(request_rec *r, const char *user, const char *pass) } #endif /* KRB4 */ + + + +/*************************************************************************** + GSSAPI Validation + ***************************************************************************/ +#ifdef GSSAPI static int get_gss_creds(request_rec *r, kerb_auth_config *conf, @@ -1013,6 +1089,9 @@ end: return ret; } +#endif /* GSSAPI */ + + /*************************************************************************** @@ -1022,9 +1101,6 @@ int kerb_authenticate_user(request_rec *r) { const char *name; /* AuthName specified */ const char *type; /* AuthType specified */ - int KerberosV5 = 0; /* Kerberos V5 check enabled */ - int KerberosV4 = 0; /* Kerberos V4 check enabled */ - int KerberosV4first = 0; /* Kerberos V4 check first */ const char *sent_pw; /* Password sent by browser */ int res; /* Response holder */ int retcode; /* Return code holder */ @@ -1040,38 +1116,8 @@ int kerb_authenticate_user(request_rec *r) type = ap_auth_type(r); - if (type != NULL) { -#ifdef KRB5 - if ((strncasecmp(type, "KerberosV5", 10) == 0) || - (strncasecmp(conf->krb_auth_type, "KerberosV5", 10) == 0)) { - KerberosV5 = 1; - } -#endif /* KRB5 */ - -#ifdef KRB4 - if ((strncasecmp(type, "KerberosV4", 10) == 0) || - (strncasecmp(conf->krb_auth_type, "KerberosV4", 10) == 0)) { - KerberosV4 = 1; - } -#endif /* KRB4 */ - -#if defined(KRB5) && defined(KRB4) - if ((strncasecmp(type, "KerberosDualV5V4", 15) == 0) || - (strncasecmp(conf->krb_auth_type, "KerberosDualV5V4", 15) == 0)) { - KerberosV5 = 1; - KerberosV4 = 1; - } - - if ((strncasecmp(type, "KerberosDualV4V5", 15) == 0) || - (strncasecmp(conf->krb_auth_type, "KerberosDualV4V5", 15) == 0)) { - KerberosV5 = 1; - KerberosV4 = 1; - KerberosV4first = 1; - } -#endif /* KRB5 && KRB4 */ - } - - if (!KerberosV4 && !KerberosV5) { + if (!conf->krb_auth_enable && + (type == NULL || (strncasecmp(type, "Kerberos", 8) != 0))) { if (conf->krb_authoritative) { return HTTP_UNAUTHORIZED; } @@ -1100,8 +1146,23 @@ int kerb_authenticate_user(request_rec *r) retcode = DECLINED; +#ifdef GSSAPI + if (conf->krb_method_gssapi && retcode != OK) { +/* + Whatever you need to do here =) + MK_AUTH_TYPE = "GSSAPI"; + if (kerb5_password_validate(r, MK_USER, sent_pw)) { + retcode = OK; + } + else { + retcode = conf->krb_fail_status; + } +*/ + } +#endif /* GSSAPI */ + #ifdef KRB5 - if (KerberosV5 && !KerberosV4first && retcode != OK) { + if (conf->krb_method_k5pass && retcode != OK) { MK_AUTH_TYPE = "KerberosV5"; if (kerb5_password_validate(r, MK_USER, sent_pw)) { retcode = OK; @@ -1114,7 +1175,7 @@ int kerb_authenticate_user(request_rec *r) #endif /* KRB5 */ #ifdef KRB4 - if (KerberosV4 && retcode != OK) { + if (conf->krb_method_k4pass && retcode != OK) { MK_AUTH_TYPE = "KerberosV4"; if (kerb4_password_validate(r, MK_USER, sent_pw)) { retcode = OK; @@ -1125,18 +1186,6 @@ int kerb_authenticate_user(request_rec *r) } #endif /* KRB4 */ -#if defined(KRB5) && defined(KRB4) - if (KerberosV5 && KerberosV4first && retcode != OK) { - MK_AUTH_TYPE = "KerberosV5"; - if (kerb5_password_validate(r, MK_USER, sent_pw)) { - retcode = OK; - } - else { - retcode = conf->krb_fail_status; - } - } -#endif /* KRB5 && KRB4 */ - if (conf->krb_authoritative && retcode == DECLINED) { return HTTP_UNAUTHORIZED; }