From: jadestorm
Date: Mon, 8 Jul 2002 01:55:08 +0000 (+0000)
Subject: Added Dual Auth support via KerberosDualV5V4 and KerberosDualV4V5.
X-Git-Tag: Development-5.0.alpha1~5
X-Git-Url: http://www.project-moonshot.org/gitweb/?p=mod_auth_kerb.git;a=commitdiff_plain;h=c29714b3473d77e5d819334a4cbd724550fbe1f1
Added Dual Auth support via KerberosDualV5V4 and KerberosDualV4V5.
---
diff --git a/ChangeLog b/ChangeLog
index 6993552..2252875 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2002-07-07 Daniel Henninger
+
+ * TODO:
+ Finished creation of TODO file and went through all submissions.
+
+ * apache1/auth_user.c:
+ * apache2/auth_user.c:
+ Added KerberosDualV5V4 and KerberosDualV4V5 support.
+
 2002-05-08 Daniel Henninger
 * *:
diff --git a/TODO b/TODO
index bc2ff71..be9790f 100644
--- a/TODO
+++ b/TODO
@@ -1,6 +1,3 @@
-- Dual Auth Support
- Try Kerberos V5 and then V4 or visa versa.
-
 - Save Creds/Tickets
 Retrieve and store krbtgt and set env variable of file path.
diff --git a/apache1/auth_user.c b/apache1/auth_user.c
index 4205239..b6a0dbf 100644
--- a/apache1/auth_user.c
+++ b/apache1/auth_user.c
@@ -3,8 +3,10 @@ int kerb_authenticate_user(request_rec *r) {
 const char *type; /* AuthType specified */
 int KerberosV5 = 0; /* Kerberos V5 check enabled */
 int KerberosV4 = 0; /* Kerberos V4 check enabled */
+ int KerberosV4first = 0; /* Kerberos V4 check first */
 const char *sent_pw; /* Password sent by browser */
 int res; /* Response holder */
+ int retcode; /* Return code holder */
 const char *t; /* Decoded auth_line */
 const char *authtype; /* AuthType to send back to browser */
 const char *auth_line = ap_table_get(r->headers_in,
@@ -26,6 +28,19 @@ int kerb_authenticate_user(request_rec *r) {
 KerberosV4 = 1;
 }
 #endif /* KRB4 */
+
+#if defined(KRB5) && defined(KRB4)
+ if (strncasecmp(type, "KerberosDualV5V4", 15) == 0) {
+ KerberosV5 = 1;
+ KerberosV4 = 1;
+ }
+
+ if (strncasecmp(type, "KerberosDualV4V5", 15) == 0) {
+ KerberosV5 = 1;
+ KerberosV4 = 1;
+ KerberosV4first = 1;
+ }
+#endif /* KRB5 && KRB4 */
 }
 if (!KerberosV4 && !KerberosV5) {
@@ -51,26 +66,40 @@ int kerb_authenticate_user(request_rec *r) {
 r->connection->ap_auth_type = "Kerberos";
 sent_pw = ap_getword_white(r->pool, &t);
+ retcode = DECLINED;
+
 #ifdef KRB5
- if (KerberosV5) {
+ if (KerberosV5 && !KerberosV4first && retcode != OK) {
 if (kerb5_password_validate(r->connection->user, sent_pw)) {
- return OK;
+ retcode = OK;
 }
 else {
- return HTTP_UNAUTHORIZED;
+ retcode = HTTP_UNAUTHORIZED;
 }
 }
 #endif /* KRB5 */
+
 #ifdef KRB4
- if (KerberosV4) {
+ if (KerberosV4 && retcode != OK) {
 if (kerb4_password_validate(r->connection->user, sent_pw)) {
- return OK;
+ retcode = OK;
 }
 else {
- return HTTP_UNAUTHORIZED;
+ retcode = HTTP_UNAUTHORIZED;
 }
 }
 #endif /* KRB4 */
- return DECLINED;
+#if defined(KRB5) && defined(KRB4)
+ if (KerberosV5 && KerberosV4first && retcode != OK) {
+ if (kerb5_password_validate(r->connection->user, sent_pw)) {
+ retcode = OK;
+ }
+ else {
+ retcode = HTTP_UNAUTHORIZED;
+ }
+ }
+#endif /* KRB5 && KRB4 */
+
+ return retcode;
 }
diff --git a/apache2/auth_user.c b/apache2/auth_user.c
index 7e828c9..ff3c76a 100644
--- a/apache2/auth_user.c
+++ b/apache2/auth_user.c
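Review bot: Both new AuthType checks in the `@@ -26,6 +28,19 @@` hunk of apache1/auth_user.c compare only 15 characters of 16-character literals, so the final character is never examined and the test is a prefix match: a mistyped value such as `KerberosDualV5Vx` would switch dual authentication on without any complaint. An exact case-insensitive comparison states what is meant, e.g. `if (strcasecmp(type, "KerberosDualV5V4") == 0) {` and the same for `"KerberosDualV4V5"`. The identical lines in the `@@ -26,6 +28,19 @@` hunk of apache2/auth_user.c need the same change. The enclosing block opens above the hunk, so whether the existing single-protocol checks follow the same prefix style cannot be seen from here.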
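Review bot: In the `@@ -51,26 +66,40 @@` hunk of apache1/auth_user.c nothing records which protocol accepted the password: `r->connection->ap_auth_type` stays `"Kerberos"` on every path, whereas the apache2 version of this function sets `r->ap_auth_type` before each attempt. With the dual modes a password rejected by the first mechanism is retried against the second, so a login is only as strong as the weaker of the two, and presumably each bad password now produces a failed attempt against both realms; telling a V4 fallback from a V5 success in the logs matters for that reason. Consider setting `r->connection->ap_auth_type = "KerberosV5";` and `r->connection->ap_auth_type = "KerberosV4";` at the top of the respective branches, and adding above `retcode = DECLINED;` a comment such as `/* Dual mode: the second mechanism is tried only when the first rejects the password. */`. The function body begins outside this hunk, so any other reader of `ap_auth_type` should be checked before changing it.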
@@ -3,9 +3,11 @@ int kerb_authenticate_user(request_rec *r) {
 const char *type; /* AuthType specified */
 int KerberosV5 = 0; /* Kerberos V5 check enabled */
 int KerberosV4 = 0; /* Kerberos V4 check enabled */
+ int KerberosV4first = 0; /* Kerberos V4 check first */
 const char *sent_pw; /* Password sent by browser */
 const char *t; /* Return value holder */
 int res; /* Response holder */
+ int retcode; /* Return code holder */
 const char *auth_line = apr_table_get(r->headers_in, (PROXYREQ_PROXY == r->proxyreq)
@@ -26,6 +28,19 @@ int kerb_authenticate_user(request_rec *r) {
 KerberosV4 = 1;
 }
 #endif /* KRB4 */
+
+#if defined(KRB5) && defined(KRB4)
+ if (strncasecmp(type, "KerberosDualV5V4", 15) == 0) {
+ KerberosV5 = 1;
+ KerberosV4 = 1;
+ }
+
+ if (strncasecmp(type, "KerberosDualV4V5", 15) == 0) {
+ KerberosV5 = 1;
+ KerberosV4 = 1;
+ KerberosV4first = 1;
+ }
+#endif /* KRB5 && KRB4 */
 }
 if (!KerberosV4 && !KerberosV5) {
@@ -51,28 +66,43 @@ int kerb_authenticate_user(request_rec *r) {
 r->ap_auth_type = "Kerberos";
 sent_pw = ap_getword_white(r->pool, &t);
+ retcode = DECLINED;
+
 #ifdef KRB5
- if (KerberosV5) {
+ if (KerberosV5 && !KerberosV4first && retcode != OK) {
 r->ap_auth_type = "KerberosV5";
 if (kerb5_password_validate(r->user, sent_pw)) {
- return OK;
+ retcode = OK;
 }
 else {
- return HTTP_UNAUTHORIZED;
+ retcode = HTTP_UNAUTHORIZED;
 }
 }
 #endif /* KRB5 */
+
 #ifdef KRB4
- if (KerberosV4) {
+ if (KerberosV4 && retcode != OK) {
 r->ap_auth_type = "KerberosV4";
 if (kerb4_password_validate(r->user, sent_pw)) {
- return OK;
+ retcode = OK;
 }
 else {
- return HTTP_UNAUTHORIZED;
+ retcode = HTTP_UNAUTHORIZED;
 }
 }
 #endif /* KRB4 */
- return DECLINED;
+#if defined(KRB5) && defined(KRB4)
+ if (KerberosV5 && KerberosV4first && retcode != OK) {
+ r->ap_auth_type = "KerberosV5";
+ if (kerb5_password_validate(r->user, sent_pw)) {
+ retcode = OK;
+ }
+ else {
+ retcode = HTTP_UNAUTHORIZED;
+ }
+ }
+#endif /* KRB5 && KRB4 */
+
+ return retcode;
 }
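Review bot: The Kerberos V5 attempt in the `@@ -51,28 +66,43 @@` hunk of apache2/auth_user.c is written out twice, once for the V5-first order and once under `#if defined(KRB5) && defined(KRB4)` for the V4-first order, so any later fix to the V5 path has to be made in both copies; the matching apache1 hunk has the same shape. The `retcode != OK` test in the first copy is also always true, because `retcode = DECLINED;` is assigned just above it, and `if (KerberosV5 && !KerberosV4first) {` reads the same. A small static helper that performs one V5 attempt and returns `OK` or `HTTP_UNAUTHORIZED`, called from both positions, would keep the two orders in step. The function continues outside the hunk.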