+++ /dev/null
-\r
-Add S4U2Proxy feature:\r
-\r
-https://sourceforge.net/mailarchive/forum.php?thread_name=4EE665D1.3000308%40redhat.com&forum_name=modauthkerb-help\r
-\r
-The attached patches add support for using s4u2proxy \r
-(http://k5wiki.kerberos.org/wiki/Projects/Services4User) to allow the \r
-web service to obtain credentials on behalf of the authenticated user.\r
-\r
-The first patch adds basic support for s4u2proxy. This requires the web \r
-administrator to manually create and manage the credentails cache for \r
-the apache user (via a cron job, for example).\r
-\r
-The second patch builds on this and makes mod_auth_kerb manage the \r
-ccache instead.\r
-\r
-These are patches against the current CVS HEAD (mod_auth_krb 5.4).\r
-\r
-I've added a new module option to enable this support, \r
-KrbConstrainedDelegation. The default is off.\r
-\r
---- mod_auth_kerb-5.4.orig/README 2008-11-26 11:51:05.000000000 -0500\r
-+++ mod_auth_kerb-5.4/README 2012-01-04 11:17:22.000000000 -0500\r
-@@ -122,4 +122,16 @@ KrbSaveCredentials, the tickets will be \r
- credential cache that will be available for the request handler. The ticket\r
- file will be removed after request is handled.\r
- \r
-+Constrained Delegation\r
-+----------------------\r
-+S4U2Proxy, or constrained delegation, enables a service to use a client's\r
-+ticket to itself to request another ticket for delegation. The KDC\r
-+checks krbAllowedToDelegateTo to decide if it will issue a new ticket.\r
-+If KrbConstrainedDelegation is enabled the server will use its own credentials\r
-+to retrieve a delegated ticket for the user. For this to work the user must\r
-+have a forwardable ticket (though the delegation flag need not be set).\r
-+The server needs a valid credentials cache for this to work.\r
-+\r
-+The module itself will obtain and manage the necessary credentials.\r
-+\r
- $Id: README,v 1.12 2008/09/17 14:01:55 baalberith Exp $\r
-diff -up --recursive mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c mod_auth_kerb-5.4/src/mod_auth_kerb.c\r
---- mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c 2011-12-09 17:55:05.000000000 -0500\r
-+++ mod_auth_kerb-5.4/src/mod_auth_kerb.c 2012-03-01 14:19:40.000000000 -0500\r
-@@ -42,6 +42,31 @@\r
- * POSSIBILITY OF SUCH DAMAGE.\r
- */\r
- \r
-+/*\r
-+ * Locking mechanism inspired by mod_rewrite.\r
-+ *\r
-+ * Licensed to the Apache Software Foundation (ASF) under one or more\r
-+ * contributor license agreements. See the NOTICE file distributed with\r
-+ * this work for additional information regarding copyright ownership.\r
-+ * The ASF licenses this file to You under the Apache License, Version 2.0\r
-+ * (the "License"); you may not use this file except in compliance with\r
-+ * the License. You may obtain a copy of the License at\r
-+ *\r
-+ * http://www.apache.org/licenses/LICENSE-2.0\r
-+ *\r
-+ * Unless required by applicable law or agreed to in writing, software\r
-+ * distributed under the License is distributed on an "AS IS" BASIS,\r
-+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
-+ * See the License for the specific language governing permissions and\r
-+ * limitations under the License.\r
-+ */\r
-+\r
-+/*\r
-+ * S4U2Proxy code\r
-+ *\r
-+ * Copyright (C) 2012 Red Hat\r
-+ */\r
-+\r
- #ident "$Id: mod_auth_kerb.c,v 1.150 2008/12/04 10:14:03 baalberith Exp $"\r
- \r
- #include "config.h"\r
-@@ -49,6 +74,7 @@\r
- #include <stdlib.h>\r
- #include <stdio.h>\r
- #include <stdarg.h>\r
-+#include <unixd.h>\r
- \r
- #define MODAUTHKERB_VERSION "5.4"\r
- \r
-@@ -122,6 +148,12 @@\r
- module auth_kerb_module;\r
- #endif\r
- \r
-+#ifdef STANDARD20_MODULE_STUFF\r
-+/* s4u2proxy only supported in 2.0+ */\r
-+static const char *lockname;\r
-+static apr_global_mutex_t *s4u2proxy_lock = NULL;\r
-+#endif\r
-+\r
- /*************************************************************************** \r
- Macros To Ease Compatibility\r
- ***************************************************************************/\r
-@@ -156,6 +188,7 @@\r
- int krb_method_gssapi;\r
- int krb_method_k5pass;\r
- int krb5_do_auth_to_local;\r
-+ int krb5_s4u2proxy;\r
- #endif\r
- #ifdef KRB4\r
- char *krb_4_srvtab;\r
-@@ -176,6 +209,11 @@\r
- \r
- static const char*\r
- krb5_save_realms(cmd_parms *cmd, void *sec, const char *arg);\r
-+static const char *\r
-+cmd_delegationlock(cmd_parms *cmd, void *dconf, const char *a1);\r
-+\r
-+static int\r
-+obtain_server_credentials(request_rec *r, const char *service_name);\r
- \r
- #ifdef STANDARD20_MODULE_STUFF\r
- #define command(name, func, var, type, usage) \\r
-@@ -228,6 +266,12 @@\r
- \r
- command("KrbLocalUserMapping", ap_set_flag_slot, krb5_do_auth_to_local,\r
- FLAG, "Set to 'on' to have Kerberos do auth_to_local mapping of principal names to system user names."),\r
-+\r
-+ command("KrbConstrainedDelegation", ap_set_flag_slot, krb5_s4u2proxy,\r
-+ FLAG, "Set to 'on' to have Kerberos use S4U2Proxy delegation."),\r
-+\r
-+ AP_INIT_TAKE1("KrbConstrainedDelegationLock", cmd_delegationlock, NULL,\r
-+ RSRC_CONF, "the filename of a lockfile used for inter-process synchronization"),\r
- #endif \r
- \r
- #ifdef KRB4\r
-@@ -293,6 +337,7 @@\r
- #endif\r
- #ifdef KRB5\r
- ((kerb_auth_config *)rec)->krb5_do_auth_to_local = 0;\r
-+ ((kerb_auth_config *)rec)->krb5_s4u2proxy = 0;\r
- ((kerb_auth_config *)rec)->krb_method_k5pass = 1;\r
- ((kerb_auth_config *)rec)->krb_method_gssapi = 1;\r
- #endif\r
-@@ -310,6 +355,24 @@\r
- return NULL;\r
- }\r
- \r
-+static const char *\r
-+cmd_delegationlock(cmd_parms *cmd, void *dconf, const char *a1)\r
-+{\r
-+ const char *error;\r
-+\r
-+ if ((error = ap_check_cmd_context(cmd, GLOBAL_ONLY)) != NULL)\r
-+ return error;\r
-+\r
-+ /* fixup the path, especially for s4u2proxylock_remove() */\r
-+ lockname = ap_server_root_relative(cmd->pool, a1);\r
-+\r
-+ if (!lockname) {\r
-+ return apr_pstrcat(cmd->pool, "Invalid KrbConstrainedDelegationLock path ", a1, NULL);\r
-+ }\r
-+\r
-+ return NULL;\r
-+}\r
-+\r
- static void\r
- log_rerror(const char *file, int line, int level, int status,\r
- const request_rec *r, const char *fmt, ...)\r
-@@ -1161,6 +1224,7 @@\r
- gss_buffer_desc token = GSS_C_EMPTY_BUFFER;\r
- OM_uint32 major_status, minor_status, minor_status2;\r
- gss_name_t server_name = GSS_C_NO_NAME;\r
-+ gss_cred_usage_t usage = GSS_C_ACCEPT;\r
- char buf[1024];\r
- int have_server_princ;\r
- \r
-@@ -1203,10 +1267,14 @@\r
- \r
- log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Acquiring creds for %s",\r
- token.value);\r
-+ if (conf->krb5_s4u2proxy) {\r
-+ usage = GSS_C_BOTH;\r
-+ obtain_server_credentials(r, conf->krb_service_name);\r
-+ }\r
- gss_release_buffer(&minor_status, &token);\r
- \r
- major_status = gss_acquire_cred(&minor_status, server_name, GSS_C_INDEFINITE,\r
-- GSS_C_NO_OID_SET, GSS_C_ACCEPT,\r
-+ GSS_C_NO_OID_SET, usage,\r
- server_creds, NULL, NULL);\r
- gss_release_name(&minor_status2, &server_name);\r
- if (GSS_ERROR(major_status)) {\r
-@@ -1248,6 +1316,305 @@\r
- }\r
- #endif\r
- \r
-+/* Renew the ticket if it will expire in under a minute */\r
-+#define RENEWAL_TIME 60\r
-+\r
-+/*\r
-+ * Services4U2Proxy lets a server prinicipal request another service\r
-+ * principal on behalf of a user. To do this the Apache service needs\r
-+ * to have its own ccache. This will ensure that the ccache has a valid\r
-+ * principal and will initialize or renew new credentials when needed.\r
-+ */\r
-+\r
-+static int\r
-+verify_server_credentials(request_rec *r,\r
-+ krb5_context kcontext,\r
-+ krb5_ccache ccache,\r
-+ krb5_principal princ,\r
-+ int *renew\r
-+)\r
-+{\r
-+ krb5_creds match_cred;\r
-+ krb5_creds creds;\r
-+ char * princ_name = NULL;\r
-+ char *tgs_princ_name = NULL;\r
-+ krb5_timestamp now;\r
-+ krb5_error_code kerr = 0;\r
-+\r
-+ *renew = 0;\r
-+\r
-+ memset (&match_cred, 0, sizeof(match_cred));\r
-+ memset (&creds, 0, sizeof(creds));\r
-+\r
-+ if (NULL == ccache || NULL == princ) {\r
-+ /* Nothing to verify */\r
-+ *renew = 1;\r
-+ goto cleanup;\r
-+ }\r
-+\r
-+ if ((kerr = krb5_unparse_name(kcontext, princ, &princ_name))) {\r
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,\r
-+ "Could not unparse principal %s (%d)",\r
-+ error_message(kerr), kerr);\r
-+ goto cleanup;\r
-+ }\r
-+\r
-+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,\r
-+ "Using principal %s for s4u2proxy", princ_name);\r
-+\r
-+#ifdef HEIMDAL\r
-+ tgs_princ_name = apr_psprintf(r->pool, "%s/%s@%s", KRB5_TGS_NAME,\r
-+ krb5_principal_get_realm(kcontext, princ),\r
-+ krb5_principal_get_realm(kcontext, princ));\r
-+#else\r
-+ tgs_princ_name = apr_psprintf(r->pool, "%s/%.*s@%.*s", KRB5_TGS_NAME,\r
-+ krb5_princ_realm(kcontext, princ)->length,\r
-+ krb5_princ_realm(kcontext, princ)->data,\r
-+ krb5_princ_realm(kcontext, princ)->length,\r
-+ krb5_princ_realm(kcontext, princ)->data);\r
-+#endif\r
-+\r
-+ if ((kerr = krb5_parse_name(kcontext, tgs_princ_name, &match_cred.server))) \r
-+ {\r
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,\r
-+ "Could not parse principal %s: %s (%d)",\r
-+ tgs_princ_name, error_message(kerr), kerr);\r
-+ goto cleanup;\r
-+ }\r
-+\r
-+ match_cred.client = princ;\r
-+\r
-+ if ((kerr = krb5_cc_retrieve_cred(kcontext, ccache, 0, &match_cred, &creds)))\r
-+ {\r
-+ krb5_unparse_name(kcontext, princ, &princ_name);\r
-+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,\r
-+ "Could not unparse principal %s: %s (%d)",\r
-+ princ_name, error_message(kerr), kerr);\r
-+ goto cleanup;\r
-+ }\r
-+\r
-+ if ((kerr = krb5_timeofday(kcontext, &now))) {\r
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,\r
-+ "Could not get current time: %d (%s)",\r
-+ kerr, error_message(kerr));\r
-+ goto cleanup;\r
-+ }\r
-+\r
-+ if (now > (creds.times.endtime + RENEWAL_TIME)) {\r
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,\r
-+ "Credentials for %s have expired or will soon "\r
-+ "expire - now %d endtime %d",\r
-+ princ_name, now, creds.times.endtime);\r
-+ *renew = 1;\r
-+ } else {\r
-+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,\r
-+ "Credentials for %s will expire at "\r
-+ "%d, it is now %d", princ_name, creds.times.endtime, now);\r
-+ }\r
-+\r
-+cleanup:\r
-+ /* Closing context, ccache, etc happens elsewhere */\r
-+ if (match_cred.server) {\r
-+ krb5_free_principal(kcontext, match_cred.server);\r
-+ }\r
-+ if (creds.client) {\r
-+ krb5_free_cred_contents(kcontext, &creds);\r
-+ }\r
-+\r
-+ return kerr;\r
-+}\r
-+\r
-+static int\r
-+obtain_server_credentials(request_rec *r,\r
-+ const char *service_name)\r
-+{\r
-+ krb5_context kcontext = NULL;\r
-+ krb5_keytab keytab = NULL;\r
-+ krb5_ccache ccache = NULL;\r
-+ char * princ_name = NULL;\r
-+ char *tgs_princ_name = NULL;\r
-+ krb5_error_code kerr = 0;\r
-+ krb5_principal princ = NULL;\r
-+ krb5_creds creds;\r
-+ krb5_get_init_creds_opt gicopts;\r
-+ int renew = 0;\r
-+ apr_status_t rv = 0;\r
-+\r
-+ memset(&creds, 0, sizeof(creds));\r
-+\r
-+ if ((kerr = krb5_init_context(&kcontext))) {\r
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,\r
-+ "Kerberos context initialization failed: %s (%d)", error_message(kerr), kerr);\r
-+ goto done;\r
-+ }\r
-+\r
-+ if ((kerr = krb5_cc_default(kcontext, &ccache))) {\r
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,\r
-+ "Could not get default Kerberos ccache: %s (%d)",\r
-+ error_message(kerr), kerr);\r
-+ goto done;\r
-+ }\r
-+\r
-+ if ((kerr = krb5_cc_get_principal(kcontext, ccache, &princ))) {\r
-+ char * name = NULL;\r
-+\r
-+ if ((asprintf(&name, "%s:%s", krb5_cc_get_type(kcontext, ccache),\r
-+ krb5_cc_get_name(kcontext, ccache))) == -1) {\r
-+ kerr = KRB5_CC_NOMEM;\r
-+ goto done;\r
-+ }\r
-+\r
-+ if (KRB5_FCC_NOFILE == kerr) {\r
-+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,\r
-+ "Credentials cache %s not found, create one", name);\r
-+ krb5_cc_close(kcontext, ccache);\r
-+ ccache = NULL;\r
-+ free(name);\r
-+ } else {\r
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,\r
-+ "Failure to open credentials cache %s: %s (%d)",\r
-+ name, error_message(kerr), kerr);\r
-+ free(name);\r
-+ goto done;\r
-+ }\r
-+ }\r
-+\r
-+ kerr = verify_server_credentials(r, kcontext, ccache, princ, &renew);\r
-+\r
-+ if (kerr || !renew) {\r
-+ goto done;\r
-+ }\r
-+\r
-+#ifdef STANDARD20_MODULE_STUFF\r
-+ if (s4u2proxy_lock) {\r
-+ rv = apr_global_mutex_lock(s4u2proxy_lock);\r
-+ if (rv != APR_SUCCESS) {\r
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,\r
-+ "apr_global_mutex_lock(s4u2proxy_lock) "\r
-+ "failed");\r
-+ }\r
-+ }\r
-+#endif\r
-+\r
-+ /* We have the lock, check again to be sure another process hasn't already\r
-+ * renewed the ticket.\r
-+ */\r
-+ kerr = verify_server_credentials(r, kcontext, ccache, princ, &renew);\r
-+ if (kerr || !renew) {\r
-+ goto unlock;\r
-+ }\r
-+\r
-+ if (NULL == princ) {\r
-+ princ_name = apr_psprintf(r->pool, "%s/%s",\r
-+ (service_name) ? service_name : SERVICE_NAME,\r
-+ ap_get_server_name(r));\r
-+\r
-+ if ((kerr = krb5_parse_name(kcontext, princ_name, &princ))) {\r
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,\r
-+ "Could not parse principal %s: %s (%d) ",\r
-+ princ_name, error_message(kerr), kerr);\r
-+ goto unlock;\r
-+ }\r
-+ } else if (NULL == princ_name) {\r
-+ if ((kerr = krb5_unparse_name(kcontext, princ, &princ_name))) {\r
-+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,\r
-+ "Could not unparse principal %s: %s (%d)",\r
-+ princ_name, error_message(kerr), kerr);\r
-+ goto unlock;\r
-+ }\r
-+ }\r
-+\r
-+ if ((kerr = krb5_kt_default(kcontext, &keytab))) {\r
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,\r
-+ "Unable to get default keytab: %s (%d)",\r
-+ error_message(kerr), kerr);\r
-+ goto unlock;\r
-+ }\r
-+\r
-+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,\r
-+ "Obtaining new credentials for %s", princ_name);\r
-+ krb5_get_init_creds_opt_init(&gicopts);\r
-+ krb5_get_init_creds_opt_set_forwardable(&gicopts, 1);\r
-+\r
-+#ifdef HEIMDAL\r
-+ tgs_princ_name = apr_psprintf(r->pool, "%s/%s@%s", KRB5_TGS_NAME,\r
-+ krb5_principal_get_realm(kcontext, princ),\r
-+ krb5_principal_get_realm(kcontext, princ));\r
-+#else\r
-+ tgs_princ_name = apr_psprintf(r->pool, "%s/%.*s@%.*s", KRB5_TGS_NAME,\r
-+ krb5_princ_realm(kcontext, princ)->length,\r
-+ krb5_princ_realm(kcontext, princ)->data,\r
-+ krb5_princ_realm(kcontext, princ)->length,\r
-+ krb5_princ_realm(kcontext, princ)->data);\r
-+#endif\r
-+\r
-+ if ((kerr = krb5_get_init_creds_keytab(kcontext, &creds, princ, keytab,\r
-+ 0, tgs_princ_name, &gicopts))) {\r
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,\r
-+ "Failed to obtain credentials for principal %s: "\r
-+ "%s (%d)", princ_name, error_message(kerr), kerr);\r
-+ goto unlock;\r
-+ }\r
-+\r
-+ krb5_kt_close(kcontext, keytab);\r
-+ keytab = NULL;\r
-+\r
-+ if (NULL == ccache) {\r
-+ if ((kerr = krb5_cc_default(kcontext, &ccache))) {\r
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,\r
-+ "Failed to open default ccache: %s (%d)",\r
-+ error_message(kerr), kerr);\r
-+ goto unlock;\r
-+ }\r
-+ }\r
-+\r
-+ if ((kerr = krb5_cc_initialize(kcontext, ccache, princ))) {\r
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,\r
-+ "Failed to initialize ccache for %s: %s (%d)",\r
-+ princ_name, error_message(kerr), kerr);\r
-+ goto unlock;\r
-+ }\r
-+\r
-+ if ((kerr = krb5_cc_store_cred(kcontext, ccache, &creds))) {\r
-+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,\r
-+ "Failed to store %s in ccache: %s (%d)",\r
-+ princ_name, error_message(kerr), kerr);\r
-+ goto unlock;\r
-+ }\r
-+\r
-+unlock:\r
-+#ifdef STANDARD20_MODULE_STUFF\r
-+ if (s4u2proxy_lock) {\r
-+ apr_global_mutex_unlock(s4u2proxy_lock);\r
-+ if (rv != APR_SUCCESS) {\r
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,\r
-+ "apr_global_mutex_unlock(s4u2proxy_lock) "\r
-+ "failed");\r
-+ }\r
-+ }\r
-+#endif\r
-+\r
-+done:\r
-+ if (0 == kerr)\r
-+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,\r
-+ "Done obtaining credentials for s4u2proxy");\r
-+ else\r
-+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,\r
-+ "Failed to obtain credentials for s4u2proxy");\r
-+\r
-+ if (creds.client) {\r
-+ krb5_free_cred_contents(kcontext, &creds);\r
-+ }\r
-+ if (ccache) {\r
-+ krb5_cc_close(kcontext, ccache);\r
-+ }\r
-+ if (kcontext) {\r
-+ krb5_free_context(kcontext);\r
-+ }\r
-+\r
-+ return kerr;\r
-+}\r
-+\r
- static int\r
- authenticate_user_gss(request_rec *r, kerb_auth_config *conf,\r
- const char *auth_line, char **negotiate_ret_value)\r
-@@ -1688,10 +2055,60 @@\r
- /*************************************************************************** \r
- Module Setup/Configuration\r
- ***************************************************************************/\r
-+#ifdef STANDARD20_MODULE_STUFF\r
-+static apr_status_t\r
-+s4u2proxylock_create(server_rec *s, apr_pool_t *p)\r
-+{\r
-+ apr_status_t rc;\r
-+\r
-+ /* only operate if a lockfile is used */\r
-+ if (lockname == NULL || *(lockname) == '\0') {\r
-+ return APR_SUCCESS;\r
-+ }\r
-+\r
-+ /* create the lockfile */\r
-+ rc = apr_global_mutex_create(&s4u2proxy_lock, lockname,\r
-+ APR_LOCK_DEFAULT, p);\r
-+ if (rc != APR_SUCCESS) {\r
-+ ap_log_error(APLOG_MARK, APLOG_CRIT, rc, s,\r
-+ "Parent could not create lock file %s", lockname);\r
-+ return rc;\r
-+ }\r
-+\r
-+#ifdef AP_NEED_SET_MUTEX_PERMS\r
-+ rc = unixd_set_global_mutex_perms(s4u2proxy_lock);\r
-+ if (rc != APR_SUCCESS) {\r
-+ ap_log_error(APLOG_MARK, APLOG_CRIT, rc, s,\r
-+ "mod_auth_kerb: Parent could not set permissions "\r
-+ "on lock; check User and Group directives");\r
-+ return rc;\r
-+ }\r
-+#endif\r
-+\r
-+ return APR_SUCCESS;\r
-+}\r
-+\r
-+static apr_status_t\r
-+s4u2proxylock_remove(void *unused)\r
-+{\r
-+ /* only operate if a lockfile is used */\r
-+ if (lockname == NULL || *(lockname) == '\0') {\r
-+ return APR_SUCCESS;\r
-+ }\r
-+\r
-+ /* destroy the rewritelock */\r
-+ apr_global_mutex_destroy(s4u2proxy_lock);\r
-+ s4u2proxy_lock = NULL;\r
-+ lockname = NULL;\r
-+ return APR_SUCCESS;\r
-+}\r
-+#endif\r
-+\r
- #ifndef STANDARD20_MODULE_STUFF\r
- static void\r
- kerb_module_init(server_rec *dummy, pool *p)\r
- {\r
-+ apr_status_t status;\r
- #ifndef HEIMDAL\r
- /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later.\r
- 1.3.x are covered by the hack overiding the replay calls */\r
-@@ -1732,6 +2149,7 @@\r
- kerb_init_handler(apr_pool_t *p, apr_pool_t *plog,\r
- apr_pool_t *ptemp, server_rec *s)\r
- {\r
-+ apr_status_t rv;\r
- ap_add_version_component(p, "mod_auth_kerb/" MODAUTHKERB_VERSION);\r
- #ifndef HEIMDAL\r
- /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later.\r
-@@ -1739,14 +2157,41 @@\r
- if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none"))\r
- putenv(strdup("KRB5RCACHETYPE=none"));\r
- #endif\r
-+#ifdef STANDARD20_MODULE_STUFF\r
-+ rv = s4u2proxylock_create(s, p);\r
-+ if (rv != APR_SUCCESS) {\r
-+ return HTTP_INTERNAL_SERVER_ERROR;\r
-+ }\r
-+\r
-+ apr_pool_cleanup_register(p, (void *)s, s4u2proxylock_remove,\r
-+ apr_pool_cleanup_null);\r
-+#endif\r
- \r
- return OK;\r
- }\r
- \r
- static void\r
-+initialize_child(apr_pool_t *p, server_rec *s)\r
-+{\r
-+ apr_status_t rv = 0;\r
-+\r
-+#ifdef STANDARD20_MODULE_STUFF\r
-+ if (lockname != NULL && *(lockname) != '\0') {\r
-+ rv = apr_global_mutex_child_init(&s4u2proxy_lock, lockname, p);\r
-+ if (rv != APR_SUCCESS) {\r
-+ ap_log_error(APLOG_MARK, APLOG_CRIT, rv, s,\r
-+ "mod_auth_kerb: could not init s4u2proxy_lock"\r
-+ " in child");\r
-+ }\r
-+ }\r
-+#endif\r
-+}\r
-+\r
-+static void\r
- kerb_register_hooks(apr_pool_t *p)\r
- {\r
- ap_hook_post_config(kerb_init_handler, NULL, NULL, APR_HOOK_MIDDLE);\r
-+ ap_hook_child_init(initialize_child, NULL, NULL, APR_HOOK_MIDDLE);\r
- ap_hook_check_user_id(kerb_authenticate_user, NULL, NULL, APR_HOOK_MIDDLE);\r
- }\r
- \r
Add S4U2Proxy feature:
-https://sourceforge.net/mailarchive/forum.php?thread_name=4EE665D1.3000308%40redhat.com&forum_name=modauthkerb-help
+http://sourceforge.net/mailarchive/forum.php?thread_name=4EE665D1.3000308%40redhat.com&forum_name=modauthkerb-help
The attached patches add support for using s4u2proxy
(http://k5wiki.kerberos.org/wiki/Projects/Services4User) to allow the
I've added a new module option to enable this support,
KrbConstrainedDelegation. The default is off.
+diff -up --recursive mod_auth_kerb-5.4.orig/README mod_auth_kerb-5.4/README
--- mod_auth_kerb-5.4.orig/README 2008-11-26 11:51:05.000000000 -0500
-+++ mod_auth_kerb-5.4/README 2012-01-04 11:17:22.000000000 -0500
-@@ -122,4 +122,16 @@ KrbSaveCredentials, the tickets will be
++++ mod_auth_kerb-5.4/README 2014-01-21 13:46:21.482223432 -0500
+@@ -122,4 +122,16 @@ KrbSaveCredentials, the tickets will be
credential cache that will be available for the request handler. The ticket
file will be removed after request is handled.
+
+The module itself will obtain and manage the necessary credentials.
+
- $Id$
+ $Id: README,v 1.12 2008/09/17 14:01:55 baalberith Exp $
diff -up --recursive mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c mod_auth_kerb-5.4/src/mod_auth_kerb.c
---- mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c 2011-12-09 17:55:05.000000000 -0500
-+++ mod_auth_kerb-5.4/src/mod_auth_kerb.c 2012-03-01 14:19:40.000000000 -0500
+--- mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c 2014-01-21 13:45:21.605538007 -0500
++++ mod_auth_kerb-5.4/src/mod_auth_kerb.c 2014-01-21 13:46:46.746668762 -0500
@@ -42,6 +42,31 @@
* POSSIBILITY OF SUCH DAMAGE.
*/
+ * Copyright (C) 2012 Red Hat
+ */
+
- #ident "$Id$"
+ #ident "$Id: mod_auth_kerb.c,v 1.150 2008/12/04 10:14:03 baalberith Exp $"
#include "config.h"
@@ -49,6 +74,7 @@
server_creds, NULL, NULL);
gss_release_name(&minor_status2, &server_name);
if (GSS_ERROR(major_status)) {
-@@ -1257,6 +1325,293 @@ cmp_gss_type(gss_buffer_t token, gss_OID
+@@ -1257,6 +1325,302 @@ cmp_gss_type(gss_buffer_t token, gss_OID
}
#endif
+ }
+
+ if (NULL == princ) {
-+ princ_name = apr_psprintf(r->pool, "%s/%s",
-+ (service_name) ? service_name : SERVICE_NAME,
-+ ap_get_server_name(r));
-+
-+ if ((kerr = krb5_parse_name(kcontext, princ_name, &princ))) {
++ if (strchr(service_name, '/') != NULL)
++ kerr = krb5_parse_name(kcontext, service_name, &princ);
++ else
++ kerr = krb5_sname_to_principal(kcontext, ap_get_server_name(r),
++ (service_name) ? service_name : SERVICE_NAME,
++ KRB5_NT_SRV_HST, &princ);
++
++ if (kerr) {
+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "Could not parse principal %s: %s (%d) ",
-+ princ_name, error_message(kerr), kerr);
++ "Could not parse principal: %s (%d) ",
++ error_message(kerr), kerr);
+ goto unlock;
+ }
++
++ if ((kerr = krb5_unparse_name(kcontext, princ, &princ_name))) {
++ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++ "Could not unparse principal %s: %s (%d)",
++ princ_name, error_message(kerr), kerr);
++ }
+ } else if (NULL == princ_name) {
+ if ((kerr = krb5_unparse_name(kcontext, princ, &princ_name))) {
+ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
static int
authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
const char *auth_line, char **negotiate_ret_value)
-@@ -1697,10 +2052,60 @@ have_rcache_type(const char *type)
+@@ -1697,10 +2061,60 @@ have_rcache_type(const char *type)
/***************************************************************************
Module Setup/Configuration
***************************************************************************/
#ifndef HEIMDAL
/* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later.
1.3.x are covered by the hack overiding the replay calls */
-@@ -1741,6 +2146,7 @@ static int
+@@ -1741,6 +2155,7 @@ static int
kerb_init_handler(apr_pool_t *p, apr_pool_t *plog,
apr_pool_t *ptemp, server_rec *s)
{
ap_add_version_component(p, "mod_auth_kerb/" MODAUTHKERB_VERSION);
#ifndef HEIMDAL
/* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later.
-@@ -1748,14 +2154,41 @@ kerb_init_handler(apr_pool_t *p, apr_poo
+@@ -1748,14 +2163,41 @@ kerb_init_handler(apr_pool_t *p, apr_poo
if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none"))
putenv(strdup("KRB5RCACHETYPE=none"));
#endif