openSUSE:Backports:SLE-15-SP6:Update
File 0107-Always-use-NONE-replay-cache-type.patch of Package apache2-mod_auth_kerb
From: Sam Hartman <hartmans@debian.org> Date: Mon, 23 Nov 2020 09:30:22 -0500 Subject: Always use NONE replay cache type It's 2020. Any MIT Kerberos in the wild supports the none replay cache type. The previous code used an internal function to detect that replay cache type; that function is no longer available. Instead, assume it is present. An alternative would be to enable the default replay cache. It was originally disabled because of problems between Microsoft authenticators and 2004-era MIT Kerberos 1.3. That's probably a good idea. It probably closes off security attacks, although analyzing the impact of replays in cases where neither channel binding nor per-message services are used is difficult. I believe that a replay cache is not strictly necessary in the common configuration where mod-auth-kerb is used over a TLS-protected connection where the client properly verifies the TLS certificate presented by the server prior to sending a GSS token. I have elected not to enable replay cache to affect a minimal change. --- src/mod_auth_kerb.c | 23 +---------------------- 1 file changed, 1 insertion(+), 22 deletions(-) diff --git a/src/mod_auth_kerb.c b/src/mod_auth_kerb.c index 844ead0..979fdda 100644 --- a/src/mod_auth_kerb.c +++ b/src/mod_auth_kerb.c @@ -2091,28 +2091,6 @@ kerb_authenticate_user(request_rec *r) return ret; } -int -have_rcache_type(const char *type) -{ - krb5_error_code ret; - krb5_context context; - krb5_rcache id = NULL; - int found; - - ret = krb5_init_context(&context); - if (ret) - return 0; - - ret = krb5_rc_resolve_full(context, &id, "none:"); - found = (ret == 0); - - if (ret == 0) - krb5_rc_destroy(context, id); - krb5_free_context(context); - - return found; -} - /*************************************************************************** Module Setup/Configuration ***************************************************************************/ 
@@ -2173,7 +2151,7 @@ kerb_module_init(server_rec *dummy, pool *p) #ifndef HEIMDAL /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later. 1.3.x are covered by the hack overiding the replay calls */ - if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none")) + if (getenv("KRB5RCACHETYPE") == NULL ) putenv(strdup("KRB5RCACHETYPE=none")); #endif } @@ -2215,7 +2193,7 @@ kerb_init_handler(apr_pool_t *p, apr_pool_t *plog, #ifndef HEIMDAL /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later. 1.3.x are covered by the hack overiding the replay calls */ - if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none")) + if (getenv("KRB5RCACHETYPE") == NULL) putenv(strdup("KRB5RCACHETYPE=none")); #endif #ifdef STANDARD20_MODULE_STUFF -- 2.35.1
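Review bot: with have_rcache_type() removed in the first hunk, nothing in the module confirms at runtime that the "none" replay cache type exists, and the patch does not say what the library does with an unrecognised KRB5RCACHETYPE value. The commit message asserts universal support but the hunk leaves no record of the minimum MIT Kerberos version that assumption relies on; suggest stating that minimum version in the commit message or in the comment above the putenv() calls so packagers backporting to older krb5 can tell whether the assumption holds. Minor: the removed helper ignored its `type` argument and always resolved `"none:"`, so the old call `have_rcache_type("none")` was already a fixed check, which supports deleting it rather than rewriting it.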
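Review bot: stray space in `if (getenv("KRB5RCACHETYPE") == NULL )` in kerb_module_init (second hunk); the same condition in kerb_init_handler in the third hunk is written `== NULL)`, so the two should match. The surrounding comment ("Requires MIT Kerberos 1.4.0 or later. 1.3.x are covered by the hack overiding the replay calls") is now stale, since the runtime probe that justified it was removed in the first hunk; update it, and fix "overiding", in the same change rather than leaving a comment that describes logic no longer present.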
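Review bot: the third hunk is the second copy of the same putenv() block (kerb_module_init above, kerb_init_handler here), and both now unconditionally disable the MIT replay cache for the whole httpd process whenever KRB5RCACHETYPE is unset, not only for this module. The commit message itself says enabling the default replay cache "is probably a good idea" and justifies leaving it off only for deployments where the client verifies the server's TLS certificate before sending a GSS token; that deployment assumption should be documented for administrators, along with the fact that setting KRB5RCACHETYPE in httpd's environment is the only way to get replay detection back, since the putenv() runs only when the variable is absent. Consider hoisting the duplicated block into one helper so the two call sites cannot drift apart again.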