Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Leap:42.3
apache2-mod_auth_kerb
mod_auth_kerb.apache22+.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File mod_auth_kerb.apache22+.patch of Package apache2-mod_auth_kerb
diff -rNU 20 ../mod_auth_kerb-5.4-o/src/mod_auth_kerb.c ./src/mod_auth_kerb.c --- ../mod_auth_kerb-5.4-o/src/mod_auth_kerb.c 2014-03-28 13:57:41.000000000 +0100 +++ ./src/mod_auth_kerb.c 2014-03-28 13:56:21.000000000 +0100 @@ -45,40 +45,42 @@ #ident "$Id: mod_auth_kerb.c,v 1.150 2008/12/04 10:14:03 baalberith Exp $" #include "config.h" #include <stdlib.h> #include <stdio.h> #include <stdarg.h> #define MODAUTHKERB_VERSION "5.4" #define MECH_NEGOTIATE "Negotiate" #define SERVICE_NAME "HTTP" #include <httpd.h> #include <http_config.h> #include <http_core.h> #include <http_log.h> #include <http_protocol.h> #include <http_request.h> +#include "mod_auth.h" + #ifdef STANDARD20_MODULE_STUFF #include <apr_strings.h> #include <apr_base64.h> #else #define apr_pstrdup ap_pstrdup #define apr_psprintf ap_psprintf #define apr_pstrcat ap_pstrcat #define apr_pcalloc ap_pcalloc #define apr_table_setn ap_table_setn #define apr_table_add ap_table_add #define apr_base64_decode_len ap_base64decode_len #define apr_base64_decode ap_base64decode #define apr_base64_encode_len ap_base64encode_len #define apr_base64_encode ap_base64encode #define apr_pool_cleanup_null ap_null_cleanup #define apr_pool_cleanup_register ap_register_cleanup #endif /* STANDARD20_MODULE_STUFF */ #ifdef _WIN32 #define vsnprintf _vsnprintf @@ -1819,38 +1821,199 @@ NULL, /* EAPI: rewrite_command */ NULL /* EAPI: new_connection */ #endif }; #else static int kerb_init_handler(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s) { ap_add_version_component(p, "mod_auth_kerb/" MODAUTHKERB_VERSION); #ifndef HEIMDAL /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later. 1.3.x are covered by the hack overiding the replay calls */ if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none")) putenv(strdup("KRB5RCACHETYPE=none")); #endif return OK; } +static authn_status authenticate_user_krb5pwd22(request_rec *r, const char *sent_name, + const char *sent_pw) +{ + const char *realms = NULL; + const char *realm = NULL; + krb5_context kcontext = NULL; + krb5_error_code code; + krb5_principal client = NULL; + krb5_principal server = NULL; + krb5_ccache ccache = NULL; + krb5_keytab keytab = NULL; + int ret; + char *name = NULL; + int all_principals_unkown; + char *p = NULL; + + kerb_auth_config *conf = + (kerb_auth_config *) ap_get_module_config(r->per_dir_config, + &auth_kerb_module); + + + code = krb5_init_context(&kcontext); + if (code) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Cannot initialize Kerberos5 context (%d)", code); + return AUTH_GENERAL_ERROR; + } + + if (sent_pw == NULL || *sent_pw == '\0') { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "empty passwords are not accepted"); + ret = AUTH_DENIED; + goto end; + } + + if (conf->krb_5_keytab) + krb5_kt_resolve(kcontext, conf->krb_5_keytab, &keytab); + + if (conf->krb_service_name && strchr(conf->krb_service_name, '/') != NULL) + ret = krb5_parse_name (kcontext, conf->krb_service_name, &server); + else + ret = krb5_sname_to_principal(kcontext, ap_get_server_name(r), + (conf->krb_service_name) ? conf->krb_service_name : SERVICE_NAME, + KRB5_NT_SRV_HST, &server); + + if (ret) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Error parsing server name (%s): %s", + (conf->krb_service_name) ? conf->krb_service_name : SERVICE_NAME, + krb5_get_err_text(kcontext, ret)); + ret = AUTH_DENIED; + goto end; + } + + code = krb5_unparse_name(kcontext, server, &name); + if (code) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "krb5_unparse_name() failed: %s", + krb5_get_err_text(kcontext, code)); + ret = AUTH_DENIED; + goto end; + } + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Using %s as server principal for password verification", name); + free(name); + name = NULL; + + p = strchr(sent_name, '@'); + if (p) { + *p++ = '\0'; + if (conf->krb_auth_realms && !ap_find_token(r->pool, conf->krb_auth_realms, p)) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Specified realm `%s' not allowed by configuration", p); + ret = AUTH_DENIED; + goto end; + } + } + + realms = (p) ? p : conf->krb_auth_realms; + all_principals_unkown = 1; + do { + name = (char *) sent_name; + if (realms && (realm = ap_getword_white(r->pool, &realms))) + name = apr_psprintf(r->pool, "%s@%s", sent_name, realm); + + if (client) { + krb5_free_principal(kcontext, client); + client = NULL; + } + + code = krb5_parse_name(kcontext, name, &client); + if (code) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "krb5_parse_name() failed: %s", + krb5_get_err_text(kcontext, code)); + continue; + } + + code = verify_krb5_user(r, kcontext, client, sent_pw, + server, keytab, conf->krb_verify_kdc, conf->krb_service_name, &ccache); + if (code == 0) + break; + + /* ap_getword_white() used above shifts the parameter, so it's not + needed to touch the realms variable */ + } while (realms && *realms); + + memset((char *)sent_pw, 0, strlen(sent_pw)); + + if (code) { + if (all_principals_unkown == 1 && code == KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN) + ret = AUTH_USER_NOT_FOUND; + else + ret = AUTH_DENIED; + + goto end; + } + + code = krb5_unparse_name(kcontext, client, &name); + if (code) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "krb5_unparse_name() failed: %s", + krb5_get_err_text(kcontext, code)); + ret = AUTH_DENIED; + goto end; + } + MK_USER = apr_pstrdup (r->pool, name); + MK_AUTH_TYPE = "Basic"; + free(name); + + if (conf->krb_save_credentials) + store_krb5_creds(kcontext, r, conf, ccache); + + ret = AUTH_GRANTED; + +end: + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "kerb_authenticate_user_krb5pwd22 ret=%d user=%s authtype=%s", + ret, (MK_USER)?MK_USER:"(NULL)", (MK_AUTH_TYPE)?MK_AUTH_TYPE:"(NULL)"); + if (client) + krb5_free_principal(kcontext, client); + if (server) + krb5_free_principal(kcontext, server); + if (ccache) + krb5_cc_destroy(kcontext, ccache); + if (keytab) + krb5_kt_close(kcontext, keytab); + krb5_free_context(kcontext); + + return ret; + +} + +static const authn_provider authn_kerberos_provider = +{ + &authenticate_user_krb5pwd22, + NULL +}; + + + static void kerb_register_hooks(apr_pool_t *p) { ap_hook_post_config(kerb_init_handler, NULL, NULL, APR_HOOK_MIDDLE); ap_hook_check_user_id(kerb_authenticate_user, NULL, NULL, APR_HOOK_MIDDLE); + ap_register_provider(p, AUTHN_PROVIDER_GROUP, "kerberos", "0", + &authn_kerberos_provider); } module AP_MODULE_DECLARE_DATA auth_kerb_module = { STANDARD20_MODULE_STUFF, kerb_dir_create_config, /* create per-dir conf structures */ NULL, /* merge per-dir conf structures */ NULL, /* create per-server conf structures */ NULL, /* merge per-server conf structures */ kerb_auth_cmds, /* table of configuration directives */ kerb_register_hooks /* register hooks */ }; #endif
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
