File cups-2.2.7-web-ui-kerberos-authentication.patch of Package cups.30568
From c53e227ad30ab8d8dc53ce495969ae2f9f343770 Mon Sep 17 00:00:00 2001 From: Michael R Sweet <michael.r.sweet@gmail.com> Date: Wed, 11 Apr 2018 13:10:24 -0400 Subject: [PATCH 1/5] Fix a parsing bug in the new authentication code. (cherry picked from commit 44cb0dd233921557c0db586072b2bcb46ca8a16f) --- cups/auth.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cups/auth.c b/cups/auth.c index 4c38c9bb3..effbd159b 100644 --- a/cups/auth.c +++ b/cups/auth.c @@ -218,7 +218,7 @@ cupsDoAuthentication( if (!cg->lang_default) cg->lang_default = cupsLangDefault(); - if (cups_auth_param(scheme, "username", default_username, sizeof(default_username))) + if (cups_auth_param(schemedata, "username", default_username, sizeof(default_username))) cupsSetUser(default_username); snprintf(prompt, sizeof(prompt), _cupsLangString(cg->lang_default, _("Password for %s on %s? ")), cupsUser(), http->hostname[0] == '/' ? "localhost" : http->hostname); @@ -801,7 +801,7 @@ cups_auth_scheme(const char *www_authenticate, /* I - Pointer into WWW-Authentic * Parse the scheme name or param="value" string... */ - for (sptr = scheme, start = www_authenticate, param = 0; *www_authenticate && !isspace(*www_authenticate & 255); www_authenticate ++) + for (sptr = scheme, start = www_authenticate, param = 0; *www_authenticate && *www_authenticate != ',' && !isspace(*www_authenticate & 255); www_authenticate ++) { if (*www_authenticate == '=') param = 1; -- 2.29.2 From 4103b5d826e317741282a229f72350b571db292b Mon Sep 17 00:00:00 2001 From: Samuel Cabrero <scabrero@suse.de> Date: Mon, 26 Oct 2020 17:35:22 +0100 Subject: [PATCH 2/5] Avoid infinite loop in admin.cgi when negotiate is used SetAuthorizationString with NULL argument sets an empty string. Related: #5596 Signed-off-by: Samuel Cabrero <scabrero@suse.de> --- cups/auth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cups/auth.c b/cups/auth.c index effbd159b..3785e6d13 100644 --- a/cups/auth.c 
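Review bot: The `username` value read in the `@@ -218,7 +218,7` hunk (patch 1/5) goes straight into `cupsSetUser()` with nothing marking it as untrusted, although `schemedata` presumably holds the parameters of the server's WWW-Authenticate challenge. Now that the lookup works, a server-chosen name becomes the default user and appears in the password prompt built on the next line. Suggest a comment at the call such as `/* "username" comes from the server's challenge (untrusted); it becomes the default user for the prompt below */`. Whether `cupsSetUser()` also affects later requests is not visible here and should be confirmed. cupsDoAuthentication's body starts and ends outside the hunk.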
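Review bot: The comment above the loop in the `@@ -801,7 +801,7` hunk (patch 1/5) still reads as if only whitespace ends a token, while the new condition also stops at `,`. Suggest updating it to `* Parse the scheme name or param="value" string; whitespace or ',' ends the token...`. The loop header shown places no bound on `sptr` relative to the `scheme` buffer. That check is presumably in the loop body, which continues outside the hunk, and is worth confirming because the header text is supplied by the server.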
+++ b/cups/auth.c @@ -387,7 +387,7 @@ cupsDoAuthentication( } } - if (http->authstring) + if (http->authstring && http->authstring[0]) { DEBUG_printf(("1cupsDoAuthentication: authstring=\"%s\"", http->authstring)); -- 2.29.2 From b5a3a71b1db62024cb46a9edefdaaf8ce42c2891 Mon Sep 17 00:00:00 2001 From: Samuel Cabrero <scabrero@suse.de> Date: Tue, 27 Oct 2020 16:11:41 +0100 Subject: [PATCH 3/5] Add cups_is_local_connection() to check if connection is to localhost Related: #5596 Signed-off-by: Samuel Cabrero <scabrero@suse.de> --- cups/auth.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/cups/auth.c b/cups/auth.c index 3785e6d13..ca90f3592 100644 --- a/cups/auth.c +++ b/cups/auth.c @@ -97,6 +97,7 @@ static void cups_gss_printf(OM_uint32 major_status, OM_uint32 minor_status, # define cups_gss_printf(major, minor, message) # endif /* DEBUG */ #endif /* HAVE_GSSAPI */ +static int cups_is_local_connection(http_t *http); static int cups_local_auth(http_t *http); @@ -1000,6 +1001,14 @@ cups_gss_printf(OM_uint32 major_status,/* I - Major status code */ # endif /* DEBUG */ #endif /* HAVE_GSSAPI */ +static int /* O - 0 if not a local connection */ + /* 1 if local connection */ +cups_is_local_connection(http_t *http) /* I - HTTP connection to server */ +{ + if (!httpAddrLocalhost(http->hostaddr) && _cups_strcasecmp(http->hostname, "localhost") != 0) + return 0; + return 1; +} /* * 'cups_local_auth()' - Get the local authorization certificate if @@ -1042,7 +1051,7 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */ * See if we are accessing localhost... */ - if (!httpAddrLocalhost(http->hostaddr) && _cups_strcasecmp(http->hostname, "localhost") != 0) + if (!cups_is_local_connection(http)) { DEBUG_puts("8cups_local_auth: Not a local connection!"); return (1); -- 2.29.2 From b7e0e1ad62c03a45fd15a74fcd9c5ce65c773d5f Mon Sep 17 00:00:00 2001 
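Review bot: The added `http->authstring[0]` test in the `@@ -387,7 +387,7` hunk (patch 2/5) has no comment saying why an empty string must count as "no credentials"; the reason is given only in the commit message. Suggest adding above the `if`: `/* Clearing the auth string leaves "" rather than NULL, so test for content as well */`. The path taken when the string is empty lies outside the hunk, so confirm it ends the retry rather than re-entering it.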
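Review bot: `cups_is_local_connection()` in the `@@ -1000,6 +1001,14` hunk (patch 3/5) is added without the kind of header comment that `cups_local_auth()` directly below it has, and nothing states that a hostname match alone makes a connection count as local. Suggest a block in the file's style, `/* 'cups_is_local_connection()' - Check whether the connection is to localhost. */`. It should note that the result is 1 when either `httpAddrLocalhost(http->hostaddr)` is true or `http->hostname` equals "localhost" case-insensitively. Because the helper gates an authentication decision in `cups_local_auth()`, the comment should also say what is returned when `http->hostaddr` is NULL; that depends on `httpAddrLocalhost()` and is not visible here. For consistency with the surrounding code, write `return (0);` and `return (1);`, and leave a blank line before the next comment block.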
From: Samuel Cabrero <scabrero@suse.de> Date: Tue, 27 Oct 2020 16:23:30 +0100 Subject: [PATCH 4/5] Try local kerberos ccache credentials only for remote servers If connecting to localhost then proceed to ask the client for the authorization using cupsGetPassword2. The get password callback will return 401 to the client with WWW-Authenticate: Negotiate. Fixes: #5596 Signed-off-by: Samuel Cabrero <scabrero@suse.de> --- cups/auth.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/cups/auth.c b/cups/auth.c index ca90f3592..3218919ce 100644 --- a/cups/auth.c +++ b/cups/auth.c @@ -182,10 +182,10 @@ cupsDoAuthentication( */ #ifdef HAVE_GSSAPI - if (!_cups_strcasecmp(scheme, "Negotiate")) + if (!_cups_strcasecmp(scheme, "Negotiate") && !cups_is_local_connection(http)) { /* - * Kerberos authentication... + * Kerberos authentication to remote server... */ if (_cupsSetNegotiateAuthString(http, method, resource)) @@ -198,14 +198,16 @@ cupsDoAuthentication( } else #endif /* HAVE_GSSAPI */ - if (_cups_strcasecmp(scheme, "Basic") && _cups_strcasecmp(scheme, "Digest")) + if (_cups_strcasecmp(scheme, "Basic") && + _cups_strcasecmp(scheme, "Digest") && + _cups_strcasecmp(scheme, "Negotiate")) continue; /* Not supported (yet) */ /* * See if we should retry the current username:password... */ - if ((http->digest_tries > 1 || !http->userpass[0]) && (!_cups_strcasecmp(scheme, "Basic") || (!_cups_strcasecmp(scheme, "Digest")))) + if (http->digest_tries > 1 || !http->userpass[0]) { /* * Nope - get a new password from the user... -- 2.29.2 From 2cab166b55726b55054367e26e7832418ae3f8f0 Mon Sep 17 00:00:00 2001 
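Review bot: In the `@@ -198,14 +198,16` hunk (patch 4/5), the added `_cups_strcasecmp(scheme, "Negotiate")` test sits after `#endif /* HAVE_GSSAPI */`, so a build without GSSAPI no longer skips a Negotiate challenge. It falls through to the password prompt instead, for remote servers as well. The retry condition in the same hunk also loses its Basic/Digest restriction, so a server that offers only Negotiate can now cause a password to be requested. What is then done with that password is outside the hunk. Consider keeping the exemption inside the GSSAPI build, where the preceding `else` means only local Negotiate challenges reach this test, as sketched below. cupsDoAuthentication's body starts and ends outside the hunk.

```c
    else
#endif /* HAVE_GSSAPI */
    if (_cups_strcasecmp(scheme, "Basic") &&
        _cups_strcasecmp(scheme, "Digest")
#ifdef HAVE_GSSAPI
        /* Local Negotiate only; remote Negotiate is handled above */
        && _cups_strcasecmp(scheme, "Negotiate")
#endif /* HAVE_GSSAPI */
       )
      continue;				/* Not supported (yet) */
    /* … unchanged: retry check and password prompt … */
```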
From: Samuel Cabrero <scabrero@suse.de> Date: Tue, 27 Oct 2020 16:18:03 +0100 Subject: [PATCH 5/5] Allow Local authentication for Negotiate PeerCred is also possible if address family is AF_LOCAL. This will allow the CGI programs to generate the authorization from the local certificates based on PID also when Negotiate is used for local connections: Client CGI Browser <- Remote conn -> admin.cgi <--- Localhost conn ---> Scheduler | | | + --- HTTP/POST /admin/ --> | | | + --- CUPS-Get-Devices ------------> | | | | | | <-- 401 Unauthorized --------------+ | | WWW-Authenticate: | | | Negotiate, (PeerCred,) Local | | | | | <-- 401 Unauthorized -----+ | | WWW-Authenticate: | | | Negotiate | | | | | | --- HTTP/POST /admin/ --> | | | Authorization: + --- IPP CUPS-GetDevices ---------> | | Negotiate | Authorization: Local <cert> | | | | Fixes: #5596 Signed-off-by: Samuel Cabrero <scabrero@suse.de> --- cups/auth.c | 4 ---- scheduler/client.c | 10 ++-------- 2 files changed, 2 insertions(+), 12 deletions(-) diff --git a/cups/auth.c b/cups/auth.c index 3218919ce..299dc6d51 100644 --- a/cups/auth.c +++ b/cups/auth.c @@ -1128,10 +1128,6 @@ cups_local_auth(http_t *http) /* I - HTTP connection to server */ } # endif /* HAVE_AUTHORIZATION_H */ -# ifdef HAVE_GSSAPI - if (cups_auth_find(www_auth, "Negotiate")) - return (1); -# endif /* HAVE_GSSAPI */ # ifdef HAVE_AUTHORIZATION_H if (cups_auth_find(www_auth, "AuthRef")) return (1); diff --git a/scheduler/client.c b/scheduler/client.c index c36c1d24d..f9200e874 100644 --- a/scheduler/client.c +++ b/scheduler/client.c 
@@ -2353,19 +2353,13 @@ cupsdSendHeader( strlcpy(auth_str, "Basic realm=\"CUPS\"", sizeof(auth_str)); else if (auth_type == CUPSD_AUTH_NEGOTIATE) { -#ifdef AF_LOCAL - if (httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL) - strlcpy(auth_str, "Basic realm=\"CUPS\"", sizeof(auth_str)); - else -#endif /* AF_LOCAL */ strlcpy(auth_str, "Negotiate", sizeof(auth_str)); } - if (con->best && auth_type != CUPSD_AUTH_NEGOTIATE && - !_cups_strcasecmp(httpGetHostname(con->http, NULL, 0), "localhost")) + if (con->best && !_cups_strcasecmp(httpGetHostname(con->http, NULL, 0), "localhost")) { /* - * Add a "trc" (try root certification) parameter for local non-Kerberos + * Add a "trc" (try root certification) parameter for local * requests when the request requires system group membership - then the * client knows the root certificate can/should be used. * -- 2.29.2
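Review bot: The `trc` hint in the `@@ -2353,19 +2353,13` hunk now rests on a hostname string comparison alone for Negotiate-protected resources: `con->best` plus `httpGetHostname(con->http, NULL, 0)` comparing equal to "localhost". How that hostname is filled in is not visible here. If it can come from a name lookup rather than from the peer address, an address-based test such as `httpAddrLocalhost(httpGetAddress(con->http))` would be a firmer basis for advertising root-certificate use. The block comment could also say explicitly that Negotiate locations are now included on purpose. cupsdSendHeader's body starts and ends outside the hunk.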