Fix annoying incorrect behavior with simple configuration where

GssapiAllowedMech is not used.
This commit is contained in:
Simo Sorce 2015-07-07 13:33:53 -04:00
parent 7b93ead5be
commit 205f999fdc
4 changed files with 69 additions and 161 deletions

View File

@ -1,90 +0,0 @@
From 286e3dac69c3d4b32db93de1f9937f434383588f Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Thu, 26 Mar 2015 16:30:56 -0400
Subject: [PATCH] Escape principal name to remove the path separator
The principla name is used as a file name, any embedded path separators
are going to cause trouble if used in the file name, so we need to escape
them away. Usee ~ as the escape chracter (~~ to escape ~ itself)
Fixes #14
---
src/mod_auth_gssapi.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 53 insertions(+), 1 deletion(-)
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
index 4f21123a4caa56d748307055be73099cc9a63dc0..c7881bf9e149bb190ad73741250d94541abfd0e8 100644
--- a/src/mod_auth_gssapi.c
+++ b/src/mod_auth_gssapi.c
@@ -119,6 +119,48 @@ static bool mag_conn_is_https(conn_rec *c)
return false;
}
+static char *escape(apr_pool_t *pool, const char *name,
+ char find, const char *replace)
+{
+ char *escaped = NULL;
+ char *namecopy;
+ char *n;
+ char *p;
+
+ namecopy = apr_pstrdup(pool, name);
+ if (!namecopy) goto done;
+
+ p = strchr(namecopy, find);
+ if (!p) return namecopy;
+
+ /* first segment */
+ n = namecopy;
+ while (p) {
+ /* terminate previous segment */
+ *p = '\0';
+ if (escaped) {
+ escaped = apr_pstrcat(pool, escaped, n, replace, NULL);
+ } else {
+ escaped = apr_pstrcat(pool, n, replace, NULL);
+ }
+ if (!escaped) goto done;
+ /* move to next segment */
+ n = p + 1;
+ p = strchr(n, find);
+ }
+ /* append last segment if any */
+ if (*n) {
+ escaped = apr_pstrcat(pool, escaped, n, NULL);
+ }
+
+done:
+ if (!escaped) {
+ ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, NULL,
+ "OOM escaping name");
+ }
+ return escaped;
+}
+
static void mag_store_deleg_creds(request_rec *req,
char *dir, char *clientname,
gss_cred_id_t delegated_cred,
@@ -128,8 +170,18 @@ static void mag_store_deleg_creds(request_rec *req,
gss_key_value_set_desc store;
char *value;
uint32_t maj, min;
+ char *escaped;
- value = apr_psprintf(req->pool, "FILE:%s/%s", dir, clientname);
+ /* We need to escape away '/', we can't have path separators in
+ * a ccache file name */
+ /* first double escape the esacping char (~) if any */
+ escaped = escape(req->pool, clientname, '~', "~~");
+ if (!escaped) return;
+ /* then escape away the separator (/) if any */
+ escaped = escape(req->pool, escaped, '/', "~");
+ if (!escaped) return;
+
+ value = apr_psprintf(req->pool, "FILE:%s/%s", dir, escaped);
if (!value) {
ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, NULL,
"OOM storing delegated credentials");
--
2.1.0

View File

@ -0,0 +1,62 @@
From 4e7967e797e5c8912a67c0de8f172bb95b5172ff Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 7 Jul 2015 13:23:57 -0400
Subject: [PATCH] Fix checks on allowed mechs
We need to check if a mech is allowed against the desired_mechs set.
Otherwise in case the admin does not explicitly specify an allowed set
then all mechs are allowed, including NTLM. This causes annoying issues
with browsers like Firefox and Chrome/ium which end up popping up an
authentication dialog if they see NTLM is supported and they have no
Kerberos tickets around.
Authentication will then simply fail because NTLM is not actually supported.
By using desired_mechs we use a list of mechanism the machine actually
has a chance to support in the default case.
Signed-off-by: Simo Sorce <simo@redhat.com>
---
src/mod_auth_gssapi.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
index 6cb8d3a532370212f8fc2e708b066511575fbd7e..763b625cef106923afca753e4c3e192df24bb49e 100644
--- a/src/mod_auth_gssapi.c
+++ b/src/mod_auth_gssapi.c
@@ -292,12 +292,12 @@ static bool parse_auth_header(apr_pool_t *pool, const char **auth_header,
return true;
}
-static bool is_mech_allowed(struct mag_config *cfg, gss_const_OID mech)
+static bool is_mech_allowed(gss_OID_set allowed_mechs, gss_const_OID mech)
{
- if (cfg->allowed_mechs == GSS_C_NO_OID_SET) return true;
+ if (allowed_mechs == GSS_C_NO_OID_SET) return true;
- for (int i = 0; i < cfg->allowed_mechs->count; i++) {
- if (gss_oid_equal(&cfg->allowed_mechs->elements[i], mech)) {
+ for (int i = 0; i < allowed_mechs->count; i++) {
+ if (gss_oid_equal(&allowed_mechs->elements[i], mech)) {
return true;
}
}
@@ -785,7 +785,7 @@ static int mag_auth(request_rec *req)
break;
case AUTH_TYPE_RAW_NTLM:
- if (!is_mech_allowed(cfg, &gss_mech_ntlmssp)) {
+ if (!is_mech_allowed(desired_mechs, &gss_mech_ntlmssp)) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req,
"NTLM Authentication is not allowed!");
goto done;
@@ -945,7 +945,7 @@ done:
}
} else if (ret == HTTP_UNAUTHORIZED) {
apr_table_add(req->err_headers_out, "WWW-Authenticate", "Negotiate");
- if (is_mech_allowed(cfg, &gss_mech_ntlmssp)) {
+ if (is_mech_allowed(desired_mechs, &gss_mech_ntlmssp)) {
apr_table_add(req->err_headers_out, "WWW-Authenticate", "NTLM");
}
if (cfg->use_basic_auth) {
--
2.4.2

View File

@ -1,70 +0,0 @@
From e5db7c1f5738c7874e73869a2f4511193f956b81 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 30 Mar 2015 12:48:30 -0400
Subject: [PATCH] Handle authentication on subrequests
In some cases (like during directory listing) Apache will re-run the
authentication code. Many GSSAPI mechanism have replay detection so
we cannot simply rerun the accept_sec_context phase. Others require
multiple steps. When authntication has already been estalished just
implicitly consider the authentication successfully performed and
copy the user name. Otherwise fail.
If a subrequest hits a location with a different mod_auth_gssapi
configuration warn but do not error off right away.
Fixes #15
---
src/mod_auth_gssapi.c | 35 ++++++++++++++++++++++++++++++-----
1 file changed, 30 insertions(+), 5 deletions(-)
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
index c7881bf9e149bb190ad73741250d94541abfd0e8..e2331107b89734bd5da3a742a884c6a92489d5a8 100644
--- a/src/mod_auth_gssapi.c
+++ b/src/mod_auth_gssapi.c
@@ -245,13 +245,38 @@ static int mag_auth(request_rec *req)
return DECLINED;
}
- /* ignore auth for subrequests */
- if (!ap_is_initial_req(req)) {
- return OK;
- }
-
cfg = ap_get_module_config(req->per_dir_config, &auth_gssapi_module);
+ /* implicit auth for subrequests if main auth already happened */
+ if (!ap_is_initial_req(req)) {
+ type = ap_auth_type(req->main);
+ if ((type != NULL) && (strcasecmp(type, "GSSAPI") == 0)) {
+ /* warn if the subrequest location and the main request
+ * location have different configs */
+ if (cfg != ap_get_module_config(req->main->per_dir_config,
+ &auth_gssapi_module)) {
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING||APLOG_NOERRNO, 0,
+ req, "Subrequest authentication bypass on "
+ "location with different configuration!");
+ }
+ if (req->main->user) {
+ req->user = apr_pstrdup(req->pool, req->main->user);
+ return OK;
+ } else {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
+ "The main request is tasked to establish the "
+ "security context, can't proceed!");
+ return HTTP_UNAUTHORIZED;
+ }
+ } else {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, req,
+ "Subrequest GSSAPI auth with no auth on the main "
+ "request. This operation may fail if other "
+ "subrequests already established a context or the "
+ "mechanism requires multiple roundtrips.");
+ }
+ }
+
if (cfg->ssl_only) {
if (!mag_conn_is_https(req->connection)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
--
2.1.0

View File

@ -1,6 +1,6 @@
Name: mod_auth_gssapi Name: mod_auth_gssapi
Version: 1.3.0 Version: 1.3.0
Release: 1%{?dist} Release: 2%{?dist}
Summary: A GSSAPI Authentication module for Apache Summary: A GSSAPI Authentication module for Apache
Group: System Environment/Daemons Group: System Environment/Daemons
@ -13,6 +13,7 @@ BuildRequires: gssntlmssp-devel
Requires: httpd-mmn = %{_httpd_mmn} Requires: httpd-mmn = %{_httpd_mmn}
Requires: krb5-libs >= 1.11.5 Requires: krb5-libs >= 1.11.5
Patch01: 0001-Fix-checks-on-allowed-mechs.patch
%description %description
The mod_auth_gssapi module is an authentication service that implements the The mod_auth_gssapi module is an authentication service that implements the
@ -20,6 +21,7 @@ SPNEGO based HTTP Authentication protocol defined in RFC4559.
%prep %prep
%setup -q %setup -q
%patch01 -p1
%build %build
export APXS=%{_httpd_apxs} export APXS=%{_httpd_apxs}
@ -44,6 +46,10 @@ install -m 644 10-auth_gssapi.conf %{buildroot}%{_httpd_modconfdir}
%{_httpd_moddir}/mod_auth_gssapi.so %{_httpd_moddir}/mod_auth_gssapi.so
%changelog %changelog
* Tue Jul 7 2015 Simo Sorce <simo@redhat.com> 1.3.0-2
- Fix annoying incorrect behavior with simple configuration where
GssapiAllowedMech is not used.
* Sat Jul 4 2015 Simo Sorce <simo@redhat.com> 1.3.0-1 * Sat Jul 4 2015 Simo Sorce <simo@redhat.com> 1.3.0-1
- US Independence Day Release - US Independence Day Release