Fix annoying incorrect behavior with simple configuration where
GssapiAllowedMech is not used.
parent
7b93ead5be
commit
205f999fdc
@ -1,90 +0,0 @@
|
|||||||
From 286e3dac69c3d4b32db93de1f9937f434383588f Mon Sep 17 00:00:00 2001
|
|
||||||
From: Simo Sorce <simo@redhat.com>
|
|
||||||
Date: Thu, 26 Mar 2015 16:30:56 -0400
|
|
||||||
Subject: [PATCH] Escape principal name to remove the path separator
|
|
||||||
|
|
||||||
The principla name is used as a file name, any embedded path separators
|
|
||||||
are going to cause trouble if used in the file name, so we need to escape
|
|
||||||
them away. Usee ~ as the escape chracter (~~ to escape ~ itself)
|
|
||||||
|
|
||||||
Fixes #14
|
|
||||||
---
|
|
||||||
src/mod_auth_gssapi.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++-
|
|
||||||
1 file changed, 53 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
|
|
||||||
index 4f21123a4caa56d748307055be73099cc9a63dc0..c7881bf9e149bb190ad73741250d94541abfd0e8 100644
|
|
||||||
--- a/src/mod_auth_gssapi.c
|
|
||||||
+++ b/src/mod_auth_gssapi.c
|
|
||||||
@@ -119,6 +119,48 @@ static bool mag_conn_is_https(conn_rec *c)
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static char *escape(apr_pool_t *pool, const char *name,
|
|
||||||
+ char find, const char *replace)
|
|
||||||
+{
|
|
||||||
+ char *escaped = NULL;
|
|
||||||
+ char *namecopy;
|
|
||||||
+ char *n;
|
|
||||||
+ char *p;
|
|
||||||
+
|
|
||||||
+ namecopy = apr_pstrdup(pool, name);
|
|
||||||
+ if (!namecopy) goto done;
|
|
||||||
+
|
|
||||||
+ p = strchr(namecopy, find);
|
|
||||||
+ if (!p) return namecopy;
|
|
||||||
+
|
|
||||||
+ /* first segment */
|
|
||||||
+ n = namecopy;
|
|
||||||
+ while (p) {
|
|
||||||
+ /* terminate previous segment */
|
|
||||||
+ *p = '\0';
|
|
||||||
+ if (escaped) {
|
|
||||||
+ escaped = apr_pstrcat(pool, escaped, n, replace, NULL);
|
|
||||||
+ } else {
|
|
||||||
+ escaped = apr_pstrcat(pool, n, replace, NULL);
|
|
||||||
+ }
|
|
||||||
+ if (!escaped) goto done;
|
|
||||||
+ /* move to next segment */
|
|
||||||
+ n = p + 1;
|
|
||||||
+ p = strchr(n, find);
|
|
||||||
+ }
|
|
||||||
+ /* append last segment if any */
|
|
||||||
+ if (*n) {
|
|
||||||
+ escaped = apr_pstrcat(pool, escaped, n, NULL);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+done:
|
|
||||||
+ if (!escaped) {
|
|
||||||
+ ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, NULL,
|
|
||||||
+ "OOM escaping name");
|
|
||||||
+ }
|
|
||||||
+ return escaped;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static void mag_store_deleg_creds(request_rec *req,
|
|
||||||
char *dir, char *clientname,
|
|
||||||
gss_cred_id_t delegated_cred,
|
|
||||||
@@ -128,8 +170,18 @@ static void mag_store_deleg_creds(request_rec *req,
|
|
||||||
gss_key_value_set_desc store;
|
|
||||||
char *value;
|
|
||||||
uint32_t maj, min;
|
|
||||||
+ char *escaped;
|
|
||||||
|
|
||||||
- value = apr_psprintf(req->pool, "FILE:%s/%s", dir, clientname);
|
|
||||||
+ /* We need to escape away '/', we can't have path separators in
|
|
||||||
+ * a ccache file name */
|
|
||||||
+ /* first double escape the esacping char (~) if any */
|
|
||||||
+ escaped = escape(req->pool, clientname, '~', "~~");
|
|
||||||
+ if (!escaped) return;
|
|
||||||
+ /* then escape away the separator (/) if any */
|
|
||||||
+ escaped = escape(req->pool, escaped, '/', "~");
|
|
||||||
+ if (!escaped) return;
|
|
||||||
+
|
|
||||||
+ value = apr_psprintf(req->pool, "FILE:%s/%s", dir, escaped);
|
|
||||||
if (!value) {
|
|
||||||
ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, NULL,
|
|
||||||
"OOM storing delegated credentials");
|
|
||||||
--
|
|
||||||
2.1.0
|
|
||||||
|
|
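--- a/0001-Fix-checks-on-allowed-mechs.patch
+++ b/0001-Fix-checks-on-allowed-mechs.patch
@@ -0,0 +1,62 @@
+From 4e7967e797e5c8912a67c0de8f172bb95b5172ff Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Tue, 7 Jul 2015 13:23:57 -0400
+Subject: [PATCH] Fix checks on allowed mechs
+
+We need to check if a mech is allowed against the desired_mechs set.
+Otherwise in case the admin does not explicitly specify an allowed set
+then all mechs are allowed, including NTLM. This causes annoying issues
+with browsers like Firefox and Chrome/ium which end up popping up an
+authentication dialog if they see NTLM is supported and they have no
+Kerberos tickets around.
+Authentication will then simply fail because NTLM is not actually supported.
+By using desired_mechs we use a list of mechanism the machine actually
+has a chance to support in the default case.
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+src/mod_auth_gssapi.c | 12 ++++++------
+1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
+index 6cb8d3a532370212f8fc2e708b066511575fbd7e..763b625cef106923afca753e4c3e192df24bb49e 100644
+--- a/src/mod_auth_gssapi.c
++++ b/src/mod_auth_gssapi.c
+@@ -292,12 +292,12 @@ static bool parse_auth_header(apr_pool_t *pool, const char **auth_header,
+return true;
+}
+
+-static bool is_mech_allowed(struct mag_config *cfg, gss_const_OID mech)
++static bool is_mech_allowed(gss_OID_set allowed_mechs, gss_const_OID mech)
+{
+- if (cfg->allowed_mechs == GSS_C_NO_OID_SET) return true;
++ if (allowed_mechs == GSS_C_NO_OID_SET) return true;
+
+- for (int i = 0; i < cfg->allowed_mechs->count; i++) {
+- if (gss_oid_equal(&cfg->allowed_mechs->elements[i], mech)) {
++ for (int i = 0; i < allowed_mechs->count; i++) {
++ if (gss_oid_equal(&allowed_mechs->elements[i], mech)) {
+return true;
+}
+}
+@@ -785,7 +785,7 @@ static int mag_auth(request_rec *req)
+break;
+
+case AUTH_TYPE_RAW_NTLM:
+- if (!is_mech_allowed(cfg, &gss_mech_ntlmssp)) {
++ if (!is_mech_allowed(desired_mechs, &gss_mech_ntlmssp)) {
+ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req,
+"NTLM Authentication is not allowed!");
+goto done;
+@@ -945,7 +945,7 @@ done:
+}
+} else if (ret == HTTP_UNAUTHORIZED) {
+apr_table_add(req->err_headers_out, "WWW-Authenticate", "Negotiate");
+- if (is_mech_allowed(cfg, &gss_mech_ntlmssp)) {
++ if (is_mech_allowed(desired_mechs, &gss_mech_ntlmssp)) {
+apr_table_add(req->err_headers_out, "WWW-Authenticate", "NTLM");
+}
+if (cfg->use_basic_auth) {
+--
+2.4.2
+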
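Review bot: The early return `if (allowed_mechs == GSS_C_NO_OID_SET) return true;` keeps is_mech_allowed fail-open, so the two callers rewritten in the @@ -785 and @@ -945 hunks will again accept and advertise NTLM on any path where desired_mechs is still GSS_C_NO_OID_SET — the very behaviour this patch sets out to remove. Whether desired_mechs is guaranteed to be populated before the `case AUTH_TYPE_RAW_NTLM:` check and before the `done:` label (including early jumps to done:) is not visible here; mag_auth starts and ends outside these hunks. If callers never intend an unrestricted set, `if (allowed_mechs == GSS_C_NO_OID_SET) return false;` closes that gap; if the no-set meaning is intentional, the function deserves a comment such as `/* GSS_C_NO_OID_SET means no restriction: callers must pass the set of mechs actually supported */` so the next change to a caller does not reintroduce the bug.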
@ -1,70 +0,0 @@
|
|||||||
From e5db7c1f5738c7874e73869a2f4511193f956b81 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Simo Sorce <simo@redhat.com>
|
|
||||||
Date: Mon, 30 Mar 2015 12:48:30 -0400
|
|
||||||
Subject: [PATCH] Handle authentication on subrequests
|
|
||||||
|
|
||||||
In some cases (like during directory listing) Apache will re-run the
|
|
||||||
authentication code. Many GSSAPI mechanism have replay detection so
|
|
||||||
we cannot simply rerun the accept_sec_context phase. Others require
|
|
||||||
multiple steps. When authntication has already been estalished just
|
|
||||||
implicitly consider the authentication successfully performed and
|
|
||||||
copy the user name. Otherwise fail.
|
|
||||||
If a subrequest hits a location with a different mod_auth_gssapi
|
|
||||||
configuration warn but do not error off right away.
|
|
||||||
|
|
||||||
Fixes #15
|
|
||||||
---
|
|
||||||
src/mod_auth_gssapi.c | 35 ++++++++++++++++++++++++++++++-----
|
|
||||||
1 file changed, 30 insertions(+), 5 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
|
|
||||||
index c7881bf9e149bb190ad73741250d94541abfd0e8..e2331107b89734bd5da3a742a884c6a92489d5a8 100644
|
|
||||||
--- a/src/mod_auth_gssapi.c
|
|
||||||
+++ b/src/mod_auth_gssapi.c
|
|
||||||
@@ -245,13 +245,38 @@ static int mag_auth(request_rec *req)
|
|
||||||
return DECLINED;
|
|
||||||
}
|
|
||||||
|
|
||||||
- /* ignore auth for subrequests */
|
|
||||||
- if (!ap_is_initial_req(req)) {
|
|
||||||
- return OK;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
cfg = ap_get_module_config(req->per_dir_config, &auth_gssapi_module);
|
|
||||||
|
|
||||||
+ /* implicit auth for subrequests if main auth already happened */
|
|
||||||
+ if (!ap_is_initial_req(req)) {
|
|
||||||
+ type = ap_auth_type(req->main);
|
|
||||||
+ if ((type != NULL) && (strcasecmp(type, "GSSAPI") == 0)) {
|
|
||||||
+ /* warn if the subrequest location and the main request
|
|
||||||
+ * location have different configs */
|
|
||||||
+ if (cfg != ap_get_module_config(req->main->per_dir_config,
|
|
||||||
+ &auth_gssapi_module)) {
|
|
||||||
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING||APLOG_NOERRNO, 0,
|
|
||||||
+ req, "Subrequest authentication bypass on "
|
|
||||||
+ "location with different configuration!");
|
|
||||||
+ }
|
|
||||||
+ if (req->main->user) {
|
|
||||||
+ req->user = apr_pstrdup(req->pool, req->main->user);
|
|
||||||
+ return OK;
|
|
||||||
+ } else {
|
|
||||||
+ ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
|
|
||||||
+ "The main request is tasked to establish the "
|
|
||||||
+ "security context, can't proceed!");
|
|
||||||
+ return HTTP_UNAUTHORIZED;
|
|
||||||
+ }
|
|
||||||
+ } else {
|
|
||||||
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, req,
|
|
||||||
+ "Subrequest GSSAPI auth with no auth on the main "
|
|
||||||
+ "request. This operation may fail if other "
|
|
||||||
+ "subrequests already established a context or the "
|
|
||||||
+ "mechanism requires multiple roundtrips.");
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (cfg->ssl_only) {
|
|
||||||
if (!mag_conn_is_https(req->connection)) {
|
|
||||||
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
|
|
||||||
--
|
|
||||||
2.1.0
|
|
||||||
|
|
@ -1,6 +1,6 @@
|
|||||||
Name: mod_auth_gssapi
|
Name: mod_auth_gssapi
|
||||||
Version: 1.3.0
|
Version: 1.3.0
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
Summary: A GSSAPI Authentication module for Apache
|
Summary: A GSSAPI Authentication module for Apache
|
||||||
|
|
||||||
Group: System Environment/Daemons
|
Group: System Environment/Daemons
|
||||||
@ -13,6 +13,7 @@ BuildRequires: gssntlmssp-devel
|
|||||||
Requires: httpd-mmn = %{_httpd_mmn}
|
Requires: httpd-mmn = %{_httpd_mmn}
|
||||||
Requires: krb5-libs >= 1.11.5
|
Requires: krb5-libs >= 1.11.5
|
||||||
|
|
||||||
|
Patch01: 0001-Fix-checks-on-allowed-mechs.patch
|
||||||
|
|
||||||
%description
|
%description
|
||||||
The mod_auth_gssapi module is an authentication service that implements the
|
The mod_auth_gssapi module is an authentication service that implements the
|
||||||
@ -20,6 +21,7 @@ SPNEGO based HTTP Authentication protocol defined in RFC4559.
|
|||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q
|
%setup -q
|
||||||
|
%patch01 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
export APXS=%{_httpd_apxs}
|
export APXS=%{_httpd_apxs}
|
||||||
@ -44,6 +46,10 @@ install -m 644 10-auth_gssapi.conf %{buildroot}%{_httpd_modconfdir}
|
|||||||
%{_httpd_moddir}/mod_auth_gssapi.so
|
%{_httpd_moddir}/mod_auth_gssapi.so
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Jul 7 2015 Simo Sorce <simo@redhat.com> 1.3.0-2
|
||||||
|
- Fix annoying incorrect behavior with simple configuration where
|
||||||
|
GssapiAllowedMech is not used.
|
||||||
|
|
||||||
* Sat Jul 4 2015 Simo Sorce <simo@redhat.com> 1.3.0-1
|
* Sat Jul 4 2015 Simo Sorce <simo@redhat.com> 1.3.0-1
|
||||||
- US Independence Day Release
|
- US Independence Day Release
|
||||||
|
|
||||||
|