rpms/mod_auth_gssapi
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix sbrequests authentication

Browse Source
This commit is contained in:
Simo Sorce 2015-03-31 17:22:15 -04:00
parent db9f42c46c
commit e4fcf291b7
2 changed files with 75 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
0001-Handle-authentication-on-subrequests.patch Normal file
View File

@ -0,0 +1,70 @@
From e5db7c1f5738c7874e73869a2f4511193f956b81 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 30 Mar 2015 12:48:30 -0400
Subject: [PATCH] Handle authentication on subrequests
In some cases (like during directory listing) Apache will re-run the
authentication code. Many GSSAPI mechanism have replay detection so
we cannot simply rerun the accept_sec_context phase. Others require
multiple steps. When authntication has already been estalished just
implicitly consider the authentication successfully performed and
copy the user name. Otherwise fail.
If a subrequest hits a location with a different mod_auth_gssapi
configuration warn but do not error off right away.
Fixes #15
---
src/mod_auth_gssapi.c | 35 ++++++++++++++++++++++++++++++-----
1 file changed, 30 insertions(+), 5 deletions(-)
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
index c7881bf9e149bb190ad73741250d94541abfd0e8..e2331107b89734bd5da3a742a884c6a92489d5a8 100644
--- a/src/mod_auth_gssapi.c
+++ b/src/mod_auth_gssapi.c
@@ -245,13 +245,38 @@ static int mag_auth(request_rec *req)
return DECLINED;
}
- /* ignore auth for subrequests */
- if (!ap_is_initial_req(req)) {
- return OK;
- }
-
cfg = ap_get_module_config(req->per_dir_config, &auth_gssapi_module);
+ /* implicit auth for subrequests if main auth already happened */
+ if (!ap_is_initial_req(req)) {
+ type = ap_auth_type(req->main);
+ if ((type != NULL) && (strcasecmp(type, "GSSAPI") == 0)) {
+ /* warn if the subrequest location and the main request
+ * location have different configs */
+ if (cfg != ap_get_module_config(req->main->per_dir_config,
+ &auth_gssapi_module)) {
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING||APLOG_NOERRNO, 0,
+ req, "Subrequest authentication bypass on "
+ "location with different configuration!");
+ }
+ if (req->main->user) {
+ req->user = apr_pstrdup(req->pool, req->main->user);
+ return OK;
+ } else {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
+ "The main request is tasked to establish the "
+ "security context, can't proceed!");
+ return HTTP_UNAUTHORIZED;
+ }
+ } else {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, req,
+ "Subrequest GSSAPI auth with no auth on the main "
+ "request. This operation may fail if other "
+ "subrequests already established a context or the "
+ "mechanism requires multiple roundtrips.");
+ }
+ }
+
if (cfg->ssl_only) {
if (!mag_conn_is_https(req->connection)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
--
2.1.0

6
mod_auth_gssapi.spec
View File

@ -1,6 +1,6 @@
Name: mod_auth_gssapi
Version: 1.1.0
Release: 2%{?dist}
Release: 3%{?dist}
Summary: A GSSAPI Authentication module for Apache
Group: System Environment/Daemons
@ -13,6 +13,7 @@ Requires: httpd-mmn = %{_httpd_mmn}
Requires: krb5-libs >= 1.11.5
Patch01: 0001-Escape-principal-name-to-remove-the-path-separator.patch
Patch02: 0001-Handle-authentication-on-subrequests.patch
%description
The mod_auth_gssapi module is an authentication service that implements the
@ -46,6 +47,9 @@ install -m 644 10-auth_gssapi.conf %{buildroot}%{_httpd_modconfdir}
%{_httpd_moddir}/mod_auth_gssapi.so
%changelog
* Thu Mar 31 2015 Simo Sorce <simo@redhat.com> 1.1.0-3
- Fix some authentication issues
* Thu Mar 26 2015 Simo Sorce <simo@redhat.com> 1.1.0-2
- Fix saving delegated credentials for SPNs