diff --git a/0001-Handle-authentication-on-subrequests.patch b/0001-Handle-authentication-on-subrequests.patch
new file mode 100644
index 0000000..4cc6fb7
--- /dev/null
+++ b/0001-Handle-authentication-on-subrequests.patch
@@ -0,0 +1,70 @@
+From e5db7c1f5738c7874e73869a2f4511193f956b81 Mon Sep 17 00:00:00 2001
+From: Simo Sorce
+Date: Mon, 30 Mar 2015 12:48:30 -0400
+Subject: [PATCH] Handle authentication on subrequests
+
+In some cases (like during directory listing) Apache will re-run the
+authentication code. Many GSSAPI mechanism have replay detection so
+we cannot simply rerun the accept_sec_context phase. Others require
+multiple steps. When authntication has already been estalished just
+implicitly consider the authentication successfully performed and
+copy the user name. Otherwise fail.
+If a subrequest hits a location with a different mod_auth_gssapi
+configuration warn but do not error off right away.
+
+Fixes #15
+---
+ src/mod_auth_gssapi.c | 35 ++++++++++++++++++++++++++++++-----
+ 1 file changed, 30 insertions(+), 5 deletions(-)
+
+diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c
+index c7881bf9e149bb190ad73741250d94541abfd0e8..e2331107b89734bd5da3a742a884c6a92489d5a8 100644
+--- a/src/mod_auth_gssapi.c
++++ b/src/mod_auth_gssapi.c
+@@ -245,13 +245,38 @@ static int mag_auth(request_rec *req)
+ return DECLINED;
+ }
+ 
+- /* ignore auth for subrequests */
+- if (!ap_is_initial_req(req)) {
+- return OK;
+- }
+-
+ cfg = ap_get_module_config(req->per_dir_config, &auth_gssapi_module);
+ 
++ /* implicit auth for subrequests if main auth already happened */
++ if (!ap_is_initial_req(req)) {
++ type = ap_auth_type(req->main);
++ if ((type != NULL) && (strcasecmp(type, "GSSAPI") == 0)) {
++ /* warn if the subrequest location and the main request
++ * location have different configs */
++ if (cfg != ap_get_module_config(req->main->per_dir_config,
++ &auth_gssapi_module)) {
++ ap_log_rerror(APLOG_MARK, APLOG_WARNING||APLOG_NOERRNO, 0,
++ req, "Subrequest authentication bypass on "
++ "location with different configuration!");
++ }
++ if (req->main->user) {
++ req->user = apr_pstrdup(req->pool, req->main->user);
++ return OK;
++ } else {
++ ap_log_rerror(APLOG_MARK, 
APLOG_ERR|APLOG_NOERRNO, 0, req,
++ "The main request is tasked to establish the "
++ "security context, can't proceed!");
++ return HTTP_UNAUTHORIZED;
++ }
++ } else {
++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, req,
++ "Subrequest GSSAPI auth with no auth on the main "
++ "request. This operation may fail if other "
++ "subrequests already established a context or the "
++ "mechanism requires multiple roundtrips.");
++ }
++ }
++ 
+ if (cfg->ssl_only) {
+ if (!mag_conn_is_https(req->connection)) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, 0, req,
+--
+2.1.0
+
diff --git a/mod_auth_gssapi.spec b/mod_auth_gssapi.spec
index 4766d23..474b238 100644
--- a/mod_auth_gssapi.spec
+++ b/mod_auth_gssapi.spec
@@ -1,6 +1,6 @@
 Name: mod_auth_gssapi
 Version: 1.1.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: A GSSAPI Authentication module for Apache
 
 Group: System Environment/Daemons
@@ -13,6 +13,7 @@ Requires: httpd-mmn = %{_httpd_mmn}
 Requires: krb5-libs >= 1.11.5
 
 Patch01: 0001-Escape-principal-name-to-remove-the-path-separator.patch
+Patch02: 0001-Handle-authentication-on-subrequests.patch
 
 %description
 The mod_auth_gssapi module is an authentication service that implements the
@@ -46,6 +47,9 @@ install -m 644 10-auth_gssapi.conf %{buildroot}%{_httpd_modconfdir}
 %{_httpd_moddir}/mod_auth_gssapi.so
 
 %changelog
+* Thu Mar 31 2015 Simo Sorce 1.1.0-3
+- Fix some authentication issues
+
 * Thu Mar 26 2015 Simo Sorce 1.1.0-2
 - Fix saving delegated credentials for SPNs
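Review bot: The warning emitted when a subrequest's location carries a different mod_auth_gssapi configuration passes `APLOG_WARNING||APLOG_NOERRNO` as the log level, which is a logical OR that evaluates to 1 (APLOG_ALERT) instead of the bitwise `APLOG_WARNING|APLOG_NOERRNO` used by the other two ap_log_rerror calls in this hunk; as written every such subrequest is logged at alert severity for a condition the commit message itself calls non-fatal. On the trust side, that same branch still copies `req->main->user` and returns OK regardless of the configuration mismatch; since the identity was established by GSSAPI on the main request this is reasonable for authentication, but a comment such as `/* identity already established by GSSAPI on the main request; the subrequest location's own authorization checks still apply */` would make the intended model explicit (presumably authz hooks still run for the subrequest — verify). Note that mag_auth's body begins and ends outside this hunk, so the earlier check that `type` is initialized for the current request is not visible here.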