diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..8f8debf --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/mod_auth_kerb-5.4.tar.gz diff --git a/.mod_auth_kerb.metadata b/.mod_auth_kerb.metadata new file mode 100644 index 0000000..81e46da --- /dev/null +++ b/.mod_auth_kerb.metadata @@ -0,0 +1 @@ +22673081419bc2e98789fe2f998968c0cf10c2d4 SOURCES/mod_auth_kerb-5.4.tar.gz diff --git a/SOURCES/LICENSE.ASL b/SOURCES/LICENSE.ASL new file mode 100644 index 0000000..261eeb9 --- /dev/null +++ b/SOURCES/LICENSE.ASL @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/SOURCES/auth_kerb.conf b/SOURCES/auth_kerb.conf new file mode 100644 index 0000000..b593270 --- /dev/null +++ b/SOURCES/auth_kerb.conf @@ -0,0 +1,25 @@ +# +# The mod_auth_kerb module implements Kerberos authentication over +# HTTP, following the "Negotiate" protocol. +# + +LoadModule auth_kerb_module modules/mod_auth_kerb.so + +# +# Sample configuration: Kerberos authentication must only be +# used over SSL to prevent replay attacks. The keytab file +# configured must be readable only by the "apache" user, and +# must contain service keys for "HTTP/www.example.com", where +# "www.example.com" is the FQDN of this server. +# + +# +# SSLRequireSSL +# AuthType Kerberos +# AuthName "Kerberos Login" +# KrbMethodNegotiate On +# KrbMethodK5Passwd Off +# KrbAuthRealms EXAMPLE.COM +# Krb5KeyTab /etc/httpd/conf/keytab +# require valid-user +# diff --git a/SOURCES/mod_auth_kerb-5.4-cachedir.patch b/SOURCES/mod_auth_kerb-5.4-cachedir.patch new file mode 100644 index 0000000..ebc4358 --- /dev/null +++ b/SOURCES/mod_auth_kerb-5.4-cachedir.patch @@ -0,0 +1,15 @@ + +Per https://bugzilla.redhat.com//show_bug.cgi?id=796430 +switch the cache dir to be relative to runtimedir. + +--- mod_auth_kerb-5.4/src/mod_auth_kerb.c.cachedir ++++ mod_auth_kerb-5.4/src/mod_auth_kerb.c +@@ -891,7 +891,7 @@ create_krb5_ccache(krb5_context kcontext + int ret; + krb5_ccache tmp_ccache = NULL; + +- ccname = apr_psprintf(r->connection->pool, "FILE:%s/krb5cc_apache_XXXXXX", P_tmpdir); ++ ccname = apr_pstrdup(r->connection->pool, "FILE:/run/httpd/krbcache/krb5cc_apache_XXXXXX"); + fd = mkstemp(ccname + strlen("FILE:")); + if (fd < 0) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, diff --git a/SOURCES/mod_auth_kerb-5.4-delegation.patch b/SOURCES/mod_auth_kerb-5.4-delegation.patch new file mode 100644 index 0000000..a01e9f2 --- /dev/null +++ b/SOURCES/mod_auth_kerb-5.4-delegation.patch @@ -0,0 +1,68 @@ + +https://bugzilla.redhat.com/show_bug.cgi?id=688210 + +--- mod_auth_kerb-5.4/src/mod_auth_kerb.c.delegation ++++ mod_auth_kerb-5.4/src/mod_auth_kerb.c +@@ -209,6 +209,7 @@ typedef struct krb5_conn_data { + char *authline; + char *user; + char *mech; ++ char *ccname; + int last_return; + } krb5_conn_data; + +@@ -875,7 +876,7 @@ create_krb5_ccache(krb5_context kcontext + int ret; + krb5_ccache tmp_ccache = NULL; + +- ccname = apr_psprintf(r->pool, "FILE:%s/krb5cc_apache_XXXXXX", P_tmpdir); ++ ccname = apr_psprintf(r->connection->pool, "FILE:%s/krb5cc_apache_XXXXXX", P_tmpdir); + fd = mkstemp(ccname + strlen("FILE:")); + if (fd < 0) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, +@@ -905,7 +906,7 @@ create_krb5_ccache(krb5_context kcontext + } + + apr_table_setn(r->subprocess_env, "KRB5CCNAME", ccname); +- apr_pool_cleanup_register(r->pool, ccname, krb5_cache_cleanup, ++ apr_pool_cleanup_register(r->connection->pool, ccname, krb5_cache_cleanup, + apr_pool_cleanup_null); + + *ccache = tmp_ccache; +@@ -1866,10 +1868,15 @@ already_succeeded(request_rec *r, char * + if (apr_pool_userdata_get((void**)&conn_data, keyname, r->connection->pool) != 0) + return NULL; + +- if(conn_data) { +- if(strcmp(conn_data->authline, auth_line) == 0) { +- log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "matched previous auth request"); +- return conn_data; ++ if(conn_data && conn_data->ccname != NULL) { ++ apr_finfo_t finfo; ++ ++ if (apr_stat(&finfo, conn_data->ccname + strlen("FILE:"), ++ APR_FINFO_NORM, r->pool) == APR_SUCCESS ++ && (finfo.valid & APR_FINFO_TYPE) ++ && finfo.filetype == APR_REG) { ++ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "matched previous auth request"); ++ return conn_data; + } + } + return NULL; +@@ -2001,6 +2008,8 @@ kerb_authenticate_user(request_rec *r) + ret = prevauth->last_return; + MK_USER = prevauth->user; + MK_AUTH_TYPE = prevauth->mech; ++ if (prevauth->ccname) ++ apr_table_setn(r->subprocess_env, "KRB5CCNAME", prevauth->ccname); + } + + /* +@@ -2011,6 +2020,7 @@ kerb_authenticate_user(request_rec *r) + prevauth->user = apr_pstrdup(r->connection->pool, MK_USER); + prevauth->authline = apr_pstrdup(r->connection->pool, auth_line); + prevauth->mech = apr_pstrdup(r->connection->pool, auth_type); ++ prevauth->ccname = apr_pstrdup(r->connection->pool, apr_table_get(r->subprocess_env, "KRB5CCNAME")); + prevauth->last_return = ret; + snprintf(keyname, sizeof(keyname) - 1, + "mod_auth_kerb::connection::%s::%ld", diff --git a/SOURCES/mod_auth_kerb-5.4-expired.patch b/SOURCES/mod_auth_kerb-5.4-expired.patch new file mode 100644 index 0000000..4b77a49 --- /dev/null +++ b/SOURCES/mod_auth_kerb-5.4-expired.patch @@ -0,0 +1,20 @@ +diff --git a/src/mod_auth_kerb.c b/src/mod_auth_kerb.c +index 2aab5ee..ca81878 100644 +--- a/src/mod_auth_kerb.c ++++ b/src/mod_auth_kerb.c +@@ -1744,7 +1744,6 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf, + goto end; + } + +-#if 0 + /* This is a _Kerberos_ module so multiple authentication rounds aren't + * supported. If we wanted a generic GSS authentication we would have to do + * some magic with exporting context etc. */ +@@ -1752,7 +1751,6 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf, + ret = HTTP_UNAUTHORIZED; + goto end; + } +-#endif + + major_status = gss_display_name(&minor_status, client_name, &output_token, NULL); + gss_release_name(&minor_status, &client_name); diff --git a/SOURCES/mod_auth_kerb-5.4-fixes.patch b/SOURCES/mod_auth_kerb-5.4-fixes.patch new file mode 100644 index 0000000..b86be69 --- /dev/null +++ b/SOURCES/mod_auth_kerb-5.4-fixes.patch @@ -0,0 +1,40 @@ + +Compiler warning fixes. + +--- mod_auth_kerb-5.4/src/mod_auth_kerb.c.fixes ++++ mod_auth_kerb-5.4/src/mod_auth_kerb.c +@@ -677,7 +677,8 @@ end: + static krb5_error_code + verify_krb5_user(request_rec *r, krb5_context context, krb5_principal principal, + const char *password, krb5_principal server, +- krb5_keytab keytab, int krb_verify_kdc, char *krb_service_name, krb5_ccache *ccache) ++ krb5_keytab keytab, int krb_verify_kdc, ++ const char *krb_service_name, krb5_ccache *ccache) + { + krb5_creds creds; + krb5_get_init_creds_opt options; +@@ -1280,6 +1281,7 @@ get_gss_creds(request_rec *r, + return 0; + } + ++#ifndef GSSAPI_SUPPORTS_SPNEGO + static int + cmp_gss_type(gss_buffer_t token, gss_OID oid) + { +@@ -1306,6 +1308,7 @@ cmp_gss_type(gss_buffer_t token, gss_OID + + return memcmp(p, oid->elements, oid->length); + } ++#endif + + static int + authenticate_user_gss(request_rec *r, kerb_auth_config *conf, +@@ -1722,7 +1725,7 @@ kerb_authenticate_user(request_rec *r) + return ret; + } + +-int ++static int + have_rcache_type(const char *type) + { + krb5_error_code ret; diff --git a/SOURCES/mod_auth_kerb-5.4-httpd24.patch b/SOURCES/mod_auth_kerb-5.4-httpd24.patch new file mode 100644 index 0000000..86c9b47 --- /dev/null +++ b/SOURCES/mod_auth_kerb-5.4-httpd24.patch @@ -0,0 +1,75 @@ + +Fixes for 2.4 API. + +--- mod_auth_kerb-5.4/src/mod_auth_kerb.c.httpd24 ++++ mod_auth_kerb-5.4/src/mod_auth_kerb.c +@@ -179,6 +179,16 @@ static apr_global_mutex_t *s4u2proxy_loc + #define PROXYREQ_PROXY STD_PROXY + #endif + ++#if MODULE_MAGIC_NUMBER_MAJOR >= 20100606 ++/* 2.4.x or later */ ++#define WITH_HTTPD24 1 ++#define client_ip(r) ((r)->useragent_ip) ++APLOG_USE_MODULE(auth_kerb); ++#else ++#define client_ip(r) ((r)->connection->remote_ip) ++#define ap_unixd_set_global_mutex_perms unixd_set_global_mutex_perms ++#endif ++ + /*************************************************************************** + Auth Configuration Structure + ***************************************************************************/ +@@ -383,7 +393,11 @@ cmd_delegationlock(cmd_parms *cmd, void + } + + static void +-log_rerror(const char *file, int line, int level, int status, ++log_rerror(const char *file, int line, ++#ifdef WITH_HTTPD24 ++ int module_index, ++#endif ++ int level, int status, + const request_rec *r, const char *fmt, ...) + { + char errstr[1024]; +@@ -394,7 +408,9 @@ log_rerror(const char *file, int line, i + va_end(ap); + + +-#ifdef STANDARD20_MODULE_STUFF ++#if defined(WITH_HTTPD24) ++ ap_log_rerror(file, line, module_index, level, status, r, "%s", errstr); ++#elif defined(STANDARD20_MODULE_STUFF) + ap_log_rerror(file, line, level | APLOG_NOERRNO, status, r, "%s", errstr); + #else + ap_log_rerror(file, line, level | APLOG_NOERRNO, r, "%s", errstr); +@@ -1860,8 +1876,8 @@ already_succeeded(request_rec *r, char * + char keyname[1024]; + + snprintf(keyname, sizeof(keyname) - 1, +- "mod_auth_kerb::connection::%s::%ld", r->connection->remote_ip, +- r->connection->id); ++ "mod_auth_kerb::connection::%s::%ld", client_ip(r), ++ r->connection->id); + + if (apr_pool_userdata_get((void**)&conn_data, keyname, r->connection->pool) != 0) + return NULL; +@@ -2014,7 +2030,7 @@ kerb_authenticate_user(request_rec *r) + prevauth->last_return = ret; + snprintf(keyname, sizeof(keyname) - 1, + "mod_auth_kerb::connection::%s::%ld", +- r->connection->remote_ip, r->connection->id); ++ client_ip(r), r->connection->id); + apr_pool_userdata_set(prevauth, keyname, NULL, r->connection->pool); + } + +@@ -2073,7 +2089,7 @@ s4u2proxylock_create(server_rec *s, apr_ + } + + #ifdef AP_NEED_SET_MUTEX_PERMS +- rc = unixd_set_global_mutex_perms(s4u2proxy_lock); ++ rc = ap_unixd_set_global_mutex_perms(s4u2proxy_lock); + if (rc != APR_SUCCESS) { + ap_log_error(APLOG_MARK, APLOG_CRIT, rc, s, + "mod_auth_kerb: Parent could not set permissions " diff --git a/SOURCES/mod_auth_kerb-5.4-longuser.patch b/SOURCES/mod_auth_kerb-5.4-longuser.patch new file mode 100644 index 0000000..100fd36 --- /dev/null +++ b/SOURCES/mod_auth_kerb-5.4-longuser.patch @@ -0,0 +1,31 @@ + +https://bugzilla.redhat.com/show_bug.cgi?id=867153 + +Patch by: jkaluza + +--- mod_auth_kerb-5.4/src/mod_auth_kerb.c.longuser ++++ mod_auth_kerb-5.4/src/mod_auth_kerb.c +@@ -80,6 +80,7 @@ + + #define MECH_NEGOTIATE "Negotiate" + #define SERVICE_NAME "HTTP" ++#define MAX_LOCAL_USERNAME 255 + + #include + #include +@@ -1815,13 +1816,13 @@ do_krb5_an_to_ln(request_rec *r) { + krb5_get_err_text(kcontext, code)); + goto end; + } +- MK_USER_LNAME = apr_pcalloc(r->pool, strlen(MK_USER)+1); ++ MK_USER_LNAME = apr_pcalloc(r->pool, MAX_LOCAL_USERNAME+1); + if (MK_USER_LNAME == NULL) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "ap_pcalloc() failed (not enough memory)"); + goto end; + } +- code = krb5_aname_to_localname(kcontext, client, strlen(MK_USER), MK_USER_LNAME); ++ code = krb5_aname_to_localname(kcontext, client, MAX_LOCAL_USERNAME, MK_USER_LNAME); + if (code) { + if (code != KRB5_LNAME_NOTRANS) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, diff --git a/SOURCES/mod_auth_kerb-5.4-rcopshack.patch b/SOURCES/mod_auth_kerb-5.4-rcopshack.patch new file mode 100644 index 0000000..abbf4db --- /dev/null +++ b/SOURCES/mod_auth_kerb-5.4-rcopshack.patch @@ -0,0 +1,73 @@ + +Remove the Krb5 1.3.x-specific hack which mucks about with +libkrb5 internals, and shouldn't. + +--- mod_auth_kerb-5.4/src/mod_auth_kerb.c.rcopshack ++++ mod_auth_kerb-5.4/src/mod_auth_kerb.c +@@ -285,34 +285,6 @@ mkstemp(char *template) + } + #endif + +-#if defined(KRB5) && !defined(HEIMDAL) +-/* Needed to work around problems with replay caches */ +-#include "mit-internals.h" +- +-/* This is our replacement krb5_rc_store function */ +-static krb5_error_code KRB5_LIB_FUNCTION +-mod_auth_kerb_rc_store(krb5_context context, krb5_rcache rcache, +- krb5_donot_replay_internal *donot_replay) +-{ +- return 0; +-} +- +-/* And this is the operations vector for our replay cache */ +-const krb5_rc_ops_internal mod_auth_kerb_rc_ops = { +- 0, +- "dfl", +- krb5_rc_dfl_init, +- krb5_rc_dfl_recover, +- krb5_rc_dfl_destroy, +- krb5_rc_dfl_close, +- mod_auth_kerb_rc_store, +- krb5_rc_dfl_expunge, +- krb5_rc_dfl_get_span, +- krb5_rc_dfl_get_name, +- krb5_rc_dfl_resolve +-}; +-#endif +- + /*************************************************************************** + Auth Configuration Initialization + ***************************************************************************/ +@@ -1252,31 +1224,6 @@ get_gss_creds(request_rec *r, + return HTTP_INTERNAL_SERVER_ERROR; + } + +-#ifndef HEIMDAL +- /* +- * With MIT Kerberos 5 1.3.x the gss_cred_id_t is the same as +- * krb5_gss_cred_id_t and krb5_gss_cred_id_rec contains a pointer to +- * the replay cache. +- * This allows us to override the replay cache function vector with +- * our own one. +- * Note that this is a dirty hack to get things working and there may +- * well be unknown side-effects. +- */ +- { +- krb5_gss_cred_id_t gss_creds = (krb5_gss_cred_id_t) *server_creds; +- +- /* First we try to verify we are linked with 1.3.x to prevent from +- crashing when linked with 1.4.x */ +- if (gss_creds && (gss_creds->usage == GSS_C_ACCEPT)) { +- if (gss_creds->rcache && gss_creds->rcache->ops && +- gss_creds->rcache->ops->type && +- memcmp(gss_creds->rcache->ops->type, "dfl", 3) == 0) +- /* Override the rcache operations */ +- gss_creds->rcache->ops = &mod_auth_kerb_rc_ops; +- } +- } +-#endif +- + return 0; + } + diff --git a/SOURCES/mod_auth_kerb-5.4-s4u2proxy.patch b/SOURCES/mod_auth_kerb-5.4-s4u2proxy.patch new file mode 100644 index 0000000..031f87e --- /dev/null +++ b/SOURCES/mod_auth_kerb-5.4-s4u2proxy.patch @@ -0,0 +1,591 @@ + +Add S4U2Proxy feature: + +http://sourceforge.net/mailarchive/forum.php?thread_name=4EE665D1.3000308%40redhat.com&forum_name=modauthkerb-help + +The attached patches add support for using s4u2proxy +(http://k5wiki.kerberos.org/wiki/Projects/Services4User) to allow the +web service to obtain credentials on behalf of the authenticated user. + +The first patch adds basic support for s4u2proxy. This requires the web +administrator to manually create and manage the credentails cache for +the apache user (via a cron job, for example). + +The second patch builds on this and makes mod_auth_kerb manage the +ccache instead. + +These are patches against the current CVS HEAD (mod_auth_krb 5.4). + +I've added a new module option to enable this support, +KrbConstrainedDelegation. The default is off. + +--- mod_auth_kerb-5.4.orig/README 2008-11-26 11:51:05.000000000 -0500 ++++ mod_auth_kerb-5.4/README 2012-01-04 11:17:22.000000000 -0500 +@@ -122,4 +122,16 @@ KrbSaveCredentials, the tickets will be + credential cache that will be available for the request handler. The ticket + file will be removed after request is handled. + ++Constrained Delegation ++---------------------- ++S4U2Proxy, or constrained delegation, enables a service to use a client's ++ticket to itself to request another ticket for delegation. The KDC ++checks krbAllowedToDelegateTo to decide if it will issue a new ticket. ++If KrbConstrainedDelegation is enabled the server will use its own credentials ++to retrieve a delegated ticket for the user. For this to work the user must ++have a forwardable ticket (though the delegation flag need not be set). ++The server needs a valid credentials cache for this to work. ++ ++The module itself will obtain and manage the necessary credentials. ++ + $Id: README,v 1.12 2008/09/17 14:01:55 baalberith Exp $ +diff -up --recursive mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c mod_auth_kerb-5.4/src/mod_auth_kerb.c +--- mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c 2011-12-09 17:55:05.000000000 -0500 ++++ mod_auth_kerb-5.4/src/mod_auth_kerb.c 2012-03-01 14:19:40.000000000 -0500 +@@ -42,6 +42,31 @@ + * POSSIBILITY OF SUCH DAMAGE. + */ + ++/* ++ * Locking mechanism inspired by mod_rewrite. ++ * ++ * Licensed to the Apache Software Foundation (ASF) under one or more ++ * contributor license agreements. See the NOTICE file distributed with ++ * this work for additional information regarding copyright ownership. ++ * The ASF licenses this file to You under the Apache License, Version 2.0 ++ * (the "License"); you may not use this file except in compliance with ++ * the License. You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. ++ */ ++ ++/* ++ * S4U2Proxy code ++ * ++ * Copyright (C) 2012 Red Hat ++ */ ++ + #ident "$Id: mod_auth_kerb.c,v 1.150 2008/12/04 10:14:03 baalberith Exp $" + + #include "config.h" +@@ -49,6 +74,7 @@ + #include + #include + #include ++#include + + #define MODAUTHKERB_VERSION "5.4" + +@@ -131,6 +157,12 @@ module AP_MODULE_DECLARE_DATA auth_kerb_ + module auth_kerb_module; + #endif + ++#ifdef STANDARD20_MODULE_STUFF ++/* s4u2proxy only supported in 2.0+ */ ++static const char *lockname; ++static apr_global_mutex_t *s4u2proxy_lock = NULL; ++#endif ++ + /*************************************************************************** + Macros To Ease Compatibility + ***************************************************************************/ +@@ -165,6 +197,7 @@ typedef struct { + int krb_method_gssapi; + int krb_method_k5pass; + int krb5_do_auth_to_local; ++ int krb5_s4u2proxy; + #endif + #ifdef KRB4 + char *krb_4_srvtab; +@@ -185,6 +218,11 @@ set_kerb_auth_headers(request_rec *r, co + + static const char* + krb5_save_realms(cmd_parms *cmd, void *sec, const char *arg); ++static const char * ++cmd_delegationlock(cmd_parms *cmd, void *dconf, const char *a1); ++ ++static int ++obtain_server_credentials(request_rec *r, const char *service_name); + + #ifdef STANDARD20_MODULE_STUFF + #define command(name, func, var, type, usage) \ +@@ -237,6 +275,12 @@ static const command_rec kerb_auth_cmds[ + + command("KrbLocalUserMapping", ap_set_flag_slot, krb5_do_auth_to_local, + FLAG, "Set to 'on' to have Kerberos do auth_to_local mapping of principal names to system user names."), ++ ++ command("KrbConstrainedDelegation", ap_set_flag_slot, krb5_s4u2proxy, ++ FLAG, "Set to 'on' to have Kerberos use S4U2Proxy delegation."), ++ ++ AP_INIT_TAKE1("KrbConstrainedDelegationLock", cmd_delegationlock, NULL, ++ RSRC_CONF, "the filename of a lockfile used for inter-process synchronization"), + #endif + + #ifdef KRB4 +@@ -302,6 +346,7 @@ static void *kerb_dir_create_config(MK_P + #endif + #ifdef KRB5 + ((kerb_auth_config *)rec)->krb5_do_auth_to_local = 0; ++ ((kerb_auth_config *)rec)->krb5_s4u2proxy = 0; + ((kerb_auth_config *)rec)->krb_method_k5pass = 1; + ((kerb_auth_config *)rec)->krb_method_gssapi = 1; + #endif +@@ -319,6 +364,24 @@ krb5_save_realms(cmd_parms *cmd, void *v + return NULL; + } + ++static const char * ++cmd_delegationlock(cmd_parms *cmd, void *dconf, const char *a1) ++{ ++ const char *error; ++ ++ if ((error = ap_check_cmd_context(cmd, GLOBAL_ONLY)) != NULL) ++ return error; ++ ++ /* fixup the path, especially for s4u2proxylock_remove() */ ++ lockname = ap_server_root_relative(cmd->pool, a1); ++ ++ if (!lockname) { ++ return apr_pstrcat(cmd->pool, "Invalid KrbConstrainedDelegationLock path ", a1, NULL); ++ } ++ ++ return NULL; ++} ++ + static void + log_rerror(const char *file, int line, int level, int status, + const request_rec *r, const char *fmt, ...) +@@ -1170,6 +1233,7 @@ get_gss_creds(request_rec *r, + gss_buffer_desc token = GSS_C_EMPTY_BUFFER; + OM_uint32 major_status, minor_status, minor_status2; + gss_name_t server_name = GSS_C_NO_NAME; ++ gss_cred_usage_t usage = GSS_C_ACCEPT; + char buf[1024]; + int have_server_princ; + +@@ -1212,10 +1276,14 @@ get_gss_creds(request_rec *r, + + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Acquiring creds for %s", + token.value); ++ if (conf->krb5_s4u2proxy) { ++ usage = GSS_C_BOTH; ++ obtain_server_credentials(r, conf->krb_service_name); ++ } + gss_release_buffer(&minor_status, &token); + + major_status = gss_acquire_cred(&minor_status, server_name, GSS_C_INDEFINITE, +- GSS_C_NO_OID_SET, GSS_C_ACCEPT, ++ GSS_C_NO_OID_SET, usage, + server_creds, NULL, NULL); + gss_release_name(&minor_status2, &server_name); + if (GSS_ERROR(major_status)) { +@@ -1257,6 +1325,293 @@ cmp_gss_type(gss_buffer_t token, gss_OID + } + #endif + ++/* Renew the ticket if it will expire in under a minute */ ++#define RENEWAL_TIME 60 ++ ++/* ++ * Services4U2Proxy lets a server prinicipal request another service ++ * principal on behalf of a user. To do this the Apache service needs ++ * to have its own ccache. This will ensure that the ccache has a valid ++ * principal and will initialize or renew new credentials when needed. ++ */ ++ ++static int ++verify_server_credentials(request_rec *r, ++ krb5_context kcontext, ++ krb5_ccache ccache, ++ krb5_principal princ, ++ int *renew ++) ++{ ++ krb5_creds match_cred; ++ krb5_creds creds; ++ char * princ_name = NULL; ++ char *tgs_princ_name = NULL; ++ krb5_timestamp now; ++ krb5_error_code kerr = 0; ++ ++ *renew = 0; ++ ++ memset (&match_cred, 0, sizeof(match_cred)); ++ memset (&creds, 0, sizeof(creds)); ++ ++ if (NULL == ccache || NULL == princ) { ++ /* Nothing to verify */ ++ *renew = 1; ++ goto cleanup; ++ } ++ ++ if ((kerr = krb5_unparse_name(kcontext, princ, &princ_name))) { ++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, ++ "Could not unparse principal %s (%d)", ++ error_message(kerr), kerr); ++ goto cleanup; ++ } ++ ++ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, ++ "Using principal %s for s4u2proxy", princ_name); ++ ++ tgs_princ_name = apr_psprintf(r->pool, "%s/%.*s@%.*s", KRB5_TGS_NAME, ++ krb5_princ_realm(kcontext, princ)->length, ++ krb5_princ_realm(kcontext, princ)->data, ++ krb5_princ_realm(kcontext, princ)->length, ++ krb5_princ_realm(kcontext, princ)->data); ++ ++ if ((kerr = krb5_parse_name(kcontext, tgs_princ_name, &match_cred.server))) ++ { ++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, ++ "Could not parse principal %s: %s (%d)", ++ tgs_princ_name, error_message(kerr), kerr); ++ goto cleanup; ++ } ++ ++ match_cred.client = princ; ++ ++ if ((kerr = krb5_cc_retrieve_cred(kcontext, ccache, 0, &match_cred, &creds))) ++ { ++ krb5_unparse_name(kcontext, princ, &princ_name); ++ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, ++ "Could not unparse principal %s: %s (%d)", ++ princ_name, error_message(kerr), kerr); ++ goto cleanup; ++ } ++ ++ if ((kerr = krb5_timeofday(kcontext, &now))) { ++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, ++ "Could not get current time: %d (%s)", ++ kerr, error_message(kerr)); ++ goto cleanup; ++ } ++ ++ if (now > (creds.times.endtime + RENEWAL_TIME)) { ++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, ++ "Credentials for %s have expired or will soon " ++ "expire - now %d endtime %d", ++ princ_name, now, creds.times.endtime); ++ *renew = 1; ++ } else { ++ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, ++ "Credentials for %s will expire at " ++ "%d, it is now %d", princ_name, creds.times.endtime, now); ++ } ++ ++cleanup: ++ /* Closing context, ccache, etc happens elsewhere */ ++ if (match_cred.server) { ++ krb5_free_principal(kcontext, match_cred.server); ++ } ++ if (creds.client) { ++ krb5_free_cred_contents(kcontext, &creds); ++ } ++ ++ return kerr; ++} ++ ++static int ++obtain_server_credentials(request_rec *r, ++ const char *service_name) ++{ ++ krb5_context kcontext = NULL; ++ krb5_keytab keytab = NULL; ++ krb5_ccache ccache = NULL; ++ char * princ_name = NULL; ++ char *tgs_princ_name = NULL; ++ krb5_error_code kerr = 0; ++ krb5_principal princ = NULL; ++ krb5_creds creds; ++ krb5_get_init_creds_opt gicopts; ++ int renew = 0; ++ apr_status_t rv = 0; ++ ++ memset(&creds, 0, sizeof(creds)); ++ ++ if ((kerr = krb5_init_context(&kcontext))) { ++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, ++ "Kerberos context initialization failed: %s (%d)", error_message(kerr), kerr); ++ goto done; ++ } ++ ++ if ((kerr = krb5_cc_default(kcontext, &ccache))) { ++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, ++ "Could not get default Kerberos ccache: %s (%d)", ++ error_message(kerr), kerr); ++ goto done; ++ } ++ ++ if ((kerr = krb5_cc_get_principal(kcontext, ccache, &princ))) { ++ char * name = NULL; ++ ++ if ((asprintf(&name, "%s:%s", krb5_cc_get_type(kcontext, ccache), ++ krb5_cc_get_name(kcontext, ccache))) == -1) { ++ kerr = KRB5_CC_NOMEM; ++ goto done; ++ } ++ ++ if (KRB5_FCC_NOFILE == kerr) { ++ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, ++ "Credentials cache %s not found, create one", name); ++ krb5_cc_close(kcontext, ccache); ++ ccache = NULL; ++ free(name); ++ } else { ++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, ++ "Failure to open credentials cache %s: %s (%d)", ++ name, error_message(kerr), kerr); ++ free(name); ++ goto done; ++ } ++ } ++ ++ kerr = verify_server_credentials(r, kcontext, ccache, princ, &renew); ++ ++ if (kerr || !renew) { ++ goto done; ++ } ++ ++#ifdef STANDARD20_MODULE_STUFF ++ if (s4u2proxy_lock) { ++ rv = apr_global_mutex_lock(s4u2proxy_lock); ++ if (rv != APR_SUCCESS) { ++ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, ++ "apr_global_mutex_lock(s4u2proxy_lock) " ++ "failed"); ++ } ++ } ++#endif ++ ++ /* We have the lock, check again to be sure another process hasn't already ++ * renewed the ticket. ++ */ ++ kerr = verify_server_credentials(r, kcontext, ccache, princ, &renew); ++ if (kerr || !renew) { ++ goto unlock; ++ } ++ ++ if (NULL == princ) { ++ princ_name = apr_psprintf(r->pool, "%s/%s", ++ (service_name) ? service_name : SERVICE_NAME, ++ ap_get_server_name(r)); ++ ++ if ((kerr = krb5_parse_name(kcontext, princ_name, &princ))) { ++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, ++ "Could not parse principal %s: %s (%d) ", ++ princ_name, error_message(kerr), kerr); ++ goto unlock; ++ } ++ } else if (NULL == princ_name) { ++ if ((kerr = krb5_unparse_name(kcontext, princ, &princ_name))) { ++ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, ++ "Could not unparse principal %s: %s (%d)", ++ princ_name, error_message(kerr), kerr); ++ goto unlock; ++ } ++ } ++ ++ if ((kerr = krb5_kt_default(kcontext, &keytab))) { ++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, ++ "Unable to get default keytab: %s (%d)", ++ error_message(kerr), kerr); ++ goto unlock; ++ } ++ ++ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, ++ "Obtaining new credentials for %s", princ_name); ++ krb5_get_init_creds_opt_init(&gicopts); ++ krb5_get_init_creds_opt_set_forwardable(&gicopts, 1); ++ ++ tgs_princ_name = apr_psprintf(r->pool, "%s/%.*s@%.*s", KRB5_TGS_NAME, ++ krb5_princ_realm(kcontext, princ)->length, ++ krb5_princ_realm(kcontext, princ)->data, ++ krb5_princ_realm(kcontext, princ)->length, ++ krb5_princ_realm(kcontext, princ)->data); ++ ++ if ((kerr = krb5_get_init_creds_keytab(kcontext, &creds, princ, keytab, ++ 0, tgs_princ_name, &gicopts))) { ++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, ++ "Failed to obtain credentials for principal %s: " ++ "%s (%d)", princ_name, error_message(kerr), kerr); ++ goto unlock; ++ } ++ ++ krb5_kt_close(kcontext, keytab); ++ keytab = NULL; ++ ++ if (NULL == ccache) { ++ if ((kerr = krb5_cc_default(kcontext, &ccache))) { ++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, ++ "Failed to open default ccache: %s (%d)", ++ error_message(kerr), kerr); ++ goto unlock; ++ } ++ } ++ ++ if ((kerr = krb5_cc_initialize(kcontext, ccache, princ))) { ++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, ++ "Failed to initialize ccache for %s: %s (%d)", ++ princ_name, error_message(kerr), kerr); ++ goto unlock; ++ } ++ ++ if ((kerr = krb5_cc_store_cred(kcontext, ccache, &creds))) { ++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, ++ "Failed to store %s in ccache: %s (%d)", ++ princ_name, error_message(kerr), kerr); ++ goto unlock; ++ } ++ ++unlock: ++#ifdef STANDARD20_MODULE_STUFF ++ if (s4u2proxy_lock) { ++ apr_global_mutex_unlock(s4u2proxy_lock); ++ if (rv != APR_SUCCESS) { ++ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, ++ "apr_global_mutex_unlock(s4u2proxy_lock) " ++ "failed"); ++ } ++ } ++#endif ++ ++done: ++ if (0 == kerr) ++ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, ++ "Done obtaining credentials for s4u2proxy"); ++ else ++ log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, ++ "Failed to obtain credentials for s4u2proxy"); ++ ++ if (creds.client) { ++ krb5_free_cred_contents(kcontext, &creds); ++ } ++ if (ccache) { ++ krb5_cc_close(kcontext, ccache); ++ } ++ if (kcontext) { ++ krb5_free_context(kcontext); ++ } ++ ++ return kerr; ++} ++ + static int + authenticate_user_gss(request_rec *r, kerb_auth_config *conf, + const char *auth_line, char **negotiate_ret_value) +@@ -1697,10 +2052,60 @@ have_rcache_type(const char *type) + /*************************************************************************** + Module Setup/Configuration + ***************************************************************************/ ++#ifdef STANDARD20_MODULE_STUFF ++static apr_status_t ++s4u2proxylock_create(server_rec *s, apr_pool_t *p) ++{ ++ apr_status_t rc; ++ ++ /* only operate if a lockfile is used */ ++ if (lockname == NULL || *(lockname) == '\0') { ++ return APR_SUCCESS; ++ } ++ ++ /* create the lockfile */ ++ rc = apr_global_mutex_create(&s4u2proxy_lock, lockname, ++ APR_LOCK_DEFAULT, p); ++ if (rc != APR_SUCCESS) { ++ ap_log_error(APLOG_MARK, APLOG_CRIT, rc, s, ++ "Parent could not create lock file %s", lockname); ++ return rc; ++ } ++ ++#ifdef AP_NEED_SET_MUTEX_PERMS ++ rc = unixd_set_global_mutex_perms(s4u2proxy_lock); ++ if (rc != APR_SUCCESS) { ++ ap_log_error(APLOG_MARK, APLOG_CRIT, rc, s, ++ "mod_auth_kerb: Parent could not set permissions " ++ "on lock; check User and Group directives"); ++ return rc; ++ } ++#endif ++ ++ return APR_SUCCESS; ++} ++ ++static apr_status_t ++s4u2proxylock_remove(void *unused) ++{ ++ /* only operate if a lockfile is used */ ++ if (lockname == NULL || *(lockname) == '\0') { ++ return APR_SUCCESS; ++ } ++ ++ /* destroy the rewritelock */ ++ apr_global_mutex_destroy(s4u2proxy_lock); ++ s4u2proxy_lock = NULL; ++ lockname = NULL; ++ return APR_SUCCESS; ++} ++#endif ++ + #ifndef STANDARD20_MODULE_STUFF + static void + kerb_module_init(server_rec *dummy, pool *p) + { ++ apr_status_t status; + #ifndef HEIMDAL + /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later. + 1.3.x are covered by the hack overiding the replay calls */ +@@ -1741,6 +2146,7 @@ static int + kerb_init_handler(apr_pool_t *p, apr_pool_t *plog, + apr_pool_t *ptemp, server_rec *s) + { ++ apr_status_t rv; + ap_add_version_component(p, "mod_auth_kerb/" MODAUTHKERB_VERSION); + #ifndef HEIMDAL + /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later. +@@ -1748,14 +2154,41 @@ kerb_init_handler(apr_pool_t *p, apr_poo + if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none")) + putenv(strdup("KRB5RCACHETYPE=none")); + #endif ++#ifdef STANDARD20_MODULE_STUFF ++ rv = s4u2proxylock_create(s, p); ++ if (rv != APR_SUCCESS) { ++ return HTTP_INTERNAL_SERVER_ERROR; ++ } ++ ++ apr_pool_cleanup_register(p, (void *)s, s4u2proxylock_remove, ++ apr_pool_cleanup_null); ++#endif + + return OK; + } + + static void ++initialize_child(apr_pool_t *p, server_rec *s) ++{ ++ apr_status_t rv = 0; ++ ++#ifdef STANDARD20_MODULE_STUFF ++ if (lockname != NULL && *(lockname) != '\0') { ++ rv = apr_global_mutex_child_init(&s4u2proxy_lock, lockname, p); ++ if (rv != APR_SUCCESS) { ++ ap_log_error(APLOG_MARK, APLOG_CRIT, rv, s, ++ "mod_auth_kerb: could not init s4u2proxy_lock" ++ " in child"); ++ } ++ } ++#endif ++} ++ ++static void + kerb_register_hooks(apr_pool_t *p) + { + ap_hook_post_config(kerb_init_handler, NULL, NULL, APR_HOOK_MIDDLE); ++ ap_hook_child_init(initialize_child, NULL, NULL, APR_HOOK_MIDDLE); + ap_hook_check_user_id(kerb_authenticate_user, NULL, NULL, APR_HOOK_MIDDLE); + } + diff --git a/SPECS/mod_auth_kerb.spec b/SPECS/mod_auth_kerb.spec new file mode 100644 index 0000000..eaf9383 --- /dev/null +++ b/SPECS/mod_auth_kerb.spec @@ -0,0 +1,254 @@ +%{!?_httpd_apxs: %{expand: %%global _httpd_apxs %%{_sbindir}/apxs}} +%{!?_httpd_mmn: %{expand: %%global _httpd_mmn %%(cat %{_includedir}/httpd/.mmn 2>/dev/null || echo missing-httpd-devel)}} +%{!?_httpd_confdir: %{expand: %%global _httpd_confdir %%{_sysconfdir}/httpd/conf.d}} +# /etc/httpd/conf.d with httpd < 2.4 and defined as /etc/httpd/conf.modules.d with httpd >= 2.4 +%{!?_httpd_modconfdir: %{expand: %%global _httpd_modconfdir %%{_sysconfdir}/httpd/conf.d}} +%{!?_httpd_moddir: %{expand: %%global _httpd_moddir %%{_libdir}/httpd/modules}} + +Summary: Kerberos authentication module for HTTP +Name: mod_auth_kerb +Version: 5.4 +Release: 28%{?dist} +# src/mod_auth_kerb.c is under 3-clause BSD, ASL 2.0 code is patched in (-s4u2proxy.patch) +# src/mit-internals.h contains MIT-licensed code. +License: BSD and MIT and ASL 2.0 +Group: System Environment/Daemons +URL: http://modauthkerb.sourceforge.net/ +Source0: http://downloads.sourceforge.net/modauthkerb/%{name}-%{version}.tar.gz +Source1: auth_kerb.conf +Source2: LICENSE.ASL +Patch1: mod_auth_kerb-5.4-rcopshack.patch +Patch2: mod_auth_kerb-5.4-fixes.patch +Patch3: mod_auth_kerb-5.4-s4u2proxy.patch +Patch4: mod_auth_kerb-5.4-httpd24.patch +Patch5: mod_auth_kerb-5.4-delegation.patch +Patch6: mod_auth_kerb-5.4-cachedir.patch +Patch7: mod_auth_kerb-5.4-longuser.patch +Patch8: mod_auth_kerb-5.4-expired.patch +BuildRequires: httpd-devel, krb5-devel +Requires: httpd-mmn = %{_httpd_mmn} +Requires(pre): httpd + +# Suppres auto-provides for module DSO +%{?filter_provides_in: %filter_provides_in %{_libdir}/httpd/modules/.*\.so$} +%{?filter_setup} + +%description +mod_auth_kerb is module for the Apache HTTP Server designed to +provide Kerberos authentication over HTTP. The module supports the +Negotiate authentication method, which performs full Kerberos +authentication based on ticket exchanges. + +%prep +%setup -q -n %{name}-%{version} +%patch1 -p1 -b .rcopshack +%patch2 -p1 -b .fixes +%patch3 -p1 -b .s4u2proxy +%patch4 -p1 -b .httpd24 +%patch5 -p1 -b .delegation +%patch6 -p1 -b .cachedir +%patch7 -p1 -b .longuser +%patch8 -p1 -b .expired + +%build +export APXS=%{_httpd_apxs} +%configure --without-krb4 --with-krb5=%{_prefix} +make %{?_smp_mflags} + +%install +rm -rf $RPM_BUILD_ROOT +install -Dm 755 src/.libs/mod_auth_kerb.so \ + $RPM_BUILD_ROOT%{_httpd_moddir}/mod_auth_kerb.so + +%if "%{_httpd_modconfdir}" != "%{_httpd_confdir}" +# httpd >= 2.4.x +sed -n /^LoadModule/p %{SOURCE1} > 10-auth_kerb.conf +sed '/LoadModule/d;/Location /,/Location>/s,^#,,' %{SOURCE1} > example.conf +install -Dp -m 0644 10-auth_kerb.conf $RPM_BUILD_ROOT%{_httpd_modconfdir}/10-auth_kerb.conf +%else +# httpd <= 2.2.x +install -Dp -m 0644 %{SOURCE1} $RPM_BUILD_ROOT%{_httpd_confdir}/auth_kerb.conf +%endif + +# Credentials cache +mkdir -p $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d +echo 'd /run/httpd/krbcache 700 apache apache' \ + > $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d/httpd-krbcache.conf +mkdir -p $RPM_BUILD_ROOT/run/httpd/krbcache + +# Copy the license files here so we can include them in %doc +cp -p %{SOURCE2} . + +%files +%doc README LICENSE LICENSE.ASL +%config(noreplace) %{_httpd_modconfdir}/*.conf +%if "%{_httpd_modconfdir}" != "%{_httpd_confdir}" +%doc example.conf +%endif +%{_httpd_moddir}/*.so +%{_prefix}/lib/tmpfiles.d/httpd-krbcache.conf +%attr(0700,apache,apache) %dir /run/httpd/krbcache + +%changelog +* Fri Jan 24 2014 Daniel Mach - 5.4-28 +- Mass rebuild 2014-01-24 + +* Mon Jan 13 2014 Joe Orton - 5.4-27 +- rebuild for #1029360 + +* Fri Dec 27 2013 Daniel Mach - 5.4-26 +- Mass rebuild 2013-12-27 + +* Thu Oct 03 2013 Jan Kaluza - 5.4-25 +- don't fail with error 500 when ticket is expired and Authorization header is + provided by client (#982521) + +* Tue Jun 04 2013 Jan Kaluza - 5.4-24 +- don't truncate translated names with KrbLocalUserMapping + +* Thu Feb 14 2013 Fedora Release Engineering - 5.4-23 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Thu Nov 15 2012 Joe Orton - 5.4-22 +- clarify licensing; clean up spec file + +* Tue Nov 13 2012 Joe Orton - 5.4-21 +- fix httpd_mmn stderr filter (thanks rcollet) + +* Tue Nov 13 2012 Joe Orton - 5.4-20 +- hide stderr if finding httpd_mmn +- package LICENSE +- filter DSO auto provides + +* Wed Aug 8 2012 Joe Orton - 5.4-19 +- add Requires(pre) for httpd to ensure apache uid exists at install time + +* Wed Aug 8 2012 Joe Orton - 5.4-18 +- move ccache to /run/httpd/ccache + +* Fri Jul 20 2012 Fedora Release Engineering - 5.4-17 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Wed Jun 13 2012 Joe Orton - 5.4-16 +- hard-code use of /run/user/apache for cache dir +- package /run/user/apache +- move tmpfiles drop-in to /usr/lib + +* Wed Jun 13 2012 Joe Orton - 5.4-15 +- fix segfault in cache dir fix (#796430) + +* Fri May 11 2012 Joe Orton - 5.4-14 +- add tmpfile drop-in for cred cache (#796430) +- really apply delegation fix + +* Tue May 1 2012 Joe Orton - 5.4-13 +- add delegation fix (Ben Kahn, mgbowman, #687975) + +* Tue Mar 27 2012 Joe Orton - 5.4-12 +- rebuild for httpd 2.4 + +* Fri Mar 9 2012 Joe Orton - 5.4-11 +- adapt for 2.4 API + +* Thu Mar 1 2012 Rob Crittenden - 5.4-10 +- Updated s4u2proxy patch to add missing braces around conditional. + +* Tue Jan 31 2012 Rob Crittenden - 5.4-9 +- Add support for Constrained Delegation/s4u2proxy (#767740) + +* Fri Jan 13 2012 Fedora Release Engineering - 5.4-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Tue Feb 08 2011 Fedora Release Engineering - 5.4-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Thu Dec 9 2010 Joe Orton - 5.4-6 +- fix build (thanks to Mike Bonnet, #599754) + +* Fri Aug 07 2009 Parag 5.4-5 +- Spec cleanup as suggested in review bug #226150 + +* Sat Jul 25 2009 Fedora Release Engineering - 5.4-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Wed Feb 25 2009 Fedora Release Engineering - 5.4-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Thu Dec 11 2008 Joe Orton 5.4-2 +- update to 5.4 + +* Tue Feb 19 2008 Fedora Release Engineering - 5.3-7 +- Autorebuild for GCC 4.3 + +* Tue Sep 25 2007 Joe Orton 5.3-6 +- fix configure invocation (#301181) + +* Sun Sep 2 2007 Joe Orton 5.3-5 +- rebuild for fixed 32-bit APR + +* Thu Aug 30 2007 Joe Orton 5.3-4 +- clarify License tag + +* Wed Nov 29 2006 Joe Orton 5.3-3 +- fix r->user caching (Enrico Scholz, #214207) +- update to 5.3 (CVE-2006-5989, #215443) + +* Sun Oct 01 2006 Jesse Keating - 5.1-3 +- rebuilt for unwind info generation, broken in gcc-4.1.1-21 + +* Tue Sep 19 2006 Joe Orton 5.1-2 +- update to 5.1 + +* Thu Aug 3 2006 Joe Orton 5.0-10 +- fix segfault at startup (#201145) + +* Thu Jul 20 2006 Joe Orton 5.0-9 +- add Russ Allbery's fix for disabling replay cache with krb15 + +* Wed Jul 12 2006 Jesse Keating - 5.0-8.2.2 +- rebuild + +* Fri Feb 10 2006 Jesse Keating - 5.0-8.2.1 +- bump again for double-long bug on ppc(64) + +* Tue Feb 07 2006 Jesse Keating - 5.0-8.2 +- rebuilt for new gcc4.1 snapshot and glibc changes + +* Fri Dec 09 2005 Jesse Keating +- rebuilt + +* Mon Dec 5 2005 Joe Orton 5.0-8 +- rebuild for httpd 2.2 + +* Wed Sep 21 2005 Joe Orton 5.0-7 +- fix build without /usr/sbin in $PATH (Roozbeh Pournader, #168212) + +* Tue May 10 2005 Joe Orton 5.0-6 +- update to 5.0rc6 +- don't force CC=gcc4 + +* Fri Mar 4 2005 Joe Orton 5.0-3 +- fix build with GCC 4 +- only add "auth_kerb_module" symbol to dynamic symbol table + +* Tue Jun 15 2004 Elliot Lee +- rebuilt + +* Thu Apr 8 2004 Joe Orton 5.0-0.rc4.5 +- remove static globals +- add SSLRequireSSL + +* Mon Mar 29 2004 Joe Orton 5.0-0.rc4.3 +- support mutual authentication (Nalin Dahyabhai) +- once authentication returns COMPLETE, cache name for the duration + of the connection + +* Thu Mar 25 2004 Joe Orton 5.0-0.rc4.2 +- add example config file + +* Wed Mar 24 2004 Joe Orton 5.0-0.rc4.1 +- update to mod_auth_kerb.c from HEAD to get workaround for + "Request is a replay" errors + +* Tue Mar 23 2004 Joe Orton +- Initial build.