[modauthkerb] mod_auth_kerb, virtualhost and Firefox/Safari

Douglas E. Engert deengert at anl.gov
Tue Jun 27 13:55:11 EDT 2006


Some comments on this approach. It appears that you are trying
to correct a fundamental problem in the underlying Kerberos
gss implementation.

On the server/acceptor side, if the gss_acquire_cred is called
with a GSS_C_NO_NAME (or the gss_init_sec_context is not passed
a cred_handle), then any principal in the keytab should
be acceptable.

In the MIT krb5-1.4.1, if the call to krb5_rd_req in
accept_sec_context.c at line 405 has cred->princ == NULL,
then the krb5_rd_req will look in the keytab for the principal
requested by the client.

We have a mod for this, see attachment, which would also allow for
a service principal in multiple realms. This mod was sent to the
Kerberos list a few years ago but never acted on by MIT, as far as I know.

Looking at the Heimdal code, it looks like it will pass in NULL to krb5_rd_req
and work similarly to our mod.

Solaris 10 also appears to work like our mod as well. It's only the MIT
that does not.





Russ Allbery wrote:

> Pepijn Oomen <oomen at piprograms.com> writes:
> 
> 
>>Sounds interesting. Can you point me to where that patch is to be found? 
>>CVS, mail, patches?
> 
> 
> I mailed it to the list a few days ago, but the Sourceforge archives kind
> of suck.  Here it is again.
> 
> diff -urNad libapache-mod-auth-kerb~/README libapache-mod-auth-kerb/README
> --- libapache-mod-auth-kerb~/README	2006-03-30 17:19:51.000000000 -0800
> +++ libapache-mod-auth-kerb/README	2006-06-19 10:42:53.000000000 -0700
> @@ -67,6 +67,10 @@
>     around problems with misconfigured DNS. A corresponding key of this name
>     must be stored in the keytab.
>  
> +   Normally, you do not want to use this option.  Instead, put every key that
> +   a browser may want to use into the keytab specified by Krb5Keytab (see
> +   below), and mod_auth_kerb will try each one of them in turn.
> +
>  Krb4Srvtab /path/to/srvtab
>     This option takes one argument, specifying the path to the Kerberos V4
>     srvtab. It will simply use the "default srvtab" from Kerberos V4's
> @@ -106,11 +110,19 @@
>  needed when the Negotiate method is used. In this case the module acts as a
>  standard kerberos service (similarly to e.g. kerberized ssh or ftp servers).
>  Default name of the service key is HTTP/<fqdn_of_www_server>@REALM, another
> -name of the first instance can be set using the KrbServiceName option. The key
> -must be stored in a keytab on a local disk, the Krb5Keytab and Krb4Srvtab
> -options are used to specify the filename with the keytab. This file should be
> -only readable for the apache process and contain only the key used for www
> -authentication.
> +name of the first instance can be set using the KrbServiceName option or by
> +putting multiple keys in the keytab and letting the module try each one in
> +turn. The key must be stored in a keytab on a local disk, the Krb5Keytab and
> +Krb4Srvtab options are used to specify the filename with the keytab. This file
> +should be only readable for the apache process and contain only the key used
> +for www authentication.
> +
> +Be aware that different browsers will try different principal names. Firefox
> +will do a forward and reverse lookup of the remote IP address to canonicalize
> +the server name and then use that fully-qualified name in the principal (after
> +HTTP/). The most recent 10.4 version of Safari will instead use the fully
> +qualified server name from the URL without canonicalization. Older versions of
> +Safari may use the unqualified name of the server (after HTTP/).
>  
>  Ticket File/Credential Cache Saving
>  -----------------------------------
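Review bot: the retained sentence in this hunk, "This file should be only readable for the apache process and contain only the key used for www authentication", now contradicts the new advice two lines earlier to put multiple keys in the keytab and let the module try each in turn; reword it to something like "contain only the HTTP/ keys used for www authentication". It is also worth saying here that every entry in that file becomes an acceptable acceptor identity, since the code walks the whole keytab rather than only HTTP/ entries, so host/ and other service keys should not share it.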
> diff -urNad libapache-mod-auth-kerb~/src/mod_auth_kerb.c libapache-mod-auth-kerb/src/mod_auth_kerb.c
> --- libapache-mod-auth-kerb~/src/mod_auth_kerb.c	2006-06-19 10:35:26.000000000 -0700
> +++ libapache-mod-auth-kerb/src/mod_auth_kerb.c	2006-06-19 10:37:49.000000000 -0700
> @@ -1197,6 +1197,12 @@
>  authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
>  		      const char *auth_line, char **negotiate_ret_value)
>  {
> +  krb5_context ctx;
> +  krb5_keytab keytab;
> +  krb5_kt_cursor cursor;
> +  krb5_keytab_entry entry;
> +  int k5_errno;
> +  char *principal = NULL;
>    OM_uint32 major_status, minor_status, minor_status2;
>    gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
>    gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
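Review bot: `k5_errno` is declared `int` but receives `krb5_error_code` results from krb5_init_context, krb5_kt_resolve and the other krb5_kt_* calls; declare it as `krb5_error_code k5_errno;` to match the API. `keytab` and `cursor` are left uninitialized and are only used further down when `k5_errno == 0`, which holds, but a reader has to trace that chain; initializing `keytab = NULL` (as `principal` already is) keeps a cleanup path safe once one is added.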
> @@ -1237,10 +1243,6 @@
>  #endif
>    }
>  
> -  ret = get_gss_creds(r, conf, &server_creds);
> -  if (ret)
> -     goto end;
> -
>    /* ap_getword() shifts parameter */
>    auth_param = ap_getword_white(r->pool, &auth_line);
>    if (auth_param == NULL) {
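Review bot: dropping the single up-front `get_gss_creds` call is fine, but its replacement inside the keytab loop in the next hunk acquires a fresh `server_creds` on every iteration and nothing in the visible hunks releases the previous handle, so each keytab entry tried leaks one GSS credential; call `gss_release_cred` (and reset `server_creds = GSS_C_NO_CREDENTIAL`) before re-acquiring, or acquire once per distinct principal.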
> @@ -1267,6 +1269,34 @@
>       			gss_accept_sec_context_spnego : gss_accept_sec_context;
>  #endif
>  
> +  /* We're going to try accepting the context with every different principal
> +     available in our keytab if we can.  Otherwise, we're going to fall back
> +     on just doing this once with the specified principal name.  If k5_errno
> +     is zero, we're walking through the keytab; otherwise, we're not. */
> +  k5_errno = krb5_init_context(&ctx);
> +  if (k5_errno == 0) {
> +      if (conf->krb_5_keytab)
> +          k5_errno = krb5_kt_resolve(ctx, conf->krb_5_keytab, &keytab);
> +      else
> +          k5_errno = krb5_kt_default(ctx, &keytab);
> +  }
> +  if (k5_errno == 0)
> +      k5_errno = krb5_kt_start_seq_get(ctx, keytab, &cursor);
> +
> +  /* Here's the big loop in which we try to do the authentication. */
> +  do {
> +      if (k5_errno == 0)
> +          k5_errno = krb5_kt_next_entry(ctx, keytab, &entry, &cursor);
> +      if (k5_errno == 0)
> +          k5_errno = krb5_unparse_name(ctx, entry.principal, &principal);
> +      if (k5_errno == 0)
> +          conf->krb_service_name = principal;
> +  
> +      ret = get_gss_creds(r, conf, &server_creds);
> +      if (ret)
> +          goto end;
> +
> +  /* pridat: Read client Negotiate data of length XXX, prefix YYY */
>    log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Verifying client data using %s",
>  	     (accept_sec_token == gss_accept_sec_context)
>  	       ? "KRB5 GSS-API"
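Review bot: `conf->krb_service_name = principal;` overwrites the module's per-directory configuration with whatever entry the cursor is on, so the value outlives this request (ending with the last principal tried), later requests no longer see the administrator's KrbServiceName, and the documented fallback of trying "just once with the specified principal name" when the keytab cannot be opened actually uses the leftover value from an earlier request. Pass the candidate name through a local variable, or save and restore `conf->krb_service_name` around the loop. Two smaller points in the same loop: when `krb5_kt_next_entry` reaches the end of the keytab it returns non-zero, but the body still runs `get_gss_creds` and the accept call once more with the previous principal, so the last entry is tried twice and that repeat is what gets logged; and a keytab holds one entry per kvno and enctype, so the same principal is retried for each of them while non-HTTP/ entries (host/ keys) are tried as well. Breaking out of the loop when the cursor is exhausted and skipping entries whose name does not start with `HTTP/` fixes both.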
> @@ -1307,6 +1337,7 @@
>       gss_release_buffer(&minor_status2, &output_token);
>       set_kerb_auth_headers(r, conf, 0, 0, *negotiate_ret_value);
>    }
> +  } while (k5_errno == 0 && GSS_ERROR(major_status));
>  
>    if (GSS_ERROR(major_status)) {
>       if (input_token.length > 7 && memcmp(input_token.value, "NTLMSSP", 7) == 0)
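Review bot: the loop closes here, but nothing in the patch ends the cursor (`krb5_kt_end_seq_get`), closes the keytab (`krb5_kt_close`), frees each `entry` (`krb5_free_keytab_entry_contents` on MIT, `krb5_kt_free_entry` on Heimdal), frees the string from `krb5_unparse_name` (`krb5_free_unparsed_name`) or frees `ctx` (`krb5_free_context`); add that cleanup after the loop and on the `goto end` path. The condition `GSS_ERROR(major_status)` also retries on every GSS failure, not only a key mismatch, so a request that fails for clock skew or a replayed token is re-verified against every key in the keytab with a debug log line each time; consider limiting the retry to the mechanism's wrong-principal/no-key error.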
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
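As an added example (not code from this thread or from mod_auth_kerb), here is a Python check of whether a keytab carries the principal that each browser described in the quoted README text would request for a virtual host; the DNS answers and the `klist -k` listing it reads are constructed inline so it runs offline:

```python
"""Added example (not part of the mailing-list thread or mod_auth_kerb).

Models which HTTP/ service principals different browsers will ask for
(per the README text in the quoted patch) and checks a keytab listing for them.
DNS answers and the keytab contents are constructed inline so this runs offline.
"""
import re

# Constructed DNS data: forward A records and reverse PTR records.
FORWARD = {"www.example.com": "192.0.2.10", "wiki.example.com": "192.0.2.10"}
REVERSE = {"192.0.2.10": "web1.example.com"}

# Constructed `klist -k` style listing (one line per kvno/enctype entry).
KEYTAB_LISTING = """\
Keytab name: FILE:/etc/apache2/http.keytab
KVNO Principal
---- --------------------------------------------------
   3 HTTP/www.example.com@EXAMPLE.COM
   3 HTTP/www.example.com@EXAMPLE.COM
   2 HTTP/web1.example.com@EXAMPLE.COM
   2 HTTP/web1.example.com@EXAMPLE.COM
   5 host/web1.example.com@EXAMPLE.COM
"""

def keytab_principals(listing):
    """Distinct principals in klist -k output (kvno/enctype duplicates collapse)."""
    return {m.group(1) for m in re.finditer(r"^\s*\d+\s+(\S+)$", listing, re.M)}

def browser_principals(url_host, realm, forward=FORWARD, reverse=REVERSE):
    """Principal each browser family requests for a URL host, per the README."""
    candidates = {}
    # Firefox: forward lookup, then reverse lookup of the address, canonical name.
    addr = forward.get(url_host)
    canonical = reverse.get(addr, url_host) if addr else url_host
    candidates["firefox"] = f"HTTP/{canonical}@{realm}"
    # Safari 10.4: the host exactly as written in the URL, no canonicalization.
    candidates["safari_10_4"] = f"HTTP/{url_host}@{realm}"
    # Older Safari: the unqualified host name.
    candidates["safari_old"] = f"HTTP/{url_host.split('.')[0]}@{realm}"
    return candidates

def missing_keys(url_host, realm, listing=KEYTAB_LISTING):
    """Map browser -> requested principal for every principal absent from the keytab."""
    have = keytab_principals(listing)
    return {b: p for b, p in browser_principals(url_host, realm).items() if p not in have}

if __name__ == "__main__":
    for host in FORWARD:
        print(host, missing_keys(host, "EXAMPLE.COM"))
```

With the constructed data, www.example.com lacks only the unqualified HTTP/www key that old Safari wants, while wiki.example.com is served only for Firefox, which canonicalizes to web1.example.com.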