File: gssapi_delegation.patch

--- a/src/mod_auth_kerb.c
+++ b/src/mod_auth_kerb.c
@@ -190,6 +190,7 @@ typedef struct {
 	const char *krb_service_name;
 	int krb_authoritative;
 	int krb_delegate_basic;
+	int krb_append_realm;
 #if 0
 	int krb_ssl_preauthentication;
 #endif
@@ -260,6 +261,9 @@ static const command_rec kerb_auth_cmds[
    command("KrbDelegateBasic", ap_set_flag_slot, krb_delegate_basic,
      FLAG, "Always offer Basic authentication regardless of KrbMethodK5Pass and pass on authentication to lower modules if Basic headers arrive."),
 
+   command("KrbAppendRealm", ap_set_flag_slot, krb_append_realm,
+     FLAG, "Append the realm name when setting $REMOTE_USER."),
+
 #if 0
    command("KrbEnableSSLPreauthentication", ap_set_flag_slot, krb_ssl_preauthentication,
      FLAG, "Don't do Kerberos authentication if the user is already authenticated using SSL and her client certificate."),
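Review bot: The help string for `KrbAppendRealm` says neither that the option defaults to on (the dir-config default in this patch sets `krb_append_realm = 1`) nor what turning it off costs: once the realm is dropped, `$REMOTE_USER` no longer distinguishes `alice@REALM.A` from `alice@REALM.B`, so `Require user` rules and anything downstream keyed on the user name see a single identity. Suggest `"Append the realm name when setting $REMOTE_USER (default on). Turning this off makes principals from different realms indistinguishable to authorization rules."`. The command table continues outside the hunk.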
@@ -343,6 +347,7 @@ static void *kerb_dir_create_config(MK_P
 	((kerb_auth_config *)rec)->krb_service_name = NULL;
 	((kerb_auth_config *)rec)->krb_authoritative = 1;
 	((kerb_auth_config *)rec)->krb_delegate_basic = 0;
+	((kerb_auth_config *)rec)->krb_append_realm = 1;
 #if 0
 	((kerb_auth_config *)rec)->krb_ssl_preauthentication = 0;
 #endif
@@ -561,7 +566,8 @@ authenticate_user_krb4pwd(request_rec *r
    user = apr_pstrdup(r->pool, sent_name);
    if (sent_instance)
       user = apr_pstrcat(r->pool, user, ".", sent_instance, NULL);
-   user = apr_pstrcat(r->pool, user, "@", realm, NULL);
+   if (conf->krb_append_realm)
+      user = apr_pstrcat(r->pool, user, "@", realm, NULL);
 
    MK_USER = user;
    MK_AUTH_TYPE = "Basic";
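Review bot: With `krb_append_realm` off, `user` here is just `name` or `name.instance` and carries no record of which realm authenticated it, so if the module is configured to accept more than one realm (presumably the KrbAuthRealms list; `realm` is bound outside this hunk) the same name from two realms maps to one `$REMOTE_USER`. Either the option should be refused or warned about when more than one realm is configured, or a comment at the `if (conf->krb_append_realm)` line should record that realm context is intentionally lost, e.g. `/* KrbAppendRealm off: $REMOTE_USER is realm-less; only safe with a single accepted realm */`. authenticate_user_krb4pwd continues outside the hunk.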
@@ -1102,6 +1108,9 @@ authenticate_user_krb5pwd(request_rec *r
    MK_AUTH_TYPE = "Basic";
    free(name);
 
+   if (!conf->krb_append_realm && (name = strchr(MK_USER, '@')))
+      *name = '\0';
+
    if (conf->krb_save_credentials)
       store_krb5_creds(kcontext, r, conf, ccache);
 
@@ -1643,6 +1652,7 @@ authenticate_user_gss(request_rec *r, ke
   gss_ctx_id_t context = GSS_C_NO_CONTEXT;
   gss_cred_id_t server_creds = GSS_C_NO_CREDENTIAL;
   OM_uint32 ret_flags = 0;
+  char *name = NULL;
 
   *negotiate_ret_value = "\0";
 
@@ -1775,6 +1785,9 @@ authenticate_user_gss(request_rec *r, ke
   MK_AUTH_TYPE = MECH_NEGOTIATE;
   MK_USER = apr_pstrdup(r->pool, output_token.value);
 
+  if (!conf->krb_append_realm && (name = strchr(MK_USER, '@')))
+    *name = '\0';
+
   if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL)
      store_gss_creds(r, conf, (char *)output_token.value, delegated_cred);
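Review bot: Stripping the realm here makes the Negotiate path's `$REMOTE_USER` depend only on the principal's local part, so with cross-realm trust a client that authenticates as `alice@OTHER.REALM` is exported as `alice` and satisfies any `Require user alice` or downstream lookup intended for `alice@MY.REALM`; nothing in this hunk checks the realm before discarding it. When `KrbAppendRealm` is off, the realm should be compared against the realms the module is configured to accept (presumably the existing KrbAuthRealms list, not visible in this hunk) before the '@' is cut, or the option must be documented as safe only for single-realm deployments. The same first-'@' problem as the password path applies: `strchr` truncates early on a component containing an escaped `\@`, so `strrchr` is the closer match for the separator. `name` is declared at the top of the function in an earlier hunk; `char *at = strrchr(MK_USER, '@');` at the point of use would keep its scope tight. authenticate_user_gss continues past this hunk.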