3 changes: 3 additions & 0 deletions README
Expand Up @@ -182,6 +182,9 @@ This options requires GssapiDelegCcacheDir to be set. The ccache will be
populated with the user's provided ticket which is later used as evidence
ticket by the application.

**Note:** This flag has no effect when Basic-Auth is used since user's
credentials are delegated anyway when GssapiDelegCcacheDir is set.

#### Example
GssapiUseS4U2Proxy On
GssapiCredStore keytab:/etc/httpd.keytab
22 changes: 4 additions & 18 deletions src/mod_auth_gssapi.c
Expand Up @@ -362,7 +362,6 @@ static bool mag_auth_basic(request_rec *req,
struct mag_config *cfg,
gss_buffer_desc ba_user,
gss_buffer_desc ba_pwd,
gss_cred_usage_t cred_usage,
gss_name_t *client,
gss_OID *mech_type,
gss_cred_id_t *delegated_cred,
Expand All @@ -380,7 +379,6 @@ static bool mag_auth_basic(request_rec *req,
gss_name_t server = GSS_C_NO_NAME;
gss_cred_id_t server_cred = GSS_C_NO_CREDENTIAL;
gss_ctx_id_t server_ctx = GSS_C_NO_CONTEXT;
gss_cred_id_t acquired_cred = GSS_C_NO_CREDENTIAL;
gss_buffer_desc input = GSS_C_EMPTY_BUFFER;
gss_buffer_desc output = GSS_C_EMPTY_BUFFER;
gss_OID_set allowed_mechs;
Expand Down Expand Up @@ -494,20 +492,10 @@ static bool mag_auth_basic(request_rec *req,

/* must acquire creds based on the actual mechs we want to try */
if (!mag_acquire_creds(req, cfg, actual_mechs,
cred_usage, &acquired_cred, NULL)) {
GSS_C_ACCEPT, &server_cred, NULL)) {
goto done;
}

if (cred_usage == GSS_C_BOTH) {
/* must acquire with GSS_C_ACCEPT to get the server name */
if (!mag_acquire_creds(req, cfg, actual_mechs,
GSS_C_ACCEPT, &server_cred, NULL)) {
goto done;
}
} else {
server_cred = acquired_cred;
}

#ifdef HAVE_CRED_STORE
if (cfg->deleg_ccache_dir) {
/* delegate ourselves credentials so we store them as requested */
Expand Down Expand Up @@ -545,7 +533,7 @@ static bool mag_auth_basic(request_rec *req,
break;
}
gss_release_buffer(&min, &output);
maj = gss_accept_sec_context(&min, &server_ctx, acquired_cred,
maj = gss_accept_sec_context(&min, &server_ctx, server_cred,
&input, GSS_C_NO_CHANNEL_BINDINGS,
client, mech_type, &output, NULL,
vtime, delegated_cred);
Expand All @@ -568,10 +556,8 @@ static bool mag_auth_basic(request_rec *req,
gss_release_buffer(&min, &output);
gss_release_buffer(&min, &input);
gss_release_name(&min, &server);
if (server_cred != acquired_cred)
gss_release_cred(&min, &server_cred);
gss_delete_sec_context(&min, &server_ctx, GSS_C_NO_BUFFER);
gss_release_cred(&min, &acquired_cred);
gss_release_cred(&min, &server_cred);
gss_release_name(&min, &user);
gss_release_cred(&min, &user_cred);
gss_delete_sec_context(&min, &user_ctx, GSS_C_NO_BUFFER);
Expand Down Expand Up @@ -845,7 +831,7 @@ static int mag_auth(request_rec *req)

if (auth_type == AUTH_TYPE_BASIC) {
if (mag_auth_basic(req, cfg, ba_user, ba_pwd,
cred_usage, &client, &mech_type,
&client, &mech_type,
&delegated_cred, &vtime)) {
goto complete;
}
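Review bot: The mag_acquire_creds call in the third hunk now hard-codes GSS_C_ACCEPT under the unchanged comment `/* must acquire creds based on the actual mechs we want to try */`, so a reader of mag_auth_basic can no longer see why the GSS_C_BOTH path (the one S4U2Proxy relies on in the other auth paths) was dropped; that reasoning now lives only in the README hunk. I would add above the call: `/* Basic auth always accepts with a plain acceptor cred: the user's own creds are delegated when deleg_ccache_dir is set, so S4U2Proxy (GSS_C_BOTH) is never needed here. */`. In the last hunk, the call in mag_auth no longer passes `cred_usage`; if that local was computed only for this call it is presumably now unused and worth removing so -Wunused stays clean, but its definition is outside the hunk. The bodies of mag_auth_basic and mag_auth both start and end outside the visible hunks.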