Date: Wed, 5 Oct 2005 21:30:34 -0400 (EDT) From: Brian Fundakowski Feldman <green@FreeBSD.org> To: FreeBSD-gnats-submit@FreeBSD.org Subject: ports/86963: mod_auth_kerb defaults to installing MIT Kerberos and won't work with Heimdal Message-ID: <200510060130.j961UYRI024764@green.homeunix.org> Resent-Message-ID: <200510060140.j961eIZR077293@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 86963
>Category: ports
>Synopsis: mod_auth_kerb defaults to installing MIT Kerberos and won't work with Heimdal
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Thu Oct 06 01:40:18 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Brian Fundakowski Feldman
>Release: FreeBSD 6.0-BETA4 i386
>Organization:
FreeBSD
>Environment:
System: FreeBSD green.homeunix.org 6.0-BETA4 FreeBSD 6.0-BETA4 #0: Fri Sep 9 07:16:21 EDT 2005 green@green.homeunix.org:/usr/obj/usr/src/sys/GREEN i386
>Description:
The port defaults to installing into ${LOCALBASE} MIT Kerberos
in spite of presence of Heimdal in the base system. In spite
of this, however, Heimdal support does not work.
>How-To-Repeat:
make KRB5_HOME=/usr install, then attempt SPNEGO authentication
(not krb5 password gatewaying, which the pam_krb5 module could
do perfectly well anyway) with a keytab not /etc/krb5.keytab
(specified by Krb5Keytab in the httpd.conf). The directive
appears to be ignored, as an error referring to
"FILE:/etc/krb5.keytab" is returned upon attempting the
authentication using Mozilla.
>Fix:
Heimdal has an existing API for performing the function that
this plugin is attempting (that is, changing the location
of the keytab to allow for least privilege for the service).
Using it thusly makes things work for me:
--- src/mod_auth_kerb.c.orig Tue Aug 10 08:01:01 2004
+++ src/mod_auth_kerb.c Wed Oct 5 20:25:38 2005
@@ -1108,6 +1108,7 @@
spnego_oid.elements = (void *)"\x2b\x06\x01\x05\x05\x02";
if (conf->krb_5_keytab) {
+#ifndef HEIMDAL
char *ktname;
/* we don't use the ap_* calls here, since the string passed to putenv()
* will become part of the enviroment and shouldn't be free()ed by apache
@@ -1120,6 +1121,14 @@
}
sprintf(ktname, "KRB5_KTNAME=%s", conf->krb_5_keytab);
putenv(ktname);
+#else
+ ret = gsskrb5_register_acceptor_identity(conf->krb_5_keytab);
+ if (ret) {
+ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "Setting KerberosV keytab failed: %s", strerror(errno));
+ ret = HTTP_INTERNAL_SERVER_ERROR;
+ goto end;
+ }
+#endif
}
ret = get_gss_creds(r, conf, &server_creds);
I plan to send this PR over to the mod_auth_kerb guys in order to
get it into the standard distribution.
A smaller issue is the inaccurate description in the port.
It makes no mention of SPNEGO ("HTTP Negotiate"/GSSAPI/Kerberos 5
authentication), and refers to a www/<host>@<REALM> principal
whereas the canonical principal, and the default, is actually
HTTP/<host>@<REALM>. I could attempt a rewrite of this...
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200510060130.j961UYRI024764>