diff -up --recursive mod_auth_kerb-5.4.orig/README mod_auth_kerb-5.4/README --- mod_auth_kerb-5.4.orig/README 2008-11-26 11:51:05.000000000 -0500 +++ mod_auth_kerb-5.4/README 2012-01-04 11:17:22.000000000 -0500 @@ -122,4 +122,16 @@ KrbSaveCredentials, the tickets will be credential cache that will be available for the request handler. The ticket file will be removed after request is handled. +Constrained Delegation +---------------------- +S4U2Proxy, or constrained delegation, enables a service to use a client's +ticket to itself to request another ticket for delegation. The KDC +checks krbAllowedToDelegateTo to decide if it will issue a new ticket. +If KrbConstrainedDelegation is enabled the server will use its own credentials +to retrieve a delegated ticket for the user. For this to work the user must +have a forwardable ticket (though the delegation flag need not be set). +The server needs a valid credentials cache for this to work. + +The module itself will obtain and manage the necessary credentials. + $Id: README,v 1.12 2008/09/17 14:01:55 baalberith Exp $ diff -up --recursive mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c mod_auth_kerb-5.4/src/mod_auth_kerb.c --- mod_auth_kerb-5.4.orig/src/mod_auth_kerb.c 2011-12-09 17:55:05.000000000 -0500 +++ mod_auth_kerb-5.4/src/mod_auth_kerb.c 2012-03-01 14:19:40.000000000 -0500 @@ -42,6 +42,31 @@ * POSSIBILITY OF SUCH DAMAGE. */ +/* + * Locking mechanism inspired by mod_rewrite. + * + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/* + * S4U2Proxy code + * + * Copyright (C) 2012 Red Hat + */ + #ident "$Id: mod_auth_kerb.c,v 1.150 2008/12/04 10:14:03 baalberith Exp $" #include "config.h" @@ -49,6 +74,7 @@ #include #include #include +#include #define MODAUTHKERB_VERSION "5.4" @@ -131,6 +157,12 @@ module AP_MODULE_DECLARE_DATA auth_kerb_ module auth_kerb_module; #endif +#ifdef STANDARD20_MODULE_STUFF +/* s4u2proxy only supported in 2.0+ */ +static const char *lockname; +static apr_global_mutex_t *s4u2proxy_lock = NULL; +#endif + /*************************************************************************** Macros To Ease Compatibility ***************************************************************************/ @@ -165,6 +197,7 @@ typedef struct { int krb_method_gssapi; int krb_method_k5pass; int krb5_do_auth_to_local; + int krb5_s4u2proxy; #endif #ifdef KRB4 char *krb_4_srvtab; @@ -185,6 +218,11 @@ set_kerb_auth_headers(request_rec *r, co static const char* krb5_save_realms(cmd_parms *cmd, void *sec, const char *arg); +static const char * +cmd_delegationlock(cmd_parms *cmd, void *dconf, const char *a1); + +static int +obtain_server_credentials(request_rec *r, const char *service_name); #ifdef STANDARD20_MODULE_STUFF #define command(name, func, var, type, usage) \ @@ -237,6 +275,12 @@ static const command_rec kerb_auth_cmds[ command("KrbLocalUserMapping", ap_set_flag_slot, krb5_do_auth_to_local, FLAG, "Set to 'on' to have Kerberos do auth_to_local mapping of principal names to system user names."), + + command("KrbConstrainedDelegation", ap_set_flag_slot, krb5_s4u2proxy, + FLAG, "Set to 'on' to have Kerberos use S4U2Proxy delegation."), + + AP_INIT_TAKE1("KrbConstrainedDelegationLock", cmd_delegationlock, NULL, + RSRC_CONF, "the filename of a lockfile used for inter-process synchronization"), #endif #ifdef KRB4 @@ -302,6 +346,7 @@ static void *kerb_dir_create_config(MK_P #endif #ifdef KRB5 ((kerb_auth_config *)rec)->krb5_do_auth_to_local = 0; + ((kerb_auth_config *)rec)->krb5_s4u2proxy = 0; ((kerb_auth_config *)rec)->krb_method_k5pass = 1; ((kerb_auth_config *)rec)->krb_method_gssapi = 1; #endif @@ -319,6 +364,24 @@ krb5_save_realms(cmd_parms *cmd, void *v return NULL; } +static const char * +cmd_delegationlock(cmd_parms *cmd, void *dconf, const char *a1) +{ + const char *error; + + if ((error = ap_check_cmd_context(cmd, GLOBAL_ONLY)) != NULL) + return error; + + /* fixup the path, especially for s4u2proxylock_remove() */ + lockname = ap_server_root_relative(cmd->pool, a1); + + if (!lockname) { + return apr_pstrcat(cmd->pool, "Invalid KrbConstrainedDelegationLock path ", a1, NULL); + } + + return NULL; +} + static void log_rerror(const char *file, int line, int level, int status, const request_rec *r, const char *fmt, ...) @@ -1170,6 +1233,7 @@ get_gss_creds(request_rec *r, gss_buffer_desc token = GSS_C_EMPTY_BUFFER; OM_uint32 major_status, minor_status, minor_status2; gss_name_t server_name = GSS_C_NO_NAME; + gss_cred_usage_t usage = GSS_C_ACCEPT; char buf[1024]; int have_server_princ; @@ -1212,10 +1276,14 @@ get_gss_creds(request_rec *r, log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Acquiring creds for %s", token.value); + if (conf->krb5_s4u2proxy) { + usage = GSS_C_BOTH; + obtain_server_credentials(r, conf->krb_service_name); + } gss_release_buffer(&minor_status, &token); major_status = gss_acquire_cred(&minor_status, server_name, GSS_C_INDEFINITE, - GSS_C_NO_OID_SET, GSS_C_ACCEPT, + GSS_C_NO_OID_SET, usage, server_creds, NULL, NULL); gss_release_name(&minor_status2, &server_name); if (GSS_ERROR(major_status)) { @@ -1257,6 +1325,293 @@ cmp_gss_type(gss_buffer_t token, gss_OID } #endif +/* Renew the ticket if it will expire in under a minute */ +#define RENEWAL_TIME 60 + +/* + * Services4U2Proxy lets a server prinicipal request another service + * principal on behalf of a user. To do this the Apache service needs + * to have its own ccache. This will ensure that the ccache has a valid + * principal and will initialize or renew new credentials when needed. + */ + +static int +verify_server_credentials(request_rec *r, + krb5_context kcontext, + krb5_ccache ccache, + krb5_principal princ, + int *renew +) +{ + krb5_creds match_cred; + krb5_creds creds; + char * princ_name = NULL; + char *tgs_princ_name = NULL; + krb5_timestamp now; + krb5_error_code kerr = 0; + + *renew = 0; + + memset (&match_cred, 0, sizeof(match_cred)); + memset (&creds, 0, sizeof(creds)); + + if (NULL == ccache || NULL == princ) { + /* Nothing to verify */ + *renew = 1; + goto cleanup; + } + + if ((kerr = krb5_unparse_name(kcontext, princ, &princ_name))) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Could not unparse principal %s (%d)", + error_message(kerr), kerr); + goto cleanup; + } + + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "Using principal %s for s4u2proxy", princ_name); + + tgs_princ_name = apr_psprintf(r->pool, "%s/%.*s@%.*s", KRB5_TGS_NAME, + krb5_princ_realm(kcontext, princ)->length, + krb5_princ_realm(kcontext, princ)->data, + krb5_princ_realm(kcontext, princ)->length, + krb5_princ_realm(kcontext, princ)->data); + + if ((kerr = krb5_parse_name(kcontext, tgs_princ_name, &match_cred.server))) + { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Could not parse principal %s: %s (%d)", + tgs_princ_name, error_message(kerr), kerr); + goto cleanup; + } + + match_cred.client = princ; + + if ((kerr = krb5_cc_retrieve_cred(kcontext, ccache, 0, &match_cred, &creds))) + { + krb5_unparse_name(kcontext, princ, &princ_name); + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "Could not unparse principal %s: %s (%d)", + princ_name, error_message(kerr), kerr); + goto cleanup; + } + + if ((kerr = krb5_timeofday(kcontext, &now))) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Could not get current time: %d (%s)", + kerr, error_message(kerr)); + goto cleanup; + } + + if (now > (creds.times.endtime + RENEWAL_TIME)) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Credentials for %s have expired or will soon " + "expire - now %d endtime %d", + princ_name, now, creds.times.endtime); + *renew = 1; + } else { + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "Credentials for %s will expire at " + "%d, it is now %d", princ_name, creds.times.endtime, now); + } + +cleanup: + /* Closing context, ccache, etc happens elsewhere */ + if (match_cred.server) { + krb5_free_principal(kcontext, match_cred.server); + } + if (creds.client) { + krb5_free_cred_contents(kcontext, &creds); + } + + return kerr; +} + +static int +obtain_server_credentials(request_rec *r, + const char *service_name) +{ + krb5_context kcontext = NULL; + krb5_keytab keytab = NULL; + krb5_ccache ccache = NULL; + char * princ_name = NULL; + char *tgs_princ_name = NULL; + krb5_error_code kerr = 0; + krb5_principal princ = NULL; + krb5_creds creds; + krb5_get_init_creds_opt gicopts; + int renew = 0; + apr_status_t rv = 0; + + memset(&creds, 0, sizeof(creds)); + + if ((kerr = krb5_init_context(&kcontext))) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Kerberos context initialization failed: %s (%d)", error_message(kerr), kerr); + goto done; + } + + if ((kerr = krb5_cc_default(kcontext, &ccache))) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Could not get default Kerberos ccache: %s (%d)", + error_message(kerr), kerr); + goto done; + } + + if ((kerr = krb5_cc_get_principal(kcontext, ccache, &princ))) { + char * name = NULL; + + if ((asprintf(&name, "%s:%s", krb5_cc_get_type(kcontext, ccache), + krb5_cc_get_name(kcontext, ccache))) == -1) { + kerr = KRB5_CC_NOMEM; + goto done; + } + + if (KRB5_FCC_NOFILE == kerr) { + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "Credentials cache %s not found, create one", name); + krb5_cc_close(kcontext, ccache); + ccache = NULL; + free(name); + } else { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Failure to open credentials cache %s: %s (%d)", + name, error_message(kerr), kerr); + free(name); + goto done; + } + } + + kerr = verify_server_credentials(r, kcontext, ccache, princ, &renew); + + if (kerr || !renew) { + goto done; + } + +#ifdef STANDARD20_MODULE_STUFF + if (s4u2proxy_lock) { + rv = apr_global_mutex_lock(s4u2proxy_lock); + if (rv != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, + "apr_global_mutex_lock(s4u2proxy_lock) " + "failed"); + } + } +#endif + + /* We have the lock, check again to be sure another process hasn't already + * renewed the ticket. + */ + kerr = verify_server_credentials(r, kcontext, ccache, princ, &renew); + if (kerr || !renew) { + goto unlock; + } + + if (NULL == princ) { + princ_name = apr_psprintf(r->pool, "%s/%s", + (service_name) ? service_name : SERVICE_NAME, + ap_get_server_name(r)); + + if ((kerr = krb5_parse_name(kcontext, princ_name, &princ))) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Could not parse principal %s: %s (%d) ", + princ_name, error_message(kerr), kerr); + goto unlock; + } + } else if (NULL == princ_name) { + if ((kerr = krb5_unparse_name(kcontext, princ, &princ_name))) { + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "Could not unparse principal %s: %s (%d)", + princ_name, error_message(kerr), kerr); + goto unlock; + } + } + + if ((kerr = krb5_kt_default(kcontext, &keytab))) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Unable to get default keytab: %s (%d)", + error_message(kerr), kerr); + goto unlock; + } + + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "Obtaining new credentials for %s", princ_name); + krb5_get_init_creds_opt_init(&gicopts); + krb5_get_init_creds_opt_set_forwardable(&gicopts, 1); + + tgs_princ_name = apr_psprintf(r->pool, "%s/%.*s@%.*s", KRB5_TGS_NAME, + krb5_princ_realm(kcontext, princ)->length, + krb5_princ_realm(kcontext, princ)->data, + krb5_princ_realm(kcontext, princ)->length, + krb5_princ_realm(kcontext, princ)->data); + + if ((kerr = krb5_get_init_creds_keytab(kcontext, &creds, princ, keytab, + 0, tgs_princ_name, &gicopts))) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Failed to obtain credentials for principal %s: " + "%s (%d)", princ_name, error_message(kerr), kerr); + goto unlock; + } + + krb5_kt_close(kcontext, keytab); + keytab = NULL; + + if (NULL == ccache) { + if ((kerr = krb5_cc_default(kcontext, &ccache))) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Failed to open default ccache: %s (%d)", + error_message(kerr), kerr); + goto unlock; + } + } + + if ((kerr = krb5_cc_initialize(kcontext, ccache, princ))) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Failed to initialize ccache for %s: %s (%d)", + princ_name, error_message(kerr), kerr); + goto unlock; + } + + if ((kerr = krb5_cc_store_cred(kcontext, ccache, &creds))) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Failed to store %s in ccache: %s (%d)", + princ_name, error_message(kerr), kerr); + goto unlock; + } + +unlock: +#ifdef STANDARD20_MODULE_STUFF + if (s4u2proxy_lock) { + apr_global_mutex_unlock(s4u2proxy_lock); + if (rv != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, + "apr_global_mutex_unlock(s4u2proxy_lock) " + "failed"); + } + } +#endif + +done: + if (0 == kerr) + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "Done obtaining credentials for s4u2proxy"); + else + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "Failed to obtain credentials for s4u2proxy"); + + if (creds.client) { + krb5_free_cred_contents(kcontext, &creds); + } + if (ccache) { + krb5_cc_close(kcontext, ccache); + } + if (kcontext) { + krb5_free_context(kcontext); + } + + return kerr; +} + static int authenticate_user_gss(request_rec *r, kerb_auth_config *conf, const char *auth_line, char **negotiate_ret_value) @@ -1697,10 +2052,60 @@ have_rcache_type(const char *type) /*************************************************************************** Module Setup/Configuration ***************************************************************************/ +#ifdef STANDARD20_MODULE_STUFF +static apr_status_t +s4u2proxylock_create(server_rec *s, apr_pool_t *p) +{ + apr_status_t rc; + + /* only operate if a lockfile is used */ + if (lockname == NULL || *(lockname) == '\0') { + return APR_SUCCESS; + } + + /* create the lockfile */ + rc = apr_global_mutex_create(&s4u2proxy_lock, lockname, + APR_LOCK_DEFAULT, p); + if (rc != APR_SUCCESS) { + ap_log_error(APLOG_MARK, APLOG_CRIT, rc, s, + "Parent could not create lock file %s", lockname); + return rc; + } + +#ifdef AP_NEED_SET_MUTEX_PERMS + rc = unixd_set_global_mutex_perms(s4u2proxy_lock); + if (rc != APR_SUCCESS) { + ap_log_error(APLOG_MARK, APLOG_CRIT, rc, s, + "mod_auth_kerb: Parent could not set permissions " + "on lock; check User and Group directives"); + return rc; + } +#endif + + return APR_SUCCESS; +} + +static apr_status_t +s4u2proxylock_remove(void *unused) +{ + /* only operate if a lockfile is used */ + if (lockname == NULL || *(lockname) == '\0') { + return APR_SUCCESS; + } + + /* destroy the rewritelock */ + apr_global_mutex_destroy(s4u2proxy_lock); + s4u2proxy_lock = NULL; + lockname = NULL; + return APR_SUCCESS; +} +#endif + #ifndef STANDARD20_MODULE_STUFF static void kerb_module_init(server_rec *dummy, pool *p) { + apr_status_t status; #ifndef HEIMDAL /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later. 1.3.x are covered by the hack overiding the replay calls */ @@ -1741,6 +2146,7 @@ static int kerb_init_handler(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s) { + apr_status_t rv; ap_add_version_component(p, "mod_auth_kerb/" MODAUTHKERB_VERSION); #ifndef HEIMDAL /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later. @@ -1748,14 +2154,41 @@ kerb_init_handler(apr_pool_t *p, apr_poo if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none")) putenv(strdup("KRB5RCACHETYPE=none")); #endif +#ifdef STANDARD20_MODULE_STUFF + rv = s4u2proxylock_create(s, p); + if (rv != APR_SUCCESS) { + return HTTP_INTERNAL_SERVER_ERROR; + } + + apr_pool_cleanup_register(p, (void *)s, s4u2proxylock_remove, + apr_pool_cleanup_null); +#endif return OK; } static void +initialize_child(apr_pool_t *p, server_rec *s) +{ + apr_status_t rv = 0; + +#ifdef STANDARD20_MODULE_STUFF + if (lockname != NULL && *(lockname) != '\0') { + rv = apr_global_mutex_child_init(&s4u2proxy_lock, lockname, p); + if (rv != APR_SUCCESS) { + ap_log_error(APLOG_MARK, APLOG_CRIT, rv, s, + "mod_auth_kerb: could not init s4u2proxy_lock" + " in child"); + } + } +#endif +} + +static void kerb_register_hooks(apr_pool_t *p) { ap_hook_post_config(kerb_init_handler, NULL, NULL, APR_HOOK_MIDDLE); + ap_hook_child_init(initialize_child, NULL, NULL, APR_HOOK_MIDDLE); ap_hook_check_user_id(kerb_authenticate_user, NULL, NULL, APR_HOOK_MIDDLE); }