Jonathan C Williams | 1 May 2006 22:42

Use modauthkerb as AuthBasicProvider

Hi,

I have a directory tree that I am protecting using modauthkerb  
currently. However, it has become a necessity to allow users outside  
our kerberos realm to authenticate to view this content. Is there a  
way to put krb in the AuthBasicProvider list so that multiple sources  
can be used for HTTP authentication?

--
Jonathan C. Williams
Web Programmer
Steinhardt School of Education
jonathan.williams <at> nyu.edu :: 212-998-5308

-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Neil Hillard | 5 May 2006 12:12

Re: cannot compile mod_auth_kerb-5.0rc7 on suse 10.0

Hunter McGhoo <hunter <at> huntermcghoo.dyndns.org> writes:

> "./configure --with-krb4=no" :
> 
> /usr/share/apache2/build/libtool --silent --mode=compile gcc -prefer-pic -O2 -march=i586
> -mtune=i686 -fmessage-length=0 -Wall -D_FORTIFY_SOURCE=2 -g -fPIC -Wall -fno-strict-aliasing
> -D_LARGEFILE_SOURCE -DAP_HAVE_DESIGNATED_INITIALIZER -DLINUX=2 -D_REENTRANT
> -D_XOPEN_SOURCE=500 -D_BSD_SOURCE -D_SVID_SOURCE -D_GNU_SOURCE -DAP_DEBUG -Wmissing-prototypes
> -Wstrict-prototypes -Wmissing-declarations -pthread -I/usr/include/apache2
> -I/usr/include/apache2   -I/usr/include/apache2  -I. -Ispnegokrb5 -I/usr/include  -c -o
> spnegokrb5/asn1_MechType.lo spnegokrb5/asn1_MechType.c && touch spnegokrb5/asn1_MechType.slo
> In file included from spnegokrb5/asn1_MechType.c:9:
> spnegokrb5/spnego_asn1.h:102: error: array type has incomplete element type
> apxs:Error: Command failed with rc=65536
> .
> make: *** [src/mod_auth_kerb.so] Error 1
> 
> I am lost :( , any hints on how to get it compiled ?

I have the same problem under FC4 and FC5!  I'd like to get it compiled so I can 
use Apache instead of IIS!

Shouldn't '--with-krb4=no' really be '--without-krb4'?

Neil.

Clarence Donath | 5 May 2006 14:51

Re: Re: cannot compile mod_auth_kerb-5.0rc7 on suse 10.0

On Friday 05 May 2006 06:12, Neil Hillard wrote:
> Hunter McGhoo <hunter <at> huntermcghoo.dyndns.org> writes:
> > "./configure --with-krb4=no" :
> >
> > /usr/share/apache2/build/libtool --silent --mode=compile gcc -prefer-pic -O2 -march=i586
> > -mtune=i686 -fmessage-length=0 -Wall -D_FORTIFY_SOURCE=2 -g -fPIC -Wall -fno-strict-aliasing
> > -D_LARGEFILE_SOURCE -DAP_HAVE_DESIGNATED_INITIALIZER -DLINUX=2 -D_REENTRANT
> > -D_XOPEN_SOURCE=500 -D_BSD_SOURCE -D_SVID_SOURCE -D_GNU_SOURCE -DAP_DEBUG -Wmissing-prototypes
> > -Wstrict-prototypes -Wmissing-declarations -pthread -I/usr/include/apache2
> > -I/usr/include/apache2   -I/usr/include/apache2  -I. -Ispnegokrb5 -I/usr/include  -c -o
> > spnegokrb5/asn1_MechType.lo spnegokrb5/asn1_MechType.c && touch spnegokrb5/asn1_MechType.slo

pele_smk | 5 May 2006 22:11

mod_auth_krb Require group staff

I'm trying to limit a directory to a specific group. I have the AuthFile /file location set and I have require group staff labeled. My problem comes when trying to find the syntax for the group file. Since it's not an apache group how is it done? Currently I have in my AuthFile:

staff: employees

staff is the Require group label and employees is the group from mod_auth_kerb. Any help would be kickass

Clarence Donath | 5 May 2006 23:26

Re: mod_auth_krb Require group staff

On Friday 05 May 2006 16:11, pele_smk wrote:
> I'm trying to limit a directory to a specific group. I have the AuthFile
> /file location set and I have require group staff labeled. My problem comes
> when trying to find the syntax for the group file. Since it's not an apache
> group how is it done? Currently I have in my AuthFile:
>
> staff: employees
>
> staff is the Require group label and employees is the group from
> mod_auth_kerb. Any help would be kickass

You use...

staff: user1 <at> DOMAIN.COM user2 <at> DOMAIN.COM ...etc

-- 
Clarence

If you don't care where you are, then you ain't lost.

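The reason the poster's `staff: employees` line does nothing is that an Apache group file is a flat list of user names, compared verbatim against REMOTE_USER, and mod_auth_kerb puts the full principal (`user1@DOMAIN.COM`) into REMOTE_USER. The script below is an added example written for this page, not code from Apache or mod_auth_kerb: it re-implements the `group: member member ...` file format so the matching rule can be checked offline. The sample group file inside it is constructed; `DOMAIN.COM` and `OTHER.REALM` are placeholder realms. If the module is configured to strip the realm from REMOTE_USER, the group-file entries must match that shorter form instead.

```python
"""Added example: exact-match semantics of the Apache group file used with
'Require group' under mod_auth_kerb (illustration, not Apache's own code)."""
from typing import Dict, Iterable, Set

# Constructed sample group file. 'webteam' is written the way the original
# poster tried ('group: employees'); 'staff' is the form Clarence recommends.
GROUP_FILE_TEXT = """\
# AuthGroupFile consumed by 'Require group <name>'
webteam: employees
staff: user1@DOMAIN.COM user2@DOMAIN.COM
partners: visitor@OTHER.REALM
"""


def parse_group_file(text: str) -> Dict[str, Set[str]]:
    """Parse 'group: member member ...' lines into {group: {members}}.

    Blank lines and lines starting with '#' are skipped, as Apache's
    group-file reader does; members are whitespace-separated strings and
    nothing is interpreted as a nested group name.
    """
    groups: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, members = line.partition(":")
        if not sep:
            continue  # not a 'group: ...' line
        groups.setdefault(name.strip(), set()).update(members.split())
    return groups


def is_member(groups: Dict[str, Set[str]], remote_user: str, group: str) -> bool:
    """True iff REMOTE_USER appears verbatim in the group's member list.

    Matching is a plain string comparison: with mod_auth_kerb REMOTE_USER is
    the authenticated principal, e.g. 'user1@DOMAIN.COM', so a bare 'user1'
    entry never matches it, and 'user1@OTHER.REALM' is a different user even
    though the short name is the same.
    """
    return remote_user in groups.get(group, set())


def require_group(groups: Dict[str, Set[str]], remote_user: str, group: str) -> str:
    """Outcome of 'Require group <group>' for an authenticated REMOTE_USER."""
    return "allow" if is_member(groups, remote_user, group) else "deny"


def group_line(group: str, users: Iterable[str], realm: str) -> str:
    """Build a group-file line from short names, qualifying each with @REALM
    so the entries match the principals mod_auth_kerb puts in REMOTE_USER.
    Names that already carry a realm are kept as written."""
    members = [u if "@" in u else f"{u}@{realm}" for u in users]
    return f"{group}: " + " ".join(members)


if __name__ == "__main__":
    g = parse_group_file(GROUP_FILE_TEXT)
    for who, grp in [("user1@DOMAIN.COM", "staff"), ("user1", "staff"),
                     ("user1@DOMAIN.COM", "webteam")]:
        print(f"{who:22} Require group {grp:8} -> {require_group(g, who, grp)}")
    print(group_line("staff", ["user1", "user2@DOMAIN.COM"], "DOMAIN.COM"))
```

Running it shows `user1@DOMAIN.COM` allowed into `staff`, the bare `user1` denied, and the `webteam: employees` line granting nobody access, because `employees` is treated as a user name rather than expanded as a group.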
Adam Megacz | 6 May 2006 00:30

mod_auth_kerb cross-realm SPNEGO?


Has anybody been able to get cross-realm authentication working via
SPNEGO ("negotiate")?

I removed the check for the " <at> " sign in the username from the
mod_auth_kerb code, and I can do cross-realm authentication now via
HTTP Basic (Krb5Passwd) by having the user type "username <at> REALM" as
the HTTP "user".

If I force SPNEGO by setting Negotiate to "yes" and Krb5Passwd to
"no", I can actually get cross-realm authentication to work using
Safari on Mac OS X (neat!).  Unfortunately it doesn't work with MSIE
or the latest Firefox.

Has anybody tried this?

Also, are there plans to disable the  <at> -sign check anytime soon?  I
don't believe it serves any useful purpose.

  - a

-- 
PGP/GPG: 5C9F F366 C9CF 2145 E770  B1B8 EFB1 462D A146 C380

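Whether the "@" check in the Basic-auth path serves a purpose depends on what replaces it: removing it outright lets the client name any realm, which means the client decides which KDC the server's password check is directed at. The function below is an added example written for this page, not mod_auth_kerb's code, showing the middle ground: an explicit `user@REALM` is honoured only when that realm is one of the administrator's configured realms. `KrbAuthRealms` is the module's real directive for the realm list; the assumption that the module tries a bare username against each configured realm in turn, and the policy of accepting only configured realms, are this example's own design. The realm names `EXAMPLE.COM`, `PARTNER.ORG` and `EVIL.TEST` are placeholders.

```python
"""Added example: mapping an HTTP Basic username to candidate Kerberos
principals for cross-realm logins (illustration, not mod_auth_kerb's code)."""
from typing import List, Sequence, Tuple


def resolve_basic_user(basic_user: str, auth_realms: Sequence[str],
                       allow_explicit_realm: bool = False) -> Tuple[str, List[str]]:
    """Map a Basic-auth username to ('try', [principals]) or ('reject', [reason]).

    - 'alice'           -> try alice@R for every configured realm R, in order
                           (assumption about how the realm list is used)
    - 'alice@REALM'     -> with allow_explicit_realm=False (the '@' check the
                           thread discusses) this is rejected outright; with
                           True it is accepted only if REALM is configured
    - 'alice@EVIL.TEST', 'a@b@c', '@REALM', 'alice@' -> rejected: the client
                           must never steer the password check at a KDC of
                           its own choosing
    Realm names are compared exactly, since Kerberos realms are case-sensitive.
    """
    if not auth_realms:
        return "reject", ["no-realms-configured"]
    user, at, realm = basic_user.partition("@")
    if not user or "@" in realm or (at and not realm):
        return "reject", ["malformed-username"]
    if not at:
        return "try", [f"{user}@{r}" for r in auth_realms]
    if not allow_explicit_realm:
        return "reject", ["explicit-realm-not-permitted"]
    if realm not in auth_realms:
        return "reject", ["realm-not-in-KrbAuthRealms"]
    return "try", [f"{user}@{realm}"]


if __name__ == "__main__":
    realms = ["EXAMPLE.COM", "PARTNER.ORG"]  # constructed KrbAuthRealms value
    for name in ["alice", "alice@PARTNER.ORG", "alice@EVIL.TEST", "@PARTNER.ORG"]:
        print(f"{name:18} -> {resolve_basic_user(name, realms, allow_explicit_realm=True)}")
```

With `allow_explicit_realm=True` a user from `PARTNER.ORG` can log in by typing `alice@PARTNER.ORG`, as in the post above, while `alice@EVIL.TEST` is refused before any KDC traffic happens; the same list that controls which realms are trusted for bare usernames also bounds the realms a client may name.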
Neil A. Hillard | 8 May 2006 16:27

Re: Re: cannot compile mod_auth_kerb-5.0rc7 on suse 10.0

Clarence,

Clarence Donath wrote:
> On Friday 05 May 2006 06:12, Neil Hillard wrote:
>> Hunter McGhoo <hunter <at> huntermcghoo.dyndns.org> writes:
>>> "./configure --with-krb4=no" :
>>>
>>> /usr/share/apache2/build/libtool --silent --mode=compile gcc -prefer-pic -O2 -march=i586
>>> -mtune=i686 -fmessage-length=0 -Wall -D_FORTIFY_SOURCE=2 -g -fPIC -Wall -fno-strict-aliasing
>>> -D_LARGEFILE_SOURCE -DAP_HAVE_DESIGNATED_INITIALIZER -DLINUX=2 -D_REENTRANT
>>> -D_XOPEN_SOURCE=500 -D_BSD_SOURCE -D_SVID_SOURCE -D_GNU_SOURCE -DAP_DEBUG -Wmissing-prototypes
>>> -Wstrict-prototypes -Wmissing-declarations -pthread -I/usr/include/apache2
>>> -I/usr/include/apache2   -I/usr/include/apache2  -I. -Ispnegokrb5 -I/usr/include  -c -o
>>> spnegokrb5/asn1_MechType.lo spnegokrb5/asn1_MechType.c && touch spnegokrb5/asn1_MechType.slo
>>> In file included from spnegokrb5/asn1_MechType.c:9:
>>> spnegokrb5/spnego_asn1.h:102: error: array type has incomplete element type
>>> apxs:Error: Command failed with rc=65536
>>> .
>>> make: *** [src/mod_auth_kerb.so] Error 1
>>>
>>> I am lost :( , any hints on how to get it compiled ?
>> I have the same problem under FC4 and FC5!  I'd like to get it compiled so
>> I can use Apache instead of IIS!
>>
>> Shouldn't '--with-krb4=no' really be '--without-krb4'?
>>
>>
>> Neil.
> 
> 
> See this thread 
> http://sourceforge.net/mailarchive/forum.php?thread_id=10212215&forum_id=9893 
> for the solution.
> 
> '--with-krb4=no' and '--without-krb4' are synonymous.

Many, many thanks for that - it worked a treat.  Is there any plan to
fix this in the source tarball?

I now have to get my head around Kerberos and attempt to get it to work
with two AD servers and a Novell eDirectory!

Thanks once again,

				Neil.

-- 
Neil Hillard                    hillardn <at> whl.co.uk
Westland Helicopters Ltd.       http://www.whl.co.uk/

Disclaimer: This message does not necessarily reflect the
            views of Westland Helicopters Ltd.

Clarence Donath | 8 May 2006 16:35

Re: Re: cannot compile mod_auth_kerb-5.0rc7 on suse 10.0

On Monday 08 May 2006 10:27, Neil A. Hillard wrote:
> Many, many thanks for that - it worked a treat.  Is there any plan to
> fix this in the source tarball?
>
> I now have to get my head around Kerberos and attempt to get it to work
> with two AD servers and a Novell eDirectory!

You're very welcome Neil.

I wouldn't know anything about updating the source, I'm not a member of the 
project team, and don't really have the time to be one yet.  The best I can 
do right now is offer suggestions when I can.

I found this page (http://www.grolmsnet.de/kerbtut/) to be everything I needed 
to get my head around Kerberos.

Right now I'm fighting a problem with Replays when I use IE to browse a 
directory... that is, there is no index.html in the directory.  Works fine 
with Firefox, errors out with IE with a Replay in the error log.

I'm trying to downgrade to Kerberos 1.2.8, as I speak, because I've read that 
this was before MIT put in the complex Replay detection code.

Regards,
Clarence

Michael Hocke | 11 May 2006 23:37

MIT Kerberos 1.4.x and replay cache troubles

Hi guys,

I have been trying to get my MIT Kerberos 1.4.3 to work with  
mod_auth_kerb-5.0rc7 for a couple of days now and I am still running  
into replay cache problems. I adjusted the mit-internals.h and  
mod_auth_kerb.c according to some other pointers found here to no avail.

I dug into the Kerberos docs and found some interesting tidbits about  
the replay cache. Did anybody ever try to just maintain a separate  
cache for every request and/or every httpd process? I am an absolute  
newbie when it comes to Kerberos programming but I was wondering if  
this could help to get rid of the ugly hacks and do it the "right"  
way. I am assuming that there is a right way of handling this  
problem :) Any ideas?

Thanks.

- Michael

Russ Allbery | 11 May 2006 23:39

Re: MIT Kerberos 1.4.x and replay cache troubles

Michael Hocke <michael.hocke <at> nyu.edu> writes:

> I have been trying to get my MIT Kerberos 1.4.3 to work with
> mod_auth_kerb-5.0rc7 for a couple of days now and I am still running
> into replay cache problems. I adjusted the mit-internals.h and
> mod_auth_kerb.c according to some other pointers found here to no avail.

You need this patch, which I believe has already been committed to CVS
with some modifications.

diff -urNad libapache-mod-auth-kerb~/src/mod_auth_kerb.c libapache-mod-auth-kerb/src/mod_auth_kerb.c
--- libapache-mod-auth-kerb~/src/mod_auth_kerb.c	2006-03-30 17:39:29.000000000 -0800
+++ libapache-mod-auth-kerb/src/mod_auth_kerb.c	2006-03-30 17:41:56.000000000 -0800
 <at>  <at>  -271,35 +271,6  <at>  <at> 
 }
 #endif

-#if defined(KRB5) && !defined(HEIMDAL)
-/* Needed to work around problems with replay caches */
-#include "mit-internals.h"
-
-/* This is our replacement krb5_rc_store function */
-static krb5_error_code KRB5_LIB_FUNCTION
-mod_auth_kerb_rc_store(krb5_context context, krb5_rcache rcache,
-                       krb5_donot_replay_internal *donot_replay)
-{
-   return 0;
-}
-
-/* And this is the operations vector for our replay cache */
-const krb5_rc_ops_internal mod_auth_kerb_rc_ops = {
-  0,
-  "dfl",
-  krb5_rc_dfl_init,
-  krb5_rc_dfl_recover,
-  krb5_rc_dfl_destroy,
-  krb5_rc_dfl_close,
-  mod_auth_kerb_rc_store,
-  krb5_rc_dfl_expunge,
-  krb5_rc_dfl_get_span,
-  krb5_rc_dfl_get_name,
-  krb5_rc_dfl_resolve
-};
-#endif
-
-
 /*************************************************************************** 
  Auth Configuration Initialization
  ***************************************************************************/
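Review bot: with `#include "mit-internals.h"` and the `mod_auth_kerb_rc_ops` vector deleted from this region, check that `mit-internals.h` itself is dropped from the tarball and Makefile.in and that nothing else in mod_auth_kerb.c still names `krb5_rc_dfl_*` or `krb5_donot_replay_internal`; those identifiers were only reachable through that private header, so a leftover use breaks the MIT build while the Heimdal build stays green. A ChangeLog line is also warranted: the removed `mod_auth_kerb_rc_store` returned 0 unconditionally, i.e. it was what silently switched replay detection off on MIT 1.3.x, and readers of the new code will not know that mechanism ever existed.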
 <at>  <at>  -1139,6 +1110,12  <at>  <at> 
    char buf[1024];
    int have_server_princ;

+#ifndef HEIMDAL
+   /* Suppress the MIT replay cache.  Requires MIT Kerberos 1.4.0 or later. */
+   if (getenv("KRB5RCACHETYPE") == NULL)
+      putenv("KRB5RCACHETYPE=none");
+#endif
+
    have_server_princ = conf->krb_service_name && strchr(conf->krb_service_name, '/') != NULL;
    if (have_server_princ)
       strncpy(buf, conf->krb_service_name, sizeof(buf));
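Review bot: `putenv("KRB5RCACHETYPE=none")` at the top of the credential-acquisition routine is a process-wide side effect: it disables replay detection for every libkrb5 consumer inside the httpd process, not just this module, and that is a security trade-off (an AP-REQ captured from one request stays accepted for the clock-skew window). The comment should say so, and the "Requires MIT Kerberos 1.4.0 or later" remark needs a configure-time check or a README entry, because on an older library the `none` type is not available and, with the ops-vector override removed further down, there is no fallback. Two smaller points: `putenv` stores the pointer rather than a copy, which is safe here only because the argument is a string literal with static storage; and the `getenv` guard lets an administrator export `KRB5RCACHETYPE=dfl` to get replay detection back, a useful knob worth documenting next to the directive list.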
 <at>  <at>  -1186,27 +1163,6  <at>  <at> 
       return HTTP_INTERNAL_SERVER_ERROR;
    }

-#ifndef HEIMDAL
-   /*
-    * With MIT Kerberos 5 1.3.x the gss_cred_id_t is the same as
-    * krb5_gss_cred_id_t and krb5_gss_cred_id_rec contains a pointer to
-    * the replay cache.
-    * This allows us to override the replay cache function vector with
-    * our own one.
-    * Note that this is a dirty hack to get things working and there may
-    * well be unknown side-effects.
-    */
-   {
-      krb5_gss_cred_id_t gss_creds = (krb5_gss_cred_id_t) *server_creds;
-
-      if (gss_creds && gss_creds->rcache && gss_creds->rcache->ops &&
-	  gss_creds->rcache->ops->type &&  
-	  memcmp(gss_creds->rcache->ops->type, "dfl", 3) == 0)
-          /* Override the rcache operations */
-	 gss_creds->rcache->ops = &mod_auth_kerb_rc_ops;
-   }
-#endif
-   
    return 0;
 }
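Review bot: deleting the cast of `*server_creds` to `krb5_gss_cred_id_t` removes the dependency on MIT's private `krb5_gss_cred_id_rec` layout, which the old comment itself called a dirty hack, but it also removes the only replay-cache workaround that applied to MIT 1.3.x, so users on that series get the replay errors back unless they upgrade. State the new minimum MIT version where this comment used to live, and keep the `#ifndef HEIMDAL` distinction documented somewhere, since Heimdal never took this branch and its behaviour is unchanged.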

-- 
Russ Allbery (rra <at> stanford.edu)             <http://www.eyrie.org/~eagle/>


Gmane