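--- /dev/null
+++ b/0011-Always-use-NONE-replay-cache-type.patch
@@ -0,0 +1,73 @@
+From: Sam Hartman <hartmans@debian.org>
+Date: Mon, 23 Nov 2020 09:30:22 -0500
+Subject: Always use NONE replay cache type
+
+It's 2020. Any MIT Kerberos in the wild supports the none replay
+cache type. The previous code used an internal function to detect
+that replay cache type; that function is no longer available.
+Instead, assume it is present.
+
+An alternative would be to enable the default replay cache. It was
+originally disabled because of problems between Microsoft
+authenticators and 2004-era MIT Kerberos 1.3. That's probably a good
+idea. It probably closes off security attacks, although analyzing the
+impact of replays in cases where neither channel binding nor
+per-message services are used is difficult. I believe that a replay
+cache is not strictly necessary in the common configuration where
+mod-auth-kerb is used over a TLS-protected connection where the client
+properly verifies the TLS certificate presented by the server prior to
+sending a GSS token.
+
+I have elected not to enable replay cache to affect a minimal change.
+---
+src/mod_auth_kerb.c | 23 +----------------------
+1 file changed, 1 insertion(+), 22 deletions(-)
+
+--- a/src/mod_auth_kerb.c
++++ b/src/mod_auth_kerb.c
+@@ -2057,27 +2057,6 @@ kerb_authenticate_user(request_rec *r)
+return ret;
+}
+
+-static int
+-have_rcache_type(const char *type)
+-{
+- krb5_error_code ret;
+- krb5_context context;
+- krb5_rcache id = NULL;
+- int found;
+-
+- ret = krb5_init_context(&context);
+- if (ret)
+- return 0;
+-
+- ret = krb5_rc_resolve_full(context, &id, "none:");
+- found = (ret == 0);
+-
+- if (ret == 0)
+- krb5_rc_destroy(context, id);
+- krb5_free_context(context);
+-
+- return found;
+-}
+
+/***************************************************************************
+Module Setup/Configuration
+@@ -2139,7 +2118,7 @@ kerb_module_init(server_rec *dummy, pool
+#ifndef HEIMDAL
+/* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later.
+1.3.x are covered by the hack overiding the replay calls */
+- if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none"))
++ if (getenv("KRB5RCACHETYPE") == NULL )
+putenv(strdup("KRB5RCACHETYPE=none"));
+#endif
+}
+@@ -2181,7 +2160,7 @@ kerb_init_handler(apr_pool_t *p, apr_poo
+#ifndef HEIMDAL
+/* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later.
+1.3.x are covered by the hack overiding the replay calls */
+- if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none"))
++ if (getenv("KRB5RCACHETYPE") == NULL)
+putenv(strdup("KRB5RCACHETYPE=none"));
+#endif
+#ifdef STANDARD20_MODULE_STUFF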
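Review bot: The comment above the new `if (getenv("KRB5RCACHETYPE") == NULL )` in kerb_module_init, and the identical one in kerb_init_handler, still describes a runtime capability check that this patch deletes, so the assumption that the "none" replay cache type exists now lives only in the commit message. Suggest rewording both comments to `/* Suppress the MIT replay cache. The "none" rcache type is assumed to be available (MIT Kerberos 1.4.0 or later); replay protection is then left to the transport, e.g. TLS with server certificate verification. */` so an operator reading the source can see that replay detection is disabled by default unless KRB5RCACHETYPE is set. The stray space in `== NULL )` in the kerb_module_init hunk differs from `== NULL)` in the kerb_init_handler hunk; drop it for consistency. Both enclosing functions, kerb_module_init and kerb_init_handler, begin outside their hunks.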
| ... | ... | --- a/apache-mod_auth_kerb.spec |
| ... | ... | +++ b/apache-mod_auth_kerb.spec |
| ... | ... | @@ -6,7 +6,7 @@ |
| 6 | 6 |
Summary: Apache module to provides authentifation against a Kerberos server
|
| 7 | 7 |
Name: apache-%{mod_name}
|
| 8 | 8 |
Version: 5.4
|
| 9 |
Release: 13
|
|
| 9 |
Release: 14
|
|
| 10 | 10 |
Group: System/Servers
|
| 11 | 11 |
License: BSD-like
|
| 12 | 12 |
URL: http://modauthkerb.sourceforge.net/
|
| ... | ... | @@ -16,7 +16,7 @@ Patch1: mod_auth_kerb-5.4-rcopshack.patch |
| … | … | |
| 16 | 16 |
Patch2: mod_auth_kerb-5.4-fixes.patch
|
| 17 | 17 |
Patch3: mod_auth_kerb-5.4-s4u2proxy.patch
|
| 18 | 18 |
Patch4: mod_auth_kerb-5.4-httpd24.patch
|
| 19 |
|
|
| 19 |
Patch5: 0011-Always-use-NONE-replay-cache-type.patch
|
|
| 20 | 20 |
Requires: krb5-libs
|
| 21 | 21 |
BuildRequires: krb5-devel
|
| 22 | 22 |
BuildRequires: automake
|
| ... | ... | @@ -57,6 +57,7 @@ counter this, I would suggest also using mod_ssl. |
| … | … | |
| 57 | 57 |
%patch2 -p1
|
| 58 | 58 |
%patch3 -p1
|
| 59 | 59 |
%patch4 -p1
|
| 60 |
%patch5 -p1
|
|
| 60 | 61 |
|
| 61 | 62 |
cp %{SOURCE1} %{mod_conf}
|
| 62 | 63 |
sed -i "s|_MODULE_DIR_|%{_libdir}/apache|g" %{mod_conf}
|