"brian m. carlson" <[email protected]> writes:

> On Sat, Oct 05, 2013 at 05:29:04PM -0700, Russ Allbery wrote:
>> Unfortunately, I believe that this would break KrbServiceName Any,
>> which at least for me is vital functionality. You would need to
>> explicitly import one particular set of credentials from the keytab,
>> and you wouldn't know which ones to import.

> Would it? Can't we just open all the keytabs at the beginning, and then
> call krb5_kt_dup to clone the appropriate handle in each request,
> iterating over the duplicated handle and then closing it? I haven't
> tested it, but it looks possible to do from the krb5 API docs.

But nothing in the Negotiate-Auth flow in mod-auth-kerb uses the Kerberos
API or does iteration over the keytab. It uses GSS-API. You can explicitly
import credentials with gss_acquire_cred, and I suspect that once you've
done that you no longer need access to the keytab, but that requires that
you import credentials for a particular principal. If you want to accept
any principal at the start of the GSS-API authentication, you have to pass
NULL to gss_accept_sec_context, which queries the keytab at the time of
context establishment. See get_gss_creds in the mod_auth_kerb source.

What you describe should work for username/password authentication, since
there the verification keytab just needs to be a krb5_keytab object, and
the module could create a persistent Kerberos context and open that keytab
in that context and maintain it for the life of the server. (Although I
suspect that fails miserably if the Apache worker is threaded.) But the
Negotiate-Auth support is harder.

I suppose if you only care about the BasicAuth password verification, you
could modify the module to do the above. It looks like it would be a
moderate amount of work to rearrange things for that to work properly.

(krb5_kt_dup is Heimdal-specific, btw, but I don't think you need to dup
the keytab anyway; you can just start a new sequence on the same
krb5_keytab object.)

-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>

