tags 340360 patch
thanks

Here's a tested patch that works with 1.4.3.  Note that it won't work with
earlier versions of Kerberos since the "none" rcache type is new in 1.4 so
far as I can tell.

A possibly better solution would be to keep the old code but make it
conditional on the version of Kerberos being built against, but I'm not
quite sure how to do that.  I don't think MIT Kerberos provides an easy way
to detect, at configure or compile time, whether the rcache type "none" is
supported.

--- libapache-mod-auth-kerb-4.996-5.0-rc6/src/mod_auth_kerb.c   2004-08-10 
05:01:01.000000000 -0700
+++ libapache-mod-auth-kerb-4.996-5.0-rc6.fixed/src/mod_auth_kerb.c     
2005-11-22 19:49:06.000000000 -0800
@@ -195,34 +195,6 @@
    { NULL }
 };
 
-#if defined(KRB5) && !defined(HEIMDAL)
-/* Needed to work around problems with replay caches */
-#include "mit-internals.h"
-
-/* This is our replacement krb5_rc_store function */
-static krb5_error_code
-mod_auth_kerb_rc_store(krb5_context context, krb5_rcache rcache,
-                       krb5_donot_replay_internal *donot_replay)
-{
-   return 0;
-}
-
-/* And this is the operations vector for our replay cache */
-const krb5_rc_ops_internal mod_auth_kerb_rc_ops = {
-  0,
-  "dfl",
-  krb5_rc_dfl_init,
-  krb5_rc_dfl_recover,
-  krb5_rc_dfl_destroy,
-  krb5_rc_dfl_close,
-  mod_auth_kerb_rc_store,
-  krb5_rc_dfl_expunge,
-  krb5_rc_dfl_get_span,
-  krb5_rc_dfl_get_name,
-  krb5_rc_dfl_resolve
-};
-#endif
-
 
 /*************************************************************************** 
  Auth Configuration Initialization
@@ -993,6 +965,12 @@
    gss_name_t server_name = GSS_C_NO_NAME;
    char buf[1024];
 
+#ifndef HEIMDAL
+   /* Suppress the MIT replay cache.  Requires MIT Kerberos 1.4.0 or later. */
+   if (getenv("KRB5RCACHETYPE") == NULL)
+       putenv("KRB5RCACHETYPE=none");
+#endif
+
    snprintf(buf, sizeof(buf), "[EMAIL PROTECTED]", conf->krb_service_name,
            ap_get_server_name(r));
 
@@ -1035,27 +1013,6 @@
       return HTTP_INTERNAL_SERVER_ERROR;
    }
 
-#ifndef HEIMDAL
-   /*
-    * With MIT Kerberos 5 1.3.x the gss_cred_id_t is the same as
-    * krb5_gss_cred_id_t and krb5_gss_cred_id_rec contains a pointer to
-    * the replay cache.
-    * This allows us to override the replay cache function vector with
-    * our own one.
-    * Note that this is a dirty hack to get things working and there may
-    * well be unknown side-effects.
-    */
-   {
-      krb5_gss_cred_id_t gss_creds = (krb5_gss_cred_id_t) *server_creds;
-
-      if (gss_creds && gss_creds->rcache && gss_creds->rcache->ops &&
-         gss_creds->rcache->ops->type &&  
-         memcmp(gss_creds->rcache->ops->type, "dfl", 3) == 0)
-          /* Override the rcache operations */
-        gss_creds->rcache->ops = &mod_auth_kerb_rc_ops;
-   }
-#endif
-   
    return 0;
 }
 
-- 
Russ Allbery ([EMAIL PROTECTED])               <http://www.eyrie.org/~eagle/>


