ports/86963: mod_auth_kerb defaults to installing MIT Kerberos and won't work with Heimdal

Thu Oct 6 01:40:20 UTC 2005

>Number:         86963
>Category:       ports
>Synopsis:       mod_auth_kerb defaults to installing MIT Kerberos and won't work with Heimdal
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Oct 06 01:40:18 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Brian Fundakowski Feldman
>Release:        FreeBSD 6.0-BETA4 i386
>Organization:
FreeBSD
>Environment:
System: FreeBSD green.homeunix.org 6.0-BETA4 FreeBSD 6.0-BETA4 #0: Fri Sep 9 07:16:21 EDT 2005 green at green.homeunix.org:/usr/obj/usr/src/sys/GREEN i386


	
>Description:
	The port defaults to installing into ${LOCALBASE} MIT Kerberos
	in spite of presence of Heimdal in the base system.  In spite
	of this, however, Heimdal support does not work.  
>How-To-Repeat:
	make KRB5_HOME=/usr install, then attempt SPNEGO authentication
	(not krb5 password gatewaying, which the pam_krb5 module could
	do perfectly well anyway) with a keytab not /etc/krb5.keytab
	(specified by Krb5Keytab in the httpd.conf).  The directive
	appears to be ignored, as an error referring to
	"FILE:/etc/krb5.keytab" is returned upon attempting the
	authentication using Mozilla.
>Fix:
	Heimdal has an existing API for performing the function that
	this plugin is attempting (that is, changing the location
	of the keytab to allow for least privilege for the service).
	Using it thusly makes things work for me:

--- src/mod_auth_kerb.c.orig	Tue Aug 10 08:01:01 2004
+++ src/mod_auth_kerb.c	Wed Oct  5 20:25:38 2005
@@ -1108,6 +1108,7 @@
   spnego_oid.elements = (void *)"\x2b\x06\x01\x05\x05\x02";
 
   if (conf->krb_5_keytab) {
+#ifndef HEIMDAL
      char *ktname;
      /* we don't use the ap_* calls here, since the string passed to putenv()
       * will become part of the enviroment and shouldn't be free()ed by apache
@@ -1120,6 +1121,14 @@
      }
      sprintf(ktname, "KRB5_KTNAME=%s", conf->krb_5_keytab);
      putenv(ktname);
+#else
+     ret = gsskrb5_register_acceptor_identity(conf->krb_5_keytab);
+     if (ret) {
+	log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "Setting KerberosV keytab failed: %s", strerror(errno));
+	ret = HTTP_INTERNAL_SERVER_ERROR;
+	goto end;
+     }
+#endif
   }
 
   ret = get_gss_creds(r, conf, &server_creds);

	I plan to send this PR over to the mod_auth_kerb guys in order to
	get it into the standard distribution.

	A smaller issue is the inaccurate description in the port.
	It makes no mention of SPNEGO ("HTTP Negotiate"/GSSAPI/Kerberos 5
	authentication), and refers to a www/<host>@<REALM> principal
	whereas the canonical principal, and the default, is actually
	HTTP/<host>@<REALM>.  I could attempt a rewrite of this...
>Release-Note:
>Audit-Trail:
>Unformatted:

