From: Sam Hartman <hartmans@debian.org>
Date: Mon, 23 Nov 2020 09:30:22 -0500
Subject: Always use NONE replay cache type
It's 2020. Any MIT Kerberos in the wild supports the none replay
cache type. The previous code used an internal function to detect
that replay cache type; that function is no longer available.
Instead, assume it is present.
An alternative would be to enable the default replay cache. It was
originally disabled because of problems between Microsoft
authenticators and 2004-era MIT Kerberos 1.3. That's probably a good
idea. It probably closes off security attacks, although analyzing the
impact of replays in cases where neither channel binding nor
per-message services are used is difficult. I believe that a replay
cache is not strictly necessary in the common configuration where
mod-auth-kerb is used over a TLS-protected connection where the client
properly verifies the TLS certificate presented by the server prior to
sending a GSS token.
I have elected not to enable the replay cache, to effect a minimal change.
---
src/mod_auth_kerb.c | 23 +----------------------
1 file changed, 1 insertion(+), 22 deletions(-)
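--- a/src/mod_auth_kerb.c
+++ b/src/mod_auth_kerb.c
@@ -2057,27 +2057,6 @@ kerb_authenticate_user(request_rec *r)
 return ret;
 }
 
-static int
-have_rcache_type(const char *type)
-{
- krb5_error_code ret;
- krb5_context context;
- krb5_rcache id = NULL;
- int found;
-
- ret = krb5_init_context(&context);
- if (ret)
- return 0;
-
- ret = krb5_rc_resolve_full(context, &id, "none:");
- found = (ret == 0);
-
- if (ret == 0)
- krb5_rc_destroy(context, id);
- krb5_free_context(context);
-
- return found;
-}
 
 /***************************************************************************
 Module Setup/Configuration
@@ -2139,7 +2118,7 @@ kerb_module_init(server_rec *dummy, pool
 #ifndef HEIMDAL
 /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later.
 1.3.x are covered by the hack overiding the replay calls */
- if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none"))
+ if (getenv("KRB5RCACHETYPE") == NULL )
 putenv(strdup("KRB5RCACHETYPE=none"));
 #endif
 }
@@ -2181,7 +2160,7 @@ kerb_init_handler(apr_pool_t *p, apr_poo
 #ifndef HEIMDAL
 /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later.
 1.3.x are covered by the hack overiding the replay calls */
- if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none"))
+ if (getenv("KRB5RCACHETYPE") == NULL)
 putenv(strdup("KRB5RCACHETYPE=none"));
 #endif
 #ifdef STANDARD20_MODULE_STUFF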
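Review bot: The rewritten condition in the kerb_module_init hunk, `if (getenv("KRB5RCACHETYPE") == NULL )`, carries a stray space before the closing parenthesis that the otherwise identical new line in the kerb_init_handler hunk does not; write it as `if (getenv("KRB5RCACHETYPE") == NULL)` so both sites match. With the runtime probe removed, the comment above each site still reads as if the rcache type's presence were verified; it would be clearer as `/* Suppress the MIT replay cache: the "none" rcache type (MIT 1.4.0+) is assumed to exist, and it is set only when the administrator has not already chosen a KRB5RCACHETYPE. */`, which also tells operators that exporting KRB5RCACHETYPE before httpd starts is the supported way to keep a real replay cache (the 1.3.x remark and the "overiding" typo can go with it). Both enclosing functions begin outside their hunks. The unchanged `putenv(strdup("KRB5RCACHETYPE=none"));` hands an unchecked strdup() result to putenv(), which is undefined if the allocation fails; since putenv() keeps a pointer to its argument rather than copying it, a string literal `putenv("KRB5RCACHETYPE=none");` would avoid both the allocation and the check.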