-=| Damyan Ivanov, 23.11.2020 22:16:43 +0200 |=- > -=| Sam Hartman, 23.11.2020 10:02:34 -0500 |=- > > Here's a patch that I believe will get libapache-mod-auth-kerb > > working with the latest krb5. I'll go upload a krb5 that fixes the > > breaks relationship. > > > > I'd appreciate it if someone who actually uses > > libapache-mod-auth-kerb will test this patch. > > If it gets tested, I'll NMU. If not, I'll ask the release team to > > remove libapache-mod-auth-kerb from testing. > > I'll try to find time to test the patch tomorrow (UTC+02).
A bit late, but I succeeded in testing the patch. Upgrading libkrb5-3 and its dependencies to 1.18.3-4 doesn't break apache2 with mod-auth-kerb anymore. Moreover, the basic functionality (user authentication against a domain controller) works as before. I am attaching a minimal patch, with the following changes compared to Sam's patch: - removed another instance of 'have_rcache_type' usage - removed all but the changes in debian/changelog, debian/patches/serries and the real patch to mod_auth_kerb.c that lives under debian/patches/. I think this patch can be used for a clean NMU. Cheers, Damyan
diff --git a/debian/changelog b/debian/changelog index b04ca6a..f621e17 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +libapache-mod-auth-kerb (5.4-2.5) unstable; urgency=medium + + * Non-maintainer upload. + * Always assume none replay cache type is present, Closes: #975344 + + -- Sam Hartman <hartm...@debian.org> Mon, 23 Nov 2020 09:34:53 -0500 + libapache-mod-auth-kerb (5.4-2.4) unstable; urgency=medium * Non-maintainer upload. diff --git a/debian/patches/0011-Always-use-NONE-replay-cache-type.patch b/debian/patches/0011-Always-use-NONE-replay-cache-type.patch new file mode 100644 index 0000000..71aaf40 --- /dev/null +++ b/debian/patches/0011-Always-use-NONE-replay-cache-type.patch @@ -0,0 +1,73 @@ +From: Sam Hartman <hartm...@debian.org> +Date: Mon, 23 Nov 2020 09:30:22 -0500 +Subject: Always use NONE replay cache type + +It's 2020. Any MIT Kerberos in the wild supports the none replay +cache type. The previous code used an internal function to detect +that replay cache type; that function is no longer available. +Instead, assume it is present. + +An alternative would be to enable the default replay cache. It was +originally disabled because of problems between Microsoft +authenticators and 2004-era MIT Kerberos 1.3. That's probably a good +idea. It probably closes off security attacks, although analyzing the +impact of replays in cases where neither channel binding nor +per-message services are used is difficult. I believe that a replay +cache is not strictly necessary in the common configuration where +mod-auth-kerb is used over a TLS-protected connection where the client +properly verifies the TLS certificate presented by the server prior to +sending a GSS token. + +I have elected not to enable replay cache to affect a minimal change. +--- + src/mod_auth_kerb.c | 23 +---------------------- + 1 file changed, 1 insertion(+), 22 deletions(-) + +--- a/src/mod_auth_kerb.c ++++ b/src/mod_auth_kerb.c +@@ -2057,27 +2057,6 @@ kerb_authenticate_user(request_rec *r) + return ret; + } + +-static int +-have_rcache_type(const char *type) +-{ +- krb5_error_code ret; +- krb5_context context; +- krb5_rcache id = NULL; +- int found; +- +- ret = krb5_init_context(&context); +- if (ret) +- return 0; +- +- ret = krb5_rc_resolve_full(context, &id, "none:"); +- found = (ret == 0); +- +- if (ret == 0) +- krb5_rc_destroy(context, id); +- krb5_free_context(context); +- +- return found; +-} + + /*************************************************************************** + Module Setup/Configuration +@@ -2139,7 +2118,7 @@ kerb_module_init(server_rec *dummy, pool + #ifndef HEIMDAL + /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later. + 1.3.x are covered by the hack overiding the replay calls */ +- if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none")) ++ if (getenv("KRB5RCACHETYPE") == NULL ) + putenv(strdup("KRB5RCACHETYPE=none")); + #endif + } +@@ -2181,7 +2160,7 @@ kerb_init_handler(apr_pool_t *p, apr_poo + #ifndef HEIMDAL + /* Suppress the MIT replay cache. Requires MIT Kerberos 1.4.0 or later. + 1.3.x are covered by the hack overiding the replay calls */ +- if (getenv("KRB5RCACHETYPE") == NULL && have_rcache_type("none")) ++ if (getenv("KRB5RCACHETYPE") == NULL) + putenv(strdup("KRB5RCACHETYPE=none")); + #endif + #ifdef STANDARD20_MODULE_STUFF diff --git a/debian/patches/series b/debian/patches/series index d2c7173..9848ef3 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -9,3 +9,4 @@ remove_bashism.patch gssapi_delegation.patch apache24.patch mod_auth_kerb-krb5_kt_close.patch +0011-Always-use-NONE-replay-cache-type.patch