Package: libapache2-mod-auth-kerb
Version: 5.3-1.3
Severity: normal
Tags: patch

Please apply the attached patch, which is based on the patch Simon
Wilkinson submitted to the upstream bug tracker with an additional bug
fix. With this patch, one can specify a key of "Any" and mod-auth-kerb
will then accept a GSSAPI authentication for any key in the local keytab.

Without this patch, it's impossible to configure a load-balanced pool
of servers to use mod-auth-kerb in a way that works with both Firefox
and IE, since Firefox will do a reverse lookup of the IP address and
use that host principal whereas IE will use the URL.

This patch has been fairly thoroughly tested and should be safe.

(Also, there's something weird with the versioning of this package. The
last two uploads have been NMUs even though they were uploaded by the
maintainer.)

-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.22-3-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libapache2-mod-auth-kerb depends on:
ii apache2.2-common 2.2.6-3 Next generation, scalable, extenda
ii krb5-config 1.18 Configuration files for Kerberos V
ii libc6 2.7-5 GNU C Library: Shared libraries
ii libcomerr2 1.40.3-1 common error description library
ii libkrb53 1.6.dfsg.3~beta1-2 MIT Kerberos runtime libraries
libapache2-mod-auth-kerb recommends no packages.
-- no debconf information
--- libapache-mod-auth-kerb.orig/README
+++ libapache-mod-auth-kerb/README
@@ -66,6 +66,8 @@
is used. The FQDN part can contain any hostname and can be used to work
around problems with misconfigured DNS. A corresponding key of this name
must be stored in the keytab.
+ If this option is set to 'Any', then any prinicpal from the keytab which
+ matches the client's request may be used.
Krb4Srvtab /path/to/srvtab
This option takes one argument, specifying the path to the Kerberos V4
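Review bot: "prinicpal" in the first added README line should read "principal". The new text should also state that the value is matched exactly (the C hunk compares against the literal "Any" with strcmp), and that with this setting every key in the keytab becomes acceptable for authentication, so the keytab should hold only the service principals this server is meant to answer for.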
--- libapache-mod-auth-kerb.orig/src/mod_auth_kerb.c
+++ libapache-mod-auth-kerb/src/mod_auth_kerb.c
@@ -1140,7 +1140,10 @@
have_server_princ = conf->krb_service_name &&
strchr(conf->krb_service_name, '/') != NULL;
if (have_server_princ)
strncpy(buf, conf->krb_service_name, sizeof(buf));
- else
+ else if (conf->krb_service_name && strcmp(conf->krb_service_name, "Any") ==
0) {
+ *server_creds = GSS_C_NO_CREDENTIAL;
+ return 0;
+ } else
snprintf(buf, sizeof(buf), "[EMAIL PROTECTED]",
(conf->krb_service_name) ? conf->krb_service_name : SERVICE_NAME,
ap_get_server_name(r));
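Review bot: the new else-if branch compares krb_service_name to the literal "Any" with a case-sensitive strcmp, so "any" or "ANY" falls through to the snprintf branch and is treated as an ordinary service name, and a service actually named "Any" can no longer be configured. Consider strcasecmp or a named constant for the reserved value, and document it as reserved. The early return 0 hands the caller GSS_C_NO_CREDENTIAL in *server_creds, so every path that later inspects or releases that handle needs to tolerate it. Separately, in the unchanged context, strncpy(buf, conf->krb_service_name, sizeof(buf)) leaves buf without a terminating NUL when the configured name fills the buffer.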