Hi,
I'm trying to modify Apache2-2.2.9 "mod_proxy_http" on Debian Lenny to send an
"Authorization: Negotiate [base64_token]" header to a backend server on behalf
of the user, but I have some problems generating the GSSAPI token.
As part of the authentication process, I use "mod_webauth", which creates a
credentials cache in KRB5CCNAME=/var/lib/webauth/cred_cache/temp.krb5.xxxxxx
with the correct credentials. What I want is to initialize a GSSAPI security
context from this file, but I don't know how. I've looked around, and I can
successfully create a Kerberos 5 context, but then I don't know how to
transform this into GSSAPI:

    ccache_name = apr_table_get(r->subprocess_env, "KRB5CCNAME");
    if (ccache_name == NULL) {
        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
                     "proxy: krb5_auth_headers: no KRB5CCNAME found");
    } else {
        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
                     "proxy: krb5_auth_headers: KRB5CCNAME %s found",
                     ccache_name);
        /* Initialize Kerberos context and read credentials cache */
        ret_krb5 = krb5_init_context(&ctx);
        if (ret_krb5 != 0) {
            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
                         "proxy: krb5_auth_headers: error initializing krb5 context");
        } else {
            /* Resolve the cache only once the krb5 context is valid */
            ret_krb5 = krb5_cc_resolve(ctx, ccache_name, &temp_ccache);
            if (ret_krb5 != 0)
                ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
                             "proxy: krb5_auth_headers: KRB5CCNAME %s could not be resolved",
                             ccache_name);
        }
    }

I would like to "somehow" transform the following Perl code into C:

    /*
    my $ctx = GSSAPI::Context->new();
    my $imech = GSSAPI::OID::gss_mech_krb5;
    my $iflags = 0 ;
    my $bindings = GSS_C_NO_CHANNEL_BINDINGS;
    my $creds = GSS_C_NO_CREDENTIAL;
    my $itime = 0;
    my $itoken = q{};
    my $otoken;
    $status = $ctx->init($creds,$target,
                         $imech,$iflags,$itime,$bindings,$itoken,
                         undef, $otoken,undef,undef) or last;
    $status = $ctx->valid_time_left($ttl) or last;
    print "\n Security context's time to live $ttl secs";
    print "\n Negotiate ".encode_base64($otoken,"");
    */

However, how can I tell GSSAPI to use the credentials cache I just opened? I
tried "gss_krb5_acquire_cred_cache" and "gss_export_cred", but they are not
available in libgssapi-krb5-2 on my Debian installation. I also looked in the
Heimdal package, but no luck. :(
Could you please give me an orientation on what to do? Thank you very much!
Kind regards,
--
Xesc
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos