Edit report at https://bugs.php.net/bug.php?id=74636&edit=1

 ID:                 74636
 Updated by:         [email protected]
 Reported by:        chanlists at googlemail dot com
-Summary:            negotiate auth broken for virtual hosts because of
                     hostname canonicalization
+Summary:            [krb5] negotiate auth broken for vhosts because of
                     hostname canonicalization
 Status:             Open
 Type:               Bug
-Package:            *General Issues
+Package:            PECL
 Operating System:   debian 8
 PHP Version:        5.6.30
-Assigned To:        
+Assigned To:        mbechler
 Block user comment: N
 Private report:     N

 New Comment:

This sounds like something that should be controlled by an INI setting.


Previous Comments:
------------------------------------------------------------------------
[2017-05-23 09:09:04] chanlists at googlemail dot com

Description:
------------
Suppose we are using a virtual host in apache where the virtual host name 
<vhost> is a CNAME for the actual hostname <hostname>. In this case, 
the web browser will present a service ticket for HTTP/<vhost>, but the krb5 
package will set the service principal to HTTP/<hostname> because of the use of 
gethostbyname() in the KRB5NegotiateAuth constructor. This will not work. If I 
modify the constructor as follows, it works:

    server_name = zend_compat_hash_find(HASH_OF(server), "SERVER_NAME", sizeof("SERVER_NAME"));
    if ( server_name != NULL ) {
        char *hostname = Z_STRVAL_P(server_name);
        // gethostbyname() lookup disabled: use SERVER_NAME as-is so the
        // principal matches the vhost name the client obtained a ticket for
        // struct hostent* host = gethostbyname(hostname);

        // if(!host) {
        //      zend_throw_exception(NULL, "Failed to get server FQDN - Lookup failure", 0 TSRMLS_CC);
        //      return;
        //}

        nametmp.length = strlen(hostname) + 6;   /* "HTTP@" + hostname + NUL */
        nametmp.value = emalloc(sizeof(char)*nametmp.length);
        snprintf(nametmp.value, nametmp.length, "HTTP@%s", hostname);

Note that for this to work, one also has to set 

dns_canonicalize_hostname = false

in /etc/krb5.conf because otherwise the krb5 library will try to do hostname 
canonicalization as well. So I think there should either be a way to set the 
name of the service principal using a method, or hostname canonicalization 
should be disabled in the krb5 library as above, or it should be possible to 
turn it off with a flag. I would be happy to contribute a patch depending on 
what you prefer. Thanks for this great piece of software,

Christian

Test script:
---------------
see above
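The mismatch described above, as an added example that is not the krb5 extension's own code: the service name is built the way the patched constructor builds it, and an offline CNAME table (constructed sample data) stands in for gethostbyname() so the canonicalized and as-is cases can be compared side by side.

```c
/* Added example, not the krb5 PECL extension's own code: builds the GSSAPI
 * host-based service name "HTTP@<host>" as the reporter's patched constructor
 * does, with an optional canonicalization step standing in for gethostbyname().
 * The CNAME table below is constructed sample data, not real DNS. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed DNS stand-in: vhost CNAME -> canonical host name. */
static const char *cname_table[][2] = {
    { "www.example.org", "web01.example.org" },
};

/* Mimics gethostbyname()->h_name offline: canonical name if a CNAME entry
 * exists, otherwise the input itself. */
static const char *canonicalize(const char *host) {
    for (size_t i = 0; i < sizeof cname_table / sizeof cname_table[0]; i++)
        if (strcmp(cname_table[i][0], host) == 0)
            return cname_table[i][1];
    return host;
}

/* Build "HTTP@<host>" from SERVER_NAME; with canonicalize_flag the host is
 * first replaced by its canonical name. Caller frees the result. */
char *build_service_name(const char *server_name, int canonicalize_flag) {
    const char *host = canonicalize_flag ? canonicalize(server_name) : server_name;
    size_t len = strlen(host) + 6;          /* "HTTP@" + host + NUL */
    char *name = malloc(len);
    if (!name) return NULL;
    snprintf(name, len, "HTTP@%s", host);
    return name;
}

/* 1 if the name the server will acquire credentials for matches the
 * principal the browser's service ticket was issued for, else 0. */
int ticket_matches(const char *server_name, int canonicalize_flag,
                   const char *ticket_principal) {
    char *name = build_service_name(server_name, canonicalize_flag);
    if (!name) return 0;
    int ok = strcmp(name, ticket_principal) == 0;
    free(name);
    return ok;
}

int main(void) {
    const char *ticket = "HTTP@www.example.org";  /* what the browser presents */
    printf("canonicalized: %s\n", ticket_matches("www.example.org", 1, ticket) ? "match" : "MISMATCH");
    printf("as-is:         %s\n", ticket_matches("www.example.org", 0, ticket) ? "match" : "MISMATCH");
    return 0;
}
```

With canonicalization the server looks for HTTP@web01.example.org while the browser presents a ticket for HTTP@www.example.org, which is exactly the failure the report describes; a krb5.conf with dns_canonicalize_hostname = false is still needed so the library does not redo the lookup on its own.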



------------------------------------------------------------------------



--
Edit this bug report at https://bugs.php.net/bug.php?id=74636&edit=1

-- 
PECL development discussion Mailing List (http://pecl.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
