Edit report at https://bugs.php.net/bug.php?id=74636&edit=1
ID: 74636
User updated by: chanlists at googlemail dot com
Reported by: chanlists at googlemail dot com
Summary: [krb5] negotiate auth broken for vhosts because of hostname canonicalization
Status: Assigned
Type: Bug
Package: PECL
Operating System: debian 8
PHP Version: 5.6.30
Assigned To: mbechler
Block user comment: N
Private report: N
New Comment:
I would actually prefer to be able to set the service principal using a method
that changes a property, and use the current behavior as the default method.
Previous Comments:
------------------------------------------------------------------------
[2017-05-23 09:29:22] [email protected]
This sounds like something that should be controlled by an INI setting.
------------------------------------------------------------------------
[2017-05-23 09:09:04] chanlists at googlemail dot com
Description:
------------
Suppose we are using a virtual host in apache where the virtual host name
<vhost> is a CNAME for the actual hostname <hostname>. In this case, the web
browser will present a service ticket for HTTP/<vhost>, but the krb5 package
will set the service principal to HTTP/<hostname> because of the use of
gethostbyname() in the KRB5NegotiateAuth constructor. This will not work. If I
modify the constructor as follows, it works:
    server_name = zend_compat_hash_find(HASH_OF(server), "SERVER_NAME", sizeof("SERVER_NAME"));
    if ( server_name != NULL ) {
        char *hostname = Z_STRVAL_P(server_name);
        /* gethostbyname() canonicalization disabled: use SERVER_NAME as given */
        // struct hostent* host = gethostbyname(hostname);
        // if(!host) {
        //     zend_throw_exception(NULL, "Failed to get server FQDN - Lookup failure", 0 TSRMLS_CC);
        //     return;
        // }
        /* "HTTP@" (5 bytes) + hostname + terminating NUL */
        nametmp.length = strlen(hostname) + 6;
        nametmp.value = emalloc(sizeof(char)*nametmp.length);
        snprintf(nametmp.value, nametmp.length, "HTTP@%s", hostname);
Note that for this to work, one also has to set
dns_canonicalize_hostname = false
in /etc/krb5.conf because otherwise the krb5 library will try to do hostname
canonicalization as well. So I think there should either be a way to set the
name of the service principal using a method, or hostname canonicalization
should be disabled in the krb5 library as above, or it should be possible to
turn it off with a flag. I would be happy to contribute a patch depending on
what you prefer. Thanks for this great piece of software,
Christian
Test script:
---------------
see above
------------------------------------------------------------------------
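As an added illustration (not code from the bug report or from the php-krb5 extension), the following Python models the two ways the server-side service principal can be derived in the scenario above: canonicalizing the virtual host name through a gethostbyname()-style CNAME lookup, as the KRB5NegotiateAuth constructor does, versus taking SERVER_NAME as given, as the reporter's patch does. The CNAME table, host names and function names are constructed for the example; the check at the end shows that the canonicalized principal HTTP/<hostname> does not match the ticket the browser obtained for HTTP/<vhost>.

```python
# Added example, not part of the bug report or the krb5 extension.
# Constructed CNAME table standing in for DNS: the vhost name is an alias
# for the real host, and the real host maps to itself.
CNAME_TABLE = {
    "www.example.test": "web01.example.test",    # vhost is a CNAME
    "web01.example.test": "web01.example.test",  # canonical host
}


def canonicalize(name, table=CNAME_TABLE):
    """Mimic gethostbyname(): follow CNAMEs until the canonical name.

    Raises LookupError for an unknown name, mirroring the extension's
    "Failed to get server FQDN - Lookup failure" exception.
    """
    seen = set()
    while name not in seen:
        seen.add(name)
        target = table.get(name)
        if target is None:
            raise LookupError(f"Failed to get server FQDN - Lookup failure: {name}")
        if target == name:
            return name
        name = target
    raise LookupError(f"CNAME loop while resolving {name}")


def service_principal(server_name, dns_canonicalize=True):
    """Build the GSSAPI host-based service name ("HTTP@host").

    dns_canonicalize=True reproduces the constructor's behaviour (resolve
    SERVER_NAME first); False reproduces the reporter's patch, which uses
    SERVER_NAME unchanged (and needs dns_canonicalize_hostname = false in
    krb5.conf so the library does not canonicalize again).
    """
    host = canonicalize(server_name) if dns_canonicalize else server_name
    return f"HTTP@{host}"


def client_ticket_principal(url_host):
    """The browser asks the KDC for a ticket to HTTP/<host from the URL>."""
    return f"HTTP/{url_host}"


def principal_matches(gss_name, ticket_principal):
    """Does the server's "svc@host" name denote the ticket's "svc/host"?"""
    svc, host = gss_name.split("@", 1)
    return ticket_principal == f"{svc}/{host}"


def negotiate_outcome(url_host, dns_canonicalize):
    """True when the server's acceptor name matches the client's ticket."""
    return principal_matches(
        service_principal(url_host, dns_canonicalize),
        client_ticket_principal(url_host),
    )


if __name__ == "__main__":
    for host in ("www.example.test", "web01.example.test"):
        for canon in (True, False):
            print(host, "canonicalize=%s" % canon,
                  service_principal(host, canon),
                  "OK" if negotiate_outcome(host, canon) else "MISMATCH")
```

Run as a script it prints one line per combination; only the vhost with canonicalization enabled reports MISMATCH, which is the failure the report describes. Against a non-aliased host both modes agree, which is why the problem only shows up for CNAME-based virtual hosts.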
PECL development discussion Mailing List (http://pecl.php.net/)