Package: libapache2-mod-auth-kerb
Version: 5.3-5
Severity: normal
Tags: patch
When using kerberos authentication for https, the kerberos module adds the
WWW-Authenticate lines twice (the same configuration without https is OK).
I.e., in the response to a simple request (without any auth info), the server
replies with:

HTTP/1.1 401 Authorization Required
Date: Wed, 27 Aug 2008 21:43:44 GMT
Server: Apache/2.2.9 (Debian) mod_auth_kerb/5.3 DAV/2 SVN/1.5.1 PHP/5.2.0-8+etch11 mod_ruby/1.2.6 Ruby/1.8.5(2006-08-25) mod_ssl/2.2.9 OpenSSL/0.9.8c
WWW-Authenticate: Negotiate
WWW-Authenticate: Basic realm="OKTET Labs private webspace"
WWW-Authenticate: Negotiate
WWW-Authenticate: Basic realm="OKTET Labs private webspace"
Content-Length: 731
Content-Type: text/html; charset=iso-8859-1

As you see, the WWW-Authenticate headers are repeated twice. It is easy to see
this effect in any browser which can show http headers.

Such behaviour makes curl crazy (I have patched curl to print more details):

bash$ curl -vvv --max-redirs 2 --negotiate -u : https://oktetlabs.ru
* About to connect() to oktetlabs.ru port 443 (#0)
*   Trying 192.168.38.1... connected
* Connected to oktetlabs.ru (192.168.38.1) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
*   subject: /C=RU/ST=Saint Petersburg/O=OKTET Labs/CN=oktetlabs.ru/[EMAIL PROTECTED]
*   start date: 2008-05-13 19:12:13 GMT
*   expire date: 2011-02-07 19:12:13 GMT
*   subjectAltName: oktetlabs.ru matched
*   issuer: /C=RU/ST=Saint Petersburg/L=St.Petergof/O=OKTET Labs/CN=OKTET Labs Root CA/[EMAIL PROTECTED]
*   SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.18.2 (x86_64-pc-linux-gnu) libcurl/7.18.2 OpenSSL/0.9.8g
> zlib/1.2.3.3 libidn/1.8 libssh2/0.18
> Host: oktetlabs.ru
> Accept: */*
>
< HTTP/1.1 401 Authorization Required
< Date: Wed, 27 Aug 2008 21:43:44 GMT
< Server: Apache/2.2.9 (Debian) mod_auth_kerb/5.3 DAV/2 SVN/1.5.1 PHP/5.2.0-8+etch11 mod_ruby/1.2.6 Ruby/1.8.5(2006-08-25) mod_ssl/2.2.9 OpenSSL/0.9.8c
* Curl_input_negotiate()
< WWW-Authenticate: Negotiate
< WWW-Authenticate: Basic realm="OKTET Labs private webspace"
* Curl_input_negotiate()
* gss complete
* GSS Authentication problem. Ignoring this.
< WWW-Authenticate: Negotiate
< WWW-Authenticate: Basic realm="OKTET Labs private webspace"
< Content-Length: 731
< Content-Type: text/html; charset=iso-8859-1
<
* Ignoring the response-body
* Connection #0 to host oktetlabs.ru left intact
* Issue another request to this URL: 'https://oktetlabs.ru'
* Re-using existing connection! (#0) with host oktetlabs.ru
* Connected to oktetlabs.ru (192.168.38.1) port 443 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.18.2 (x86_64-pc-linux-gnu) libcurl/7.18.2 OpenSSL/0.9.8g
> zlib/1.2.3.3 libidn/1.8 libssh2/0.18
> Host: oktetlabs.ru
> Accept: */*
>
< HTTP/1.1 401 Authorization Required

Possibly, it is a curl bug, but it is not easy (at least for me) to fix it.
However, I have a 3-line patch for the mod_kerb apache module (attached).

Thank you for your work on the package,
Alexandra.

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (900, 'testing'), (50, 'experimental'), (50, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.25-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libapache2-mod-auth-kerb depends on:
ii  apache2.2-common    2.2.9-7             Apache HTTP Server common files
ii  krb5-config         1.21                Configuration files for Kerberos V
ii  libc6               2.7-13              GNU C Library: Shared libraries
ii  libcomerr2          1.41.0-3            common error description library
ii  libkrb53            1.6.dfsg.4~beta1-3  MIT Kerberos runtime libraries

libapache2-mod-auth-kerb recommends no packages.

libapache2-mod-auth-kerb suggests no packages.

-- no debconf information

-- 
Alexandra N. Kossovsky
OKTET Labs (http://www.oktetlabs.ru/)
Phones: +7(921)956-42-86(mobile) +7(812)783-21-91(office)
e-mail: [EMAIL PROTECTED]
--- libapache-mod-auth-kerb-5.3.orig/src/mod_auth_kerb.c 2008-08-28 01:13:29.000000000 +0400 +++ libapache-mod-auth-kerb-5.3.orig/src/mod_auth_kerb.c 2008-08-28 01:54:04.000000000 +0400 @@ -1533,6 +1533,10 @@ const char *header_name = (r->proxyreq == PROXYREQ_PROXY) ? "Proxy-Authenticate" : "WWW-Authenticate"; + /* No need to put headers twice */ + if (!ap_is_initial_req(r)) + return; + /* get the user realm specified in .htaccess */ auth_name = ap_auth_name(r);
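Review bot: the guard `if (!ap_is_initial_req(r)) return;` is broader than the duplicate it suppresses: ap_is_initial_req() is false for internal redirects (r->prev set) as well as for subrequests (r->main set), so a 401 produced while handling an internal redirect into a Kerberos-protected location (an ErrorDocument, for instance) would now go out with no WWW-Authenticate or Proxy-Authenticate header at all, and a 401 must carry a challenge for the client to have anything to act on. If the second set of headers on https comes from a subrequest, `if (r->main != NULL) return;` is the narrower check; if the origin is not known, checking whether a header named header_name is already present on the request before adding another one fixes the symptom without dropping the challenge in any code path. The comment "No need to put headers twice" states the symptom rather than the cause; it should say which second invocation is being skipped and why it only occurs with mod_ssl, so the next reader does not have to rediscover it.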
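As an added check, not part of the bug report or of mod_auth_kerb, the following script parses a raw HTTP response head and reports the two things a Negotiate-capable client cares about: each WWW-Authenticate challenge being repeated (the symptom reported above) and a 401 that carries no challenge at all (the opposite failure mode a too-broad early return could produce). The sample responses are constructed from the headers quoted in the report; the function and variable names are the example's own.

```python
"""Audit the WWW-Authenticate challenges in a raw HTTP response head.

Added example, not part of the bug report or of mod_auth_kerb. Header order
and repeats are preserved by the parser on purpose: a repeated challenge is
exactly what we want to detect.
"""
from collections import Counter

# Constructed sample, built from the 401 response quoted in the bug report.
RESPONSE_DUPLICATED = (
    "HTTP/1.1 401 Authorization Required\r\n"
    "Date: Wed, 27 Aug 2008 21:43:44 GMT\r\n"
    "Server: Apache/2.2.9 (Debian) mod_auth_kerb/5.3 mod_ssl/2.2.9\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    'WWW-Authenticate: Basic realm="OKTET Labs private webspace"\r\n'
    "WWW-Authenticate: Negotiate\r\n"
    'WWW-Authenticate: Basic realm="OKTET Labs private webspace"\r\n'
    "Content-Length: 731\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
)

# Constructed sample: the same 401 as it should look, each challenge once.
RESPONSE_CLEAN = (
    "HTTP/1.1 401 Authorization Required\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    'WWW-Authenticate: Basic realm="OKTET Labs private webspace"\r\n'
    "Content-Length: 731\r\n"
    "\r\n"
)

# Constructed sample: a 401 with no challenge, which a client cannot act on.
RESPONSE_NO_CHALLENGE = (
    "HTTP/1.1 401 Authorization Required\r\n"
    "Content-Length: 731\r\n"
    "\r\n"
)


def parse_head(raw):
    """Return (status_code, [(lowercased name, value), ...]) for a raw response.

    Accepts CRLF or LF line endings and ignores any body after the blank line.
    Only the first ':' splits a line, so values such as Date keep their colons.
    """
    text = raw.replace("\r\n", "\n")
    head = text.split("\n\n", 1)[0]
    lines = head.split("\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def audit_challenges(raw, header_name="www-authenticate"):
    """Collect every challenge under header_name and flag repeats and absence."""
    status, headers = parse_head(raw)
    challenges = [value for name, value in headers if name == header_name]
    counts = Counter(challenges)
    duplicates = {c: n for c, n in counts.items() if n > 1}
    findings = []
    if status == 401 and not challenges:
        findings.append("401 response carries no %s challenge" % header_name)
    for challenge, n in duplicates.items():
        findings.append("challenge %r repeated %d times" % (challenge, n))
    return {
        "status": status,
        "challenges": challenges,
        "duplicates": duplicates,
        "findings": findings,
    }


if __name__ == "__main__":
    samples = [
        ("duplicated", RESPONSE_DUPLICATED),
        ("clean", RESPONSE_CLEAN),
        ("no challenge", RESPONSE_NO_CHALLENGE),
    ]
    for label, sample in samples:
        result = audit_challenges(sample)
        print(label, "->", result["findings"] or ["ok"])
```

Against a live server the head can be captured with `curl -s -D - -o /dev/null https://host/` and passed to `audit_challenges()` as a string; with a Negotiate challenge present, a client that receives it only once (the clean case) can complete the GSS exchange in one round trip, which is the behaviour the reporter's curl trace fails to reach.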