Package: libapache2-mod-auth-kerb
Version: 5.4-2.2
Severity: normal
Let's assume the following sample VirtualHost configuration.
<VirtualHost *:80>
ServerName testwww.foo.bar
ServerAdmin webmaster@localhost
DocumentRoot /home/apache/http_root/testwww/public
<Directory /home/apache/http_root/testwww>
AuthType Kerberos
AuthName "Please login to proceed"
KrbAuthRealms FOO.BAR
KrbServiceName HTTP
Krb5Keytab /etc/apache2/apache.keytab
KrbMethodNegotiate on
KrbMethodK5Passwd on
KrbLocalUserMapping On
Require valid-user
</Directory>
</VirtualHost>
When web browser uses "negotiate" authentication method, everything
works fine. But when apache tries to perform "K5Passwd" method via
acquiring plain login and password from user, the auth_kerb module reads
incorrect keytab.
It should use "Krb5Keytab" file defined in config. In my example it is
"/etc/apache2/apache.keytab". But in fact the module reads the system
default keytab instead. Usually it is placed in "/etc/krb5.keytab".
So, mod_auth_kerb ignores the directive "Krb5Keytab" while checking
against plain login and password, provided by user. Thus, in the case
when apache configured keytab differs from the system default keytab,
the same user on the same machine in the same time successfully signs in
via SPNEGO and fails to authenticate via login and password. I beleive
this is a bug.
-- System Information:
Debian Release: 8.2
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 3.16.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libapache2-mod-auth-kerb depends on:
ii apache2-bin [apache2-api-20120211] 2.4.10-10+deb8u3
ii krb5-config 2.3
ii libc6 2.19-18+deb8u1
ii libcomerr2 1.42.12-1.1
ii libgssapi-krb5-2 1.12.1+dfsg-19
ii libk5crypto3 1.12.1+dfsg-19
ii libkrb5-3 1.12.1+dfsg-19
libapache2-mod-auth-kerb recommends no packages.
libapache2-mod-auth-kerb suggests no packages.
-- no debconf information
