Bug 688210
| Field | Value |
|---|---|
| Summary | mod_auth_kerb using krb5passwd and keepalive and credential delegation loses delegation after first request on connection |
| Product | Red Hat Enterprise Linux 6 |
| Reporter | Benjamin Kahn <bkahn> |
| Component | mod_auth_kerb |
| Assignee | Joe Orton <jorton> |
| Status | CLOSED ERRATA |
| QA Contact | BaseOS QE Security Team <qe-baseos-security> |
| Severity | medium |
| Docs Contact | |
| Priority | medium |
| Version | 6.1 |
| CC | ddumas, jorton, ksrot, syeghiay |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | The KrbSaveCredentials option, used primarily for delegated credentials, did not work correctly with Keep-Alive connections. Although the first request of an authenticated connection would have access to the $KRB5CCNAME variable, subsequent requests on the same connection would not. Credential storage has been moved from the request handler to the connection handler to fix the bug. |
| Story Points | --- |
| Clone Of | 687975 |
| Environment | |
| Last Closed | 2012-06-20 14:04:44 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 687975 |
| Bug Blocks | |
| Attachments | |
Description
Benjamin Kahn
2011-03-16 15:04:43 UTC
Created attachment 485803 [details]
Move credential cache destruction to the destruction of the CONNECTION not the REQUEST
Move credential cache destruction to the destruction of the CONNECTION not the REQUEST; also store the path to the credential cache.
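The lifetime problem the attachment fixes (the credential cache torn down with the request rather than the connection), as an added model that is not mod_auth_kerb's or APR's code: a toy pool that runs cleanups on destroy stands in for apr_pool_cleanup_register on r->pool versus r->connection->pool. It assumes, as the report implies, that only the first request on a keep-alive connection authenticates and saves credentials; the ccache path is a constructed placeholder.

```c
#include <stdio.h>
#include <string.h>
/* Toy stand-in for an APR pool: cleanups run, newest first, when the pool is
 * destroyed (cf. apr_pool_cleanup_register / apr_pool_destroy). */
typedef struct { void (*fn[8])(void *); void *data[8]; int n; } pool_t;

static void pool_cleanup_register(pool_t *p, void *d, void (*fn)(void *)) {
    p->fn[p->n] = fn; p->data[p->n] = d; p->n++;
}
static void pool_destroy(pool_t *p) {
    while (p->n > 0) { p->n--; p->fn[p->n](p->data[p->n]); }
}

/* Per-connection state: the fix stores the ccache path here. */
typedef struct { char ccname[64]; } conn_t;

/* Cleanup standing in for removing the ccache file: forget the path. */
static void ccache_destroy(void *d) { ((conn_t *)d)->ccname[0] = '\0'; }

/* Simulates nreq keep-alive requests on one connection. Returns how many of
 * them could export KRB5CCNAME; *leaked reports whether the cache outlived
 * the connection. on_conn = 0 registers the cleanup on the request pool (the
 * bug), on_conn = 1 on the connection pool (the fix). */
int requests_with_ccache(int nreq, int on_conn, int *leaked) {
    conn_t conn = { "" };
    pool_t conn_pool = { {0}, {0}, 0 };
    int seen = 0;
    for (int i = 0; i < nreq; i++) {
        pool_t req_pool = { {0}, {0}, 0 };
        if (i == 0) {   /* only the first request authenticates and saves creds */
            strcpy(conn.ccname, "FILE:/tmp/krb5cc_example");  /* constructed path */
            pool_cleanup_register(on_conn ? &conn_pool : &req_pool, &conn, ccache_destroy);
        }
        if (conn.ccname[0] != '\0') seen++;   /* handler could set KRB5CCNAME */
        pool_destroy(&req_pool);              /* request ends: r->pool destroyed */
    }
    pool_destroy(&conn_pool);                 /* connection closes */
    *leaked = conn.ccname[0] != '\0';
    return seen;
}

int main(void) {
    int leaked;
    printf("cleanup on request pool:    %d of 3 requests saw the cache\n",
           requests_with_ccache(3, 0, &leaked));
    printf("cleanup on connection pool: %d of 3 requests saw the cache\n",
           requests_with_ccache(3, 1, &leaked));
    return 0;
}
```

In both configurations the cache is gone once the connection closes, which is the property the later resource-leak follow-up in this bug is concerned with.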
Ben, when Joe has a patched mod-auth-krb, can you test in your environment?

Yes. I have a fairly complete test environment. (I can test with keep-alive on and off, and with Negotiate and with passwords only.)

This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux. If you would like it considered as an exception in the current release, please ask your support representative.

This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux. If you would like it considered as an exception in the current release, please ask your support representative.

Created attachment 522349 [details]
Updated patch by mgbowman to solve resource leak

mgbowman found a resource leak in the previous patch here: https://sourceforge.net/tracker/index.php?func=detail&aid=2818141&group_id=51775&atid=464524 This is the corrected patch.

Created attachment 565338 [details]
Fix a missing fclose call; was in original patch

The patch here before was missing a line from the original: http://sourceforge.net/tracker/index.php?func=detail&aid=2818141&group_id=51775&atid=464524 I'm not sure how that line got dropped.

Looking at the logic, a stat /would/ be more appropriate. I've switched it to an apr_stat() call.
I have tested this package and verified that the behavior is correct using both Negotiate and Basic Authentication via mod_auth_kerb. The credential cache is kept around for the life of the keep-alive connection, and then destroyed.

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Due to a bug in the handling of memory lifetime when the module was configured to allow delegated credentials, the $KRB5CCNAME variable would be lost after the first request of an authenticated connection, causing web applications which relied on the presence of delegated credentials to fail. The memory lifetime handling has been fixed, allowing such web applications to access delegated credentials.

Hmm... I think that note should be rewritten to make it clearer how the Apache options conflicted.

New Contents:
The KrbSaveCredentials option, used primarily for delegated credentials, did not work correctly with Keep-Alive connections. Although the first request of an authenticated connection would have access to the $KRB5CCNAME variable, subsequent requests on the same connection would not. Credential storage has been moved from the request handler to the connection handler to fix the bug.

Technical note updated. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

Diffed Contents:
@@ -1 +1 @@ -Due to a bug in the handling of memory lifetime when the module was configured to allow delegated credentials, the $KRB5CCNAME variable would be lost after the first request of an authenticated connection, causing web applications which relied on the presence of delegated credentials to fail. The memory lifetime handling has been fixed, allowing such web applications to access delegated credentials.+The KrbSaveCredentials option, used primarily for delegated credentials, did not work correctly with Keep-Alive connections. Although the first request of an authenticated connection would have access to the $KRB5CCNAME variable, subsequent requests on the same connection would not. Credential storage has been moved from the request handler to the connection handler to fix the bug. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0877.html |
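Review bot: the replacement text in the `-`/`+` hunk drops the user-visible consequence the old wording carried ("causing web applications which relied on the presence of delegated credentials to fail"); consider keeping one sentence on that symptom next to the KrbSaveCredentials and Keep-Alive explanation, since it is what an administrator reading the errata will recognize from their own logs.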