688210 – mod_auth_kerb using krb5passwd and keepalive and credential delegation loses delegation after first request on connection

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 688210 - mod_auth_kerb using krb5passwd and keepalive and credential delegation loses delegation after first request on connection

Summary: mod_auth_kerb using krb5passwd and keepalive and credential delegation loses ...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	mod_auth_kerb
Sub Component:
Version:	6.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Joe Orton
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:	687975
Blocks:
TreeView+	depends on / blocked

Reported:	2011-03-16 15:04 UTC by Benjamin Kahn
Modified:	2012-10-12 09:05 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	The KrbSaveCredentials option, used primarily for delegated credentials, did not work correctly with Keep-Alive connections. Although the first request of an authenticated connection would have access to the $KRB5CCNAME variable, subsequent requests on the same connection would not. Credential storage has been moved from the request handler to the connection handler to fix the bug.
Clone Of:	687975
Environment:
Last Closed:	2012-06-20 14:04:44 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
Move credential cache destruction to the destruction of the CONNECTION not the REQUEST (1.39 KB, patch) 2011-03-16 17:52 UTC, Benjamin Kahn	no flags	Details \| Diff
Updated patch by mgbowman to solve resource leak (2.31 KB, patch) 2011-09-09 14:53 UTC, Benjamin Kahn	no flags	Details \| Diff
Fix a missing fclose call; was in original patch (2.25 KB, patch) 2012-02-23 17:00 UTC, Benjamin Kahn	no flags	Details \| Diff
Show Obsolete (2) View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2012:0877	0	normal	SHIPPED_LIVE	mod_auth_kerb bug fix and enhancement update	2012-06-19 20:47:44 UTC

Description Benjamin Kahn 2011-03-16 15:04:43 UTC

+++ This bug was initially created as a clone of Bug #687975 +++

Created attachment 485608 [details]
Move credential cache destruction to the destruction of the CONNECTION not the REQUEST

Description of problem:
mod_auth_kerb using krb5passwd and keepalive and credential delegation loses delegation after first request on connection

Version-Release number of selected component (if applicable):
mod_auth_kerb-5.4-5.1.fc14

How reproducible:
Tricky to reproduce since it requires multiple connections to a Kerberos password protected space using a compatible web browser with keep-alive enabled

Steps to Reproduce:
1. Set up Kerberos authentication:

<Location /private>
  SSLRequireSSL
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate Off
  KrbMethodK5Passwd On
  KrbSaveCredentials On
  KrbAuthRealms EXAMPLE.COM
  Krb5KeyTab /etc/krb5-apache.keytab
  require valid-user
</Location>

2. Set up your web browser to support Keberos Auth with delegation

http://www.grolmsnet.de/kerbtut/firefox.html
(Note that the link doesn't include setting up delegation; set network.negotiate-auth.delegation-uris to be the same as trusted-uris)

3. Create a CGI script which checks $KRB5CCNAME and $REMOTE_USER

http://modauthkerb.sourceforge.net/credential-cache-example.script

4. Turn on keep-alive
  
5. Start the web server

6. Reload a lot

Actual results:
Requests on the kept-alive connection, after the first one, will not have a valid $KRB5CCNAME environment variable

Expected results:
Every request should have correct credentials

Additional info:
See attached patch for fix.

Comment 2 Benjamin Kahn 2011-03-16 17:52:45 UTC

Created attachment 485803 [details]
Move credential cache destruction to the destruction of the CONNECTION not the REQUEST

Move credential cache destruction to the destruction of the CONNECTION not the REQUEST; also store the path to the credential cache.

Comment 3 Denise Dumas 2011-03-18 13:23:30 UTC

Ben, when Joe has a patched mod-auth-krb, can you test in your environment?

Comment 4 Benjamin Kahn 2011-03-18 14:32:24 UTC

Yes.  I have a fairly complete test environment.

(I can test with keep-alive on and off, and with Negotiate and with passwords only.)

Comment 5 RHEL Program Management 2011-07-06 01:37:16 UTC

This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.

Comment 10 RHEL Program Management 2011-08-19 18:08:40 UTC

This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.

Comment 11 Benjamin Kahn 2011-09-09 14:53:58 UTC

Created attachment 522349 [details]
Updated patch by mgbowman to solve resource leak

mgbowman found a resource leak in the previous patch here:
https://sourceforge.net/tracker/index.php?func=detail&aid=2818141&group_id=51775&atid=464524

This is the corrected patch.

Comment 17 Benjamin Kahn 2012-02-23 17:00:56 UTC

Created attachment 565338 [details]
Fix a missing fclose call; was in original patch

The patch here before was missing a line from the original: http://sourceforge.net/tracker/index.php?func=detail&aid=2818141&group_id=51775&atid=464524

I'm not sure how that line got dropped. Looking at the logic, a stat /would/ be more appropriate.

Comment 18 Joe Orton 2012-03-06 15:13:59 UTC

I've switched it to an apr_stat() call.

Comment 22 Benjamin Kahn 2012-04-26 19:00:39 UTC

I have tested this package and verified that the behavior is correct using both Negotiate and Basic Authentication via mod_auth_kerb.  The credential cache is kept around for the life of the keep-alive connection, and then destroyed.

Comment 24 Joe Orton 2012-05-01 09:54:41 UTC

    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Due to a bug in the handling of memory lifetime when the module was configured to allow delegated credentials, the $KRB5CCNAME variable would be lost after the first request of an authenticated connection, causing web applications which relied on the presence of delegated credentials to fail.  The memory lifetime handling has been fixed, allowing such web applications to access delegated credentials.

Comment 25 Benjamin Kahn 2012-05-01 14:55:48 UTC

Hmm... I think that note should be rewritten to make it clearer how the Apache options conflicted.

New Contents:
The KrbSaveCredentials option, used primarily for delegated credentials, did not work correctly with Keep-Alive connections. Although the first request of an authenticated connection would have access to the $KRB5CCNAME variable, subsequent requests on the same connection would not. Credential storage has been moved from the request handler to the connection handler to fix the bug.

Comment 26 Benjamin Kahn 2012-05-01 14:55:49 UTC

    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1 +1 @@
-Due to a bug in the handling of memory lifetime when the module was configured to allow delegated credentials, the $KRB5CCNAME variable would be lost after the first request of an authenticated connection, causing web applications which relied on the presence of delegated credentials to fail.  The memory lifetime handling has been fixed, allowing such web applications to access delegated credentials.+The KrbSaveCredentials option, used primarily for delegated credentials, did not work correctly with Keep-Alive connections. Although the first request of an authenticated connection would have access to the $KRB5CCNAME variable, subsequent requests on the same connection would not. Credential storage has been moved from the request handler to the connection handler to fix the bug.

Comment 28 errata-xmlrpc 2012-06-20 14:04:44 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0877.html

Note You need to log in before you can comment on or make changes to this bug.