Hide Forgot
+++ This bug was initially created as a clone of Bug #687975 +++ Created attachment 485608 [details] Move credential cache destruction to the destruction of the CONNECTION not the REQUEST Description of problem: mod_auth_kerb using krb5passwd and keepalive and credential delegation loses delegation after first request on connection Version-Release number of selected component (if applicable): mod_auth_kerb-5.4-5.1.fc14 How reproducible: Tricky to reproduce since it requires multiple connections to a Kerberos password protected space using a compatible web browser with keep-alive enabled Steps to Reproduce: 1. Set up Kerberos authentication: <Location /private> SSLRequireSSL AuthType Kerberos AuthName "Kerberos Login" KrbMethodNegotiate Off KrbMethodK5Passwd On KrbSaveCredentials On KrbAuthRealms EXAMPLE.COM Krb5KeyTab /etc/krb5-apache.keytab require valid-user </Location> 2. Set up your web browser to support Keberos Auth with delegation http://www.grolmsnet.de/kerbtut/firefox.html (Note that the link doesn't include setting up delegation; set network.negotiate-auth.delegation-uris to be the same as trusted-uris) 3. Create a CGI script which checks $KRB5CCNAME and $REMOTE_USER http://modauthkerb.sourceforge.net/credential-cache-example.script 4. Turn on keep-alive 5. Start the web server 6. Reload a lot Actual results: Requests on the kept-alive connection, after the first one, will not have a valid $KRB5CCNAME environment variable Expected results: Every request should have correct credentials Additional info: See attached patch for fix.
Created attachment 485803 [details] Move credential cache destruction to the destruction of the CONNECTION not the REQUEST Move credential cache destruction to the destruction of the CONNECTION not the REQUEST; also store the path to the credential cache.
Ben, when Joe has a patched mod-auth-krb, can you test in your environment?
Yes. I have a fairly complete test environment. (I can test with keep-alive on and off, and with Negotiate and with passwords only.)
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux. If you would like it considered as an exception in the current release, please ask your support representative.
Created attachment 522349 [details] Updated patch by mgbowman to solve resource leak mgbowman found a resource leak in the previous patch here: https://sourceforge.net/tracker/index.php?func=detail&aid=2818141&group_id=51775&atid=464524 This is the corrected patch.
Created attachment 565338 [details] Fix a missing fclose call; was in original patch The patch here before was missing a line from the original: http://sourceforge.net/tracker/index.php?func=detail&aid=2818141&group_id=51775&atid=464524 I'm not sure how that line got dropped. Looking at the logic, a stat /would/ be more appropriate.
I've switched it to an apr_stat() call.
I have tested this package and verified that the behavior is correct using both Negotiate and Basic Authentication via mod_auth_kerb. The credential cache is kept around for the life of the keep-alive connection, and then destroyed.
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: Due to a bug in the handling of memory lifetime when the module was configured to allow delegated credentials, the $KRB5CCNAME variable would be lost after the first request of an authenticated connection, causing web applications which relied on the presence of delegated credentials to fail. The memory lifetime handling has been fixed, allowing such web applications to access delegated credentials.
Hmm... I think that note should be rewritten to make it clearer how the Apache options conflicted. New Contents: The KrbSaveCredentials option, used primarily for delegated credentials, did not work correctly with Keep-Alive connections. Although the first request of an authenticated connection would have access to the $KRB5CCNAME variable, subsequent requests on the same connection would not. Credential storage has been moved from the request handler to the connection handler to fix the bug.
Technical note updated. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. Diffed Contents: @@ -1 +1 @@ -Due to a bug in the handling of memory lifetime when the module was configured to allow delegated credentials, the $KRB5CCNAME variable would be lost after the first request of an authenticated connection, causing web applications which relied on the presence of delegated credentials to fail. The memory lifetime handling has been fixed, allowing such web applications to access delegated credentials.+The KrbSaveCredentials option, used primarily for delegated credentials, did not work correctly with Keep-Alive connections. Although the first request of an authenticated connection would have access to the $KRB5CCNAME variable, subsequent requests on the same connection would not. Credential storage has been moved from the request handler to the connection handler to fix the bug.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0877.html