#1 - Tom Parker 2010-02-16 21:52 - (Reply)
Thanks! This is exactly what I have been looking for. I still need to figure out Firefox 3.6 and Negotiate but until I do I can fall back to prompting for a password over an SSL connection.
Thanks again!
Tom
#1.1 - Moritz Bechler 2010-02-19 13:28 - (Reply)
For configuring Firefox to do Negotiate authentication see my prior blog posting http://mbechler.eenterphace.org/blog/index.php?/archives/6-Doing-GSSNegotiate-SSO-using-Mozilla-Firefox,-MIT-Kerberos-and-PHP.html
This applies to all recent versions of Firefox.
#2 - Tom Parker 2010-04-04 03:58 - (Reply)
Hi Again.
I was able to get your module working while prompting users to enter their username and password and then doing:
[geshi lang=php]
<?php
// Obtain a TGT for the user with the password they just entered over SSL
$ccache = new KRB5CCache();
$flags = array(
    "forwardable" => true,    // allow the ticket to be forwarded (delegation)
    "tkt_life"    => 60 * 60  // requested ticket lifetime in seconds (one hour)
);
$ccache->initPassword("user@REALM", "password", $flags);
[/geshi]
However, I have never been able to get Negotiate to work. It just silently does nothing. I am working on this again now that I have some more time, and I think there is an issue with your module and the new release of Kerberos 1.8.
I haven't written any code in years so I am having trouble tracking this down.
I now get "/usr/sbin/httpd2-prefork: symbol lookup error: /usr/lib64/php5/extensions/krb5.so: undefined symbol: krb5_random_confounder" every time I try to call your module.
Let me know what information you would need to track this down. I would love to see your module included in the default PHP release for OpenSuSE and SLES.
#2.1 - Moritz Bechler 2010-04-04 17:06 - (Reply)
Thanks for the hint about krb-1.8; the random confounder function was deprecated for some time and is not exported anymore. Also the detection of whether krb5_cc_new_unique is available seems to fail. I'm a little short of time right now but might be able to fix this by the end of the week.
For Negotiate auth, have you tried the spnego.php example included in the distribution?
Also, if you are using the (F)CGI APIs the authentication headers will never hit the PHP interpreter by default (for security reasons). The common way to bypass this in Apache is to add a rewrite rule like:
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
#2.1.1 - Tom Parker 2010-04-05 03:22 - (Reply)
Thanks for the quick reply. I just found some of the mailing list posts where they talk about deprecating krb5_random_confounder and several other functions as well.
For the Negotiate authentication, I am using PHP in Apache with mod_php, so as I understand it that is not being run as an external CGI. Even so, the HTTP_AUTHORIZATION header still does not seem to be getting through to your code. In my PHP code I have to call $headers = apache_request_headers() and then reference $headers['Authorization'] to see the Authorization header.
I was going to try to write my own NegotiateAuth function using your GSSAPI code but I haven't looked closely enough at it to see if I can. This is pretty new to me still and I don't completely understand the GSSAPI mechanism. More Google time is needed.
With your mod_rewrite rule and KRB5NegotiateAuth function the server never seems to send a 401 Authentication Required header back to the client. I have rewritten the rule to only match on Negotiate auth as follows, and that seems to get further in the authentication sequence.
RewriteEngine on
RewriteCond %{HTTP:Authorization} ^(Negotiate.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
When I look at my local credential cache after Firefox connects to the server I have an HTTP/f.q.d.n/@REALM ticket for the correct server, so that part seems to be working. Negotiate auth is also working for the same server under a different directory with mod_auth_kerb, so I know Firefox works.
I will keep checking back here for comments and updates from you.
Thanks once again for this great module. Once I can get it working on our systems it will simplify our lives dramatically (and mean that our users will actually HAVE to change their passwords periodically because I can enforce it centrally for all systems no matter where they sit.)
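As an added example (not code from this blog, the comments, or the php_krb5 distribution), here is the flow discussed in #2, #2.1 and #2.1.1 in one PHP script: pick up the Authorization header whichever way it reached the interpreter, send the 401 Negotiate challenge when it is absent, hand a Negotiate token to the module, and fall back to the password check via KRB5CCache::initPassword when the page is served over HTTPS. The php_krb5 calls KRB5NegotiateAuth($keytab), doAuthentication(), getAuthenticatedUser() and KRB5CCache::getPrincipal() are assumed from memory of the module's API and should be checked against the version you build; the keytab path and realm are placeholders.

```php
<?php
// Added example, not part of php_krb5 or this blog. Assumed module API (verify
// against your build): new KRB5NegotiateAuth(string $keytab), ->doAuthentication()
// returning bool, ->getAuthenticatedUser() returning the principal, and
// KRB5CCache::initPassword() / KRB5CCache::getPrincipal().
// KEYTAB and REALM are placeholders.
define('KEYTAB', '/etc/apache2/http.keytab');
define('REALM', 'EXAMPLE.COM');

function is_https()
{
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

// Return the raw Authorization header however it reached PHP: as
// $_SERVER['HTTP_AUTHORIZATION'] (set by the RewriteRule under (F)CGI),
// or via apache_request_headers() under mod_php (Tom's case in #2.1.1).
function authorization_header()
{
    foreach (array('HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION') as $key) {
        if (!empty($_SERVER[$key])) {
            return $_SERVER[$key];
        }
    }
    if (function_exists('apache_request_headers')) {
        $headers = array_change_key_case(apache_request_headers(), CASE_LOWER);
        if (!empty($headers['authorization'])) {
            return $headers['authorization'];
        }
    }
    return null;
}

// Send the 401 that makes a Kerberos-enabled browser retry with a SPNEGO token.
// Basic is offered as a second scheme only over HTTPS, so a password never
// travels in the clear.
function challenge()
{
    header('HTTP/1.1 401 Unauthorized');
    header('WWW-Authenticate: Negotiate');
    if (is_https()) {
        header('WWW-Authenticate: Basic realm="' . REALM . '"', false);
    }
    echo "Authentication required\n";
    exit;
}

$auth = authorization_header();
if ($auth === null) {
    challenge();
}

$user = null;
if (stripos($auth, 'Negotiate ') === 0) {
    // The module is assumed to read the token from $_SERVER['HTTP_AUTHORIZATION'];
    // copy it there in case it only arrived via apache_request_headers().
    $_SERVER['HTTP_AUTHORIZATION'] = $auth;
    try {
        $neg = new KRB5NegotiateAuth(KEYTAB);
        if ($neg->doAuthentication()) {
            $user = $neg->getAuthenticatedUser();
        }
    } catch (Exception $e) {
        // Bad token, SPN missing from the keytab, clock skew: log and re-challenge.
        error_log('Negotiate failed: ' . $e->getMessage());
    }
} elseif (stripos($auth, 'Basic ') === 0 && is_https()) {
    $parts = explode(':', base64_decode(substr($auth, 6)), 2);
    if (count($parts) !== 2 || $parts[0] === '') {
        challenge();
    }
    list($login, $password) = $parts;
    $principal = (strpos($login, '@') === false) ? $login . '@' . REALM : $login;
    // Verify the password by obtaining a short-lived TGT, as in Tom's snippet.
    $ccache = new KRB5CCache();
    try {
        if ($ccache->initPassword($principal, $password, array('tkt_life' => 300))) {
            $user = $ccache->getPrincipal();
        }
    } catch (Exception $e) {
        // Wrong password, unknown principal or KDC unreachable: re-challenge.
        error_log('Password check failed: ' . $e->getMessage());
    }
}

if ($user === null) {
    challenge();
}

header('Content-Type: text/plain');
echo 'Authenticated as ' . $user . "\n";
```

Two points worth keeping in mind when adapting this: the explicit copy into $_SERVER['HTTP_AUTHORIZATION'] is what bridges the gap Tom describes under mod_php, and the password branch only proves that a KDC handed out a TGT, so a deployment that cannot trust its network path to the KDC should additionally obtain a service ticket for its own HTTP principal and check it against the keytab before treating the login as verified.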
#2.1.2 - Tom Parker 2010-04-05 03:38 - (Reply)
With the mod_rewrite rule in my previous comment and your spnego.php example code I get the following in my Apache error_log.
ALERT - canary mismatch on efree() - heap overflow detected (attacker '', file '/wwwroot/krb5/spnego.php', line 9)
#3 - Dennis Rieks 2010-04-09 17:08 - (Reply)
Hi,
We had some problems using php_krb5 on SuSE Linux Enterprise Server 10, SuSE Linux Enterprise Server 11 and OpenSuSE 11.1.
First, we are using 64-bit systems and configure can't find the krb5-devel headers.
Fix: change $DIRECTORY/lib/ to $DIRECTORY/lib64/ in configure (4 places).
On SuSE Enterprise Server 10 and OpenSuSE 11.1, we had to change #include to #include
There is also a crash, negotiate_auth.c line 252: efree(input_token)
We need to comment this line out, otherwise the lighttpd FastCGI module will crash. Is this a memory leak?
Do you have a newer version of php_krb5 than 1.0rc1?
Do you need more information to reproduce this bug?
Thank you,
Dennis Rieks
#3.1 - Moritz Bechler 2010-04-09 17:39 - (Reply)
Thanks for the reports.
I'm planning to release a new version this weekend as there are some more issues that need to be addressed.
Unfortunately the arguments to #include which you needed to change were stripped by the blog software, could you provide them again?
#4 - Dennis Rieks 2010-04-09 19:44 - (Reply)
Hi,
Thanks for the quick response, and great to hear you have an update in the pipeline!
In the files from the bundle (admin.h & kadm_err.h) we had to change the include for com_err.h to et/com_err.h (it worked fine for SLES11 though). Maybe you could put a note in the readme.
Dennis
© 2013 Moritz Bechler