--- libapache-mod-auth-kerb-5.4.orig/debian/rules
+++ libapache-mod-auth-kerb-5.4/debian/rules
@@ -0,0 +1,102 @@ +#!/usr/bin/make -f + +# Uncomment this to turn on verbose mode. +#export DH_VERBOSE=1 + + +# These are used for cross-compiling and for saving the configure script +# from having to guess our platform (since we know it already) +DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) +DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE) + + +include /usr/share/quilt/quilt.make + +CFLAGS = -Wall -g + +ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS))) + INSTALL_PROGRAM += -s +endif + +## -------- BUILD TARGETS + +build: build-stamp + +build-stamp: patch + dh_testdir + touch build-stamp + + +## -------- BUILD TARGETS +build-apache20: + dh_testdir + #-$(MAKE) clean + [ ! -f Makefile ] || $(MAKE) clean + autoconf + ./configure --without-krb4 APXS=/usr/bin/apxs2 --with-apache=/usr/bin/apache2 + make + +## -------- INSTALL TARGETS +apache20: build-apache20 + mkdir -p $(CURDIR)/debian/libapache2-mod-auth-kerb/usr/lib/apache2/modules/ \ + $(CURDIR)/debian/libapache2-mod-auth-kerb/usr/share/doc/libapache2-mod-auth-kerb \ + $(CURDIR)/debian/libapache2-mod-auth-kerb/etc/apache2/mods-available + install -s -m 644 $(CURDIR)/src/.libs/mod_auth_kerb.so $(CURDIR)/debian/libapache2-mod-auth-kerb/usr/lib/apache2/modules/mod_auth_kerb.so + install $(CURDIR)/src/.libs/mod_auth_kerb.so $(CURDIR)/debian/libapache2-mod-auth-kerb/usr/lib/apache2/modules/mod_auth_kerb.so + install -m644 $(CURDIR)/debian/auth_kerb.load $(CURDIR)/debian/libapache2-mod-auth-kerb/etc/apache2/mods-available + install -m 644 $(CURDIR)/README \ + $(CURDIR)/debian/libapache2-mod-auth-kerb/usr/share/doc/libapache2-mod-auth-kerb/ + +## -------- CLEAN TARGETS + +clean: unpatch + dh_testdir + dh_testroot + rm -f build-stamp + rm -f config.log config.status + + #-$(MAKE) clean + [ ! 
-f Makefile ] || $(MAKE) clean +ifneq "$(wildcard /usr/share/misc/config.sub)" "" + rm -f config.sub +endif +ifneq "$(wildcard /usr/share/misc/config.guess)" "" + rm -f config.guess +endif + rm -fr src/.libs spnegokrb5/.libs + rm -f debian/files + dh_clean -k + +## -------- INSTALL TARGETS + +install: install-stamp +intall-stamp: + dh_testdir + dh_testroot + dh_clean -k + dh_installdirs + +# Build architecture-independent files here. +binary-indep: +# We have nothing to do by default. + +# Build architecture-dependent files here. +binary-arch: build apache20 + dh_testdir -a + dh_testroot -a + dh_installchangelogs + dh_installdocs + dh_installexamples + dh_installman + dh_link + dh_strip + dh_compress + dh_fixperms + dh_installdeb + dh_shlibdeps + dh_gencontrol + dh_md5sums + dh_builddeb + +binary: binary-arch binary-indep +.PHONY: binary-indep binary-arch build-apache20 binary install patch unpatch --- libapache-mod-auth-kerb-5.4.orig/debian/control +++ libapache-mod-auth-kerb-5.4/debian/control 
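Review bot: `install: install-stamp` has no matching rule because the target under it is spelled `intall-stamp:`, so `debian/rules install` stops with no rule to make `install-stamp`, and the recipe never creates a stamp file either. Rename the target to `install-stamp:` and end its recipe with `touch install-stamp`. In `apache20` the module is installed twice: the second `install` has no `-m`, so it overwrites the stripped 0644 copy with an unstripped one at install's default mode, while the first uses `-s` unconditionally and so ignores the `nostrip` handling set up at the top of the file. Keeping a single `install -m 644 ...` line and leaving stripping to `dh_strip` would be consistent with the rest of the file. In `build-apache20` the bare `make` should be `$(MAKE)`.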
@@ -0,0 +1,25 @@
+Source: libapache-mod-auth-kerb
+Section: net
+Priority: optional
+Maintainer: Ghe Rivero
+Build-Depends: debhelper (>= 4), autotools-dev, libkrb5-dev (>= 1.4.0), autoconf, apache2-threaded-dev (>= 2.2.3), quilt
+Standards-Version: 3.7.3
+
+Package: libapache-mod-auth-kerb
+Architecture: any
+Depends: libapache2-mod-auth-kerb
+Description: apache module for Kerberos authentication
+ An apache module for authenticating users in a Kerberos realm.
+ It supports basic user and password authentication or a
+ negotiate auth based on Kerberos tickets.
+ .
+ Dummy transantional package to apache 2
+
+Package: libapache2-mod-auth-kerb
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, apache2.2-common, krb5-config
+Description: apache2 module for Kerberos authentication
+ An apache2 module for authenticating users in a Kerberos realm.
+ It supports basic user and password authentication or a
+ negotiate auth based on Kerberos tickets.
+ .
--- libapache-mod-auth-kerb-5.4.orig/debian/libapache2-mod-auth-kerb.docs
+++ libapache-mod-auth-kerb-5.4/debian/libapache2-mod-auth-kerb.docs
@@ -0,0 +1 @@
+debian/README.Debian
--- libapache-mod-auth-kerb-5.4.orig/debian/libapache2-mod-auth-kerb.postinst
+++ libapache-mod-auth-kerb-5.4/debian/libapache2-mod-auth-kerb.postinst
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -e
+
+#DEBHELPER#
+if [ "$1" = "configure" ]; then
+ a2enmod auth_kerb || true
+fi
+
+exit 0
+
--- libapache-mod-auth-kerb-5.4.orig/debian/auth_kerb.load
+++ libapache-mod-auth-kerb-5.4/debian/auth_kerb.load
@@ -0,0 +1 @@
+LoadModule auth_kerb_module /usr/lib/apache2/modules/mod_auth_kerb.so
--- libapache-mod-auth-kerb-5.4.orig/debian/README.Debian
+++ libapache-mod-auth-kerb-5.4/debian/README.Debian
@@ -0,0 +1,6 @@
+libapache-mod-auth-kerb for Debian
+----------------------------------
+
+ Support is finally included on Firefox and Konqueror.
+
+ -- Ghe Rivero , Tue, 22 Nov 2005 17:41:00 +0100
--- libapache-mod-auth-kerb-5.4.orig/debian/htaccess_sample
+++ libapache-mod-auth-kerb-5.4/debian/htaccess_sample
@@ -0,0 +1,5 @@
+AuthType Kerberos
+AuthName "Kerberos Login"
+KrbAuthRealms YOUR_REALM
+require valid-user
+Krb5Keytab /etc/apache-ssl/krb5.keytab
--- libapache-mod-auth-kerb-5.4.orig/debian/libapache-mod-auth-kerb.docs
+++ libapache-mod-auth-kerb-5.4/debian/libapache-mod-auth-kerb.docs
@@ -0,0 +1 @@
+debian/README.Debian
--- libapache-mod-auth-kerb-5.4.orig/debian/watch
+++ libapache-mod-auth-kerb-5.4/debian/watch
@@ -0,0 +1,3 @@
+version=3
+opts=dversionmangle=s/4\.996\-// \
+http://sf.net/modauthkerb/mod_auth_kerb-([\d.]*).tar.gz debian uupdate
--- libapache-mod-auth-kerb-5.4.orig/debian/500mod_auth_kerb.info
+++ libapache-mod-auth-kerb-5.4/debian/500mod_auth_kerb.info
@@ -0,0 +1,13 @@
+LoadModule: auth_kerb_module /usr/lib/apache/1.3/mod_auth_kerb.so
+Directives:
+ KrbMethodNegotiate
+ KrbMethodK5Passwd
+ KrbMethodK4Passwd
+ KrbAuthoritative
+ KrbAuthRealms
+ KrbVerifyKDC
+ KrbServiceName
+ Krb4Srvtab
+ Krb5Keytab
+ KrbSaveCredentials
+Description: Support for Kerberos authentication
--- libapache-mod-auth-kerb-5.4.orig/debian/libapache-mod-auth-kerb.postinst
+++ libapache-mod-auth-kerb-5.4/debian/libapache-mod-auth-kerb.postinst
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+set -e
+
+for i in apache apache-ssl apache-perl; do
+ if [ -e /etc/$i/httpd.conf ]; then
+ modules-config $i enable mod_auth_kerb
+ fi
+done
+
+#DEBHELPER#
+
+exit 0
--- libapache-mod-auth-kerb-5.4.orig/debian/compat
+++ libapache-mod-auth-kerb-5.4/debian/compat
@@ -0,0 +1 @@
+4
--- libapache-mod-auth-kerb-5.4.orig/debian/libapache2-mod-auth-kerb.prerm
+++ libapache-mod-auth-kerb-5.4/debian/libapache2-mod-auth-kerb.prerm
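Review bot: The `htaccess_sample` hunk turns on Kerberos authentication without restricting the method or requiring TLS. The module defaults visible in this package's patches set `krb_method_k5pass = 1`, so Basic password authentication is offered and the Kerberos password travels only base64-encoded wherever the location is reachable over plain HTTP. The sample should carry `SSLRequireSSL`, or `KrbMethodK5Passwd off` for Negotiate-only sites, with a comment explaining the choice. `Krb5Keytab /etc/apache-ssl/krb5.keytab` names an Apache 1.3-era directory, and a comment should say the keytab must be readable only by the web server account.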
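Review bot: The `debian/watch` hunk fetches the upstream tarball over plain `http://sf.net/...` with no integrity check, so what uscan hands to `uupdate` is only as trustworthy as the network path. Prefer an https URL. If upstream publishes detached signatures (not visible from this page), add `pgpsigurlmangle=s/$/.asc/` to `opts` and ship the upstream key as `debian/upstream/signing-key.asc`.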
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -e
+
+#DEBHELPER#
+
+if [ "$1" = "remove" ]; then
+ a2dismod auth_kerb || true
+ fi
+
+exit 0
--- libapache-mod-auth-kerb-5.4.orig/debian/changelog
+++ libapache-mod-auth-kerb-5.4/debian/changelog
@@ -0,0 +1,164 @@ +libapache-mod-auth-kerb (5.4-1) unstable; urgency=low + + * New upstream release + + -- Ghe Rivero Mon, 15 Mar 2010 08:50:07 +0100 + +libapache-mod-auth-kerb (5.3-5) unstable; urgency=low + + * Migrate patches to quilt + * Added patch gssapi_delegation (Closes: #480097) + * Added patch krb_append_realm + + -- Ghe Rivero Thu, 08 May 2008 09:22:42 +0200 + +libapache-mod-auth-kerb (5.3-4) unstable; urgency=low + + * Some lintian cleans: + - build-depends-on-1-revision + + -- Ghe Rivero Tue, 19 Feb 2008 12:08:38 +0100 + +libapache-mod-auth-kerb (5.3-3) experimental; urgency=low + + * Added patch auth_to_local (no @REALM necessary) + + -- Ghe Rivero Mon, 11 Feb 2008 08:37:27 +0100 + +libapache-mod-auth-kerb (5.3-2) unstable; urgency=low + + * watch file working again. (Closes: #453603) + * clean lintian error: debian package revision + * clean lintian error: make clean rules + + -- Ghe Rivero Fri, 1 Feb 2008 17:59:18 +0100 + +libapache-mod-auth-kerb (5.3-1.4) unstable; urgency=low + + * Added patch gssapi_any (Closes: #460958) by Russ Allbery + * Updated to 3.7.3 Debian Policy + * Removed homapage from package Description + * Changed Section from web to net + + -- Ghe Rivero Wed, 16 Jan 2008 08:51:16 +0100 + +libapache-mod-auth-kerb (5.3-1.3) unstable; urgency=low + + * Remove apache1.x support (Closes: #429125) + + -- Ghe Rivero Sun, 17 Jun 2007 12:36:00 +0200 + +libapache-mod-auth-kerb (5.3-1.2) unstable; urgency=low + + * Applied patch from ubuntu to remove bashisms (Closes: #376550) + + -- Ghe Rivero Fri, 25 May 2007 18:24:11 +0200 + +libapache-mod-auth-kerb (5.3-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * Remove check on krb5_init_context() in configure script, it does also work + without it (Closes: #423785). + + -- Mario Iseli Fri, 18 May 2007 18:58:21 +0200 + +libapache-mod-auth-kerb (5.3-1) unstable; urgency=high + + * New upstream release + * Fixes posible heap-based buffer overflow. 
CVE-2006-5989 + + -- Ghe Rivero Wed, 22 Nov 2006 16:16:35 +0100 + +libapache-mod-auth-kerb (5.2-1) unstable; urgency=low + + * New upstream release + * 03rcache.dpatch disabled. (Included upstream) + + -- Ghe Rivero Mon, 6 Nov 2006 21:13:40 +0100 + +libapache-mod-auth-kerb (5.1-2) unstable; urgency=high + + * 03rcache.dpatch (Closes: #395931, #396669) + + -- Ghe Rivero Thu, 2 Nov 2006 23:02:22 +0100 + +libapache-mod-auth-kerb (5.1-1) unstable; urgency=medium + + * New upstream release + * New maintaner e-mail (Finally DD!) + + -- Ghe Rivero Fri, 20 Oct 2006 01:43:38 +0200 + +libapache-mod-auth-kerb (4.996-5.0-rc7-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * Update for apache 2.2 (Closes: #391760). + * Tighten build depends on libkrb5-dev (Closes: #389936). + + -- Luk Claes Mon, 16 Oct 2006 21:47:56 +0200 + +libapache-mod-auth-kerb (4.996-5.0-rc7-1) unstable; urgency=low + + * New upstream release + * Updated Policy Version to 3.7.2 + * Added autotools-dev as build-dependency + * Added homepage to descriptions + + -- Ghe Rivero Sun, 19 Mar 2006 11:08:44 +0100 + +libapache-mod-auth-kerb (4.996-5.0-rc6-3) unstable; urgency=low + + * Fix GSSAPI fails with "Request is a replay" under krb5 1.4.3 + Closes: #340360 + * Updated Policy Version to 3.6.2 + + -- Ghe Rivero Tue, 13 Dec 2005 23:46:06 +0100 + +libapache-mod-auth-kerb (4.996-5.0-rc6-2) unstable; urgency=low + + * Added patch from Andreas Jochens to build on AMD64 arch, Closes: #300810 + * Build depends on dpatch + * Added watch file + * New maintainer (finally) + * Update README file (support on Firefox and Konqueror), Closes: #329180 + + -- Ghe Rivero Thu, 31 Mar 2005 17:54:49 +0200 + +libapache-mod-auth-kerb (4.996-5.0-rc6-1) unstable; urgency=low + + * New upstream version + * Closes: #290676 + + -- Ghe Rivero Fri, 11 Feb 2005 00:50:51 +0100 + +libapache-mod-auth-kerb (4.996-5.0-rc5-2) unstable; urgency=low + + * Added support for apache2 package, Closes: #264231 + + -- Ghe Rivero Mon, 6 Dec 
2004 20:45:08 +0100 + +libapache-mod-auth-kerb (4.996-5.0-rc5-1) unstable; urgency=low + + * New maintainer + * New upstream version + + -- Sam Hartman Sat, 5 Jun 2004 19:57:41 -0400 + +libapache-mod-auth-kerb (4.995.0rc4-1.1) unstable; urgency=low + + * Depend on autoconf, Closes: #236946 + * Patch upstream configure.in to not require httpd to be installed; + this patch is hackish but I've sent mail to upstream asking for a + better solution + * Build --without-krb4, Closes: #240326 + + -- Sam Hartman Fri, 26 Mar 2004 15:48:40 -0500 + +libapache-mod-auth-kerb (4.995.0rc4-1) unstable; urgency=low + + * Initial Release. (Closes: #234099) + * This is my first Debian package. + * Almost everithing copied from the auth-pgsql package. + + -- Miguel A. Arevalo Sat, 21 Feb 2004 16:18:14 +0100 + --- libapache-mod-auth-kerb-5.4.orig/debian/libapache2-mod-auth-kerb.dirs +++ libapache-mod-auth-kerb-5.4/debian/libapache2-mod-auth-kerb.dirs @@ -0,0 +1,3 @@ +usr/lib/apache2/modules +usr/share/doc/libapache2-mod-auth-kerb +etc/apache2/mods-available --- libapache-mod-auth-kerb-5.4.orig/debian/copyright +++ libapache-mod-auth-kerb-5.4/debian/copyright 
@@ -0,0 +1,67 @@ +This package was debianized by Miguel A. Arevalo on +Sat, 21 Feb 2004 16:18:14 +0100. + +It was downloaded from http://modauthkerb.sourceforge.net/ + +Copyright: Daniel Kouril + +License: + +The `Apache Software License' is an Open Source Initiative Approved +License. + +The Apache Software License, Version 1.1 + +Copyright (c) 2000 The Apache Software Foundation. All rights +reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: + +1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + +2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in + the documentation and/or other materials provided with the + distribution. + +3. The end-user documentation included with the redistribution, + if any, must include the following acknowledgment: + "This product includes software developed by the + Apache Software Foundation (http://www.apache.org/)." + Alternately, this acknowledgment may appear in the software itself, + if and wherever such third-party acknowledgments normally appear. + +4. The names "Apache" and "Apache Software Foundation" must + not be used to endorse or promote products derived from this + software without prior written permission. For written + permission, please contact apache@apache.org. + +5. Products derived from this software may not be called "Apache", + nor may "Apache" appear in their name, without prior written + permission of the Apache Software Foundation. + +THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED +WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. 
IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR +ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF +USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT +OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +SUCH DAMAGE. +==================================================================== + +This software consists of voluntary contributions made by many +individuals on behalf of the Apache Software Foundation. For more +information on the Apache Software Foundation, please see +. + +Portions of this software are based upon public domain software +originally written at the National Center for Supercomputing Applications, +University of Illinois, Urbana-Champaign. --- libapache-mod-auth-kerb-5.4.orig/debian/libapache-mod-auth-kerb.prerm +++ libapache-mod-auth-kerb-5.4/debian/libapache-mod-auth-kerb.prerm @@ -0,0 +1,26 @@ +#!/bin/sh + +set -e + +killconf() { + for i in apache apache-ssl apache-perl; do + if [ -e /etc/$i/httpd.conf ]; then + modules-config $i disable mod_auth_kerb quiet + fi + done +} + +case "$1" in + remove) + killconf + ;; + upgrade | deconfigure | failed-upgrade) + : + ;; + *) echo "$0: didn't understand being called with \`$1'" 1>&2 + exit 1;; +esac + +#DEBHELPER# + +exit 0 --- libapache-mod-auth-kerb-5.4.orig/debian/libapache-mod-auth-kerb.dirs +++ libapache-mod-auth-kerb-5.4/debian/libapache-mod-auth-kerb.dirs @@ -0,0 +1,2 @@ +usr/lib/apache/1.3 +usr/share/doc/libapache-mod-auth-kerb --- libapache-mod-auth-kerb-5.4.orig/debian/patches/auth_to_local.patch +++ libapache-mod-auth-kerb-5.4/debian/patches/auth_to_local.patch 
@@ -0,0 +1,131 @@ +Index: libapache-mod-auth-kerb-5.3/src/mod_auth_kerb.c +=================================================================== +--- libapache-mod-auth-kerb-5.3.orig/src/mod_auth_kerb.c 2008-05-08 10:30:59.000000000 +0200 ++++ libapache-mod-auth-kerb-5.3/src/mod_auth_kerb.c 2008-05-08 10:31:05.000000000 +0200 +@@ -165,6 +165,7 @@ + char *krb_5_keytab; + int krb_method_gssapi; + int krb_method_k5pass; ++ int krb5_auth_to_local; + #endif + #ifdef KRB4 + char *krb_4_srvtab; +@@ -227,6 +228,9 @@ + + command("KrbMethodK5Passwd", ap_set_flag_slot, krb_method_k5pass, + FLAG, "Enable Kerberos V5 password authentication."), ++ ++ command("Krb5AuthToLocal", ap_set_flag_slot, krb5_auth_to_local, ++ FLAG, "Enable Kerberos V5 auth_to_local mapping."), + #endif + + #ifdef KRB4 +@@ -322,6 +326,7 @@ + #ifdef KRB5 + ((kerb_auth_config *)rec)->krb_method_k5pass = 1; + ((kerb_auth_config *)rec)->krb_method_gssapi = 1; ++ ((kerb_auth_config *)rec)->krb5_auth_to_local = 0; + #endif + #ifdef KRB4 + ((kerb_auth_config *)rec)->krb_method_k4pass = 1; +@@ -746,6 +751,78 @@ + } + + static int ++do_krb5_an_to_ln(request_rec *r, const kerb_auth_config *conf, MK_POOL *p) ++{ ++ const int lname_size = 1024; ++ ++ krb5_context kcontext; ++ krb5_principal princ; ++ krb5_error_code code; ++ char lname[lname_size]; ++ int ret; ++ ++ if (!conf->krb5_auth_to_local) { ++ return OK; ++ } ++ ++ ret = HTTP_INTERNAL_SERVER_ERROR; ++ ++ code = krb5_init_context(&kcontext); ++ if (code) { ++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, ++ "Cannot initialize Kerberos5 context (%d)", code); ++ return HTTP_INTERNAL_SERVER_ERROR; ++ } ++ ++ code = krb5_parse_name(kcontext, MK_USER, &princ); ++ if (code) { ++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, ++ "krb5_parse_name() failed for name %s: %s", ++ MK_USER, ++ krb5_get_err_text(kcontext, code)); ++ krb5_free_context(kcontext); ++ return HTTP_INTERNAL_SERVER_ERROR; ++ } ++ ++ code = krb5_aname_to_localname(kcontext, princ, sizeof(lname), lname); ++ if 
(code) { ++ if (code != KRB5_LNAME_NOTRANS) { ++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, ++ "krb5_aname_to_localname() failed: %s", ++ krb5_get_err_text(kcontext, code)); ++ /* fall through */ ++ } ++ else { ++ log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r, ++ "krb5_aname_to_localname() found no " ++ "mapping for principal %s", ++ MK_USER); ++ /* fall through */ ++ } ++ } ++ else { ++ /* Does this belong in an authz handler? */ ++ if (!krb5_kuserok(kcontext, princ, lname)) { ++ log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r, ++ "krb5_kuserok(%s, %s) == false", ++ MK_USER, lname); ++ ret = HTTP_UNAUTHORIZED; ++ } ++ else { ++ log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r, ++ "doing auth_to_local: %s -> %s", ++ MK_USER, lname); ++ MK_USER = apr_pstrdup(p, lname); ++ ret = OK; ++ } ++ } ++ krb5_free_principal(kcontext, princ); ++ krb5_free_context(kcontext); ++ ++ return ret; ++} ++ ++static int + krb5_cache_cleanup(void *data) + { + krb5_context context; +@@ -1537,11 +1614,17 @@ + + #ifdef KRB5 + if (use_krb5 && conf->krb_method_gssapi && +- strcasecmp(auth_type, MECH_NEGOTIATE) == 0) { +- ret = authenticate_user_gss(r, conf, auth_line, &negotiate_ret_value); ++ strcasecmp(auth_type, MECH_NEGOTIATE) == 0) { ++ ret = authenticate_user_gss(r, conf, auth_line, &negotiate_ret_value); ++ if (ret == OK) { ++ ret = do_krb5_an_to_ln(r, conf, r->connection->pool); ++ } + } else if (use_krb5 && conf->krb_method_k5pass && +- strcasecmp(auth_type, "Basic") == 0) { +- ret = authenticate_user_krb5pwd(r, conf, auth_line); ++ strcasecmp(auth_type, "Basic") == 0) { ++ ret = authenticate_user_krb5pwd(r, conf, auth_line); ++ if (ret == OK) { ++ ret = do_krb5_an_to_ln(r, conf, r->pool); ++ } + } + #endif + --- libapache-mod-auth-kerb-5.4.orig/debian/patches/gssapi_any.patch +++ libapache-mod-auth-kerb-5.4/debian/patches/gssapi_any.patch 
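Review bot: In `do_krb5_an_to_ln` both `/* fall through */` branches after a failed `krb5_aname_to_localname()` leave `ret` at its initial `HTTP_INTERNAL_SERVER_ERROR`, so a correctly authenticated user with no local mapping (`KRB5_LNAME_NOTRANS`) receives a 500. That fails closed, but it records an access-control denial as a server fault in logs and monitoring. Set the status explicitly in that branch, e.g. `ret = HTTP_UNAUTHORIZED;` to match the `krb5_kuserok` failure, and replace the fall-through comments with one naming the intended result. The Negotiate caller passes `r->connection->pool` while the Basic caller passes `r->pool` for the `apr_pstrdup` of the mapped name; either use `r->pool` in both or add a comment explaining why the lifetimes differ. `char lname[lname_size]` with a `const int` size is a variable-length array in C; a `#define` or `enum` constant avoids that.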
@@ -0,0 +1,29 @@ +Index: libapache-mod-auth-kerb-5.3/README +=================================================================== +--- libapache-mod-auth-kerb-5.3.orig/README 2008-05-08 08:25:26.000000000 +0200 ++++ libapache-mod-auth-kerb-5.3/README 2008-05-08 08:26:15.000000000 +0200 +@@ -66,6 +66,8 @@ + is used. The FQDN part can contain any hostname and can be used to work + around problems with misconfigured DNS. A corresponding key of this name + must be stored in the keytab. ++ If this option is set to 'Any', then any prinicpal from the keytab which ++ matches the client's request may be used. + + Krb4Srvtab /path/to/srvtab + This option takes one argument, specifying the path to the Kerberos V4 +Index: libapache-mod-auth-kerb-5.3/src/mod_auth_kerb.c +=================================================================== +--- libapache-mod-auth-kerb-5.3.orig/src/mod_auth_kerb.c 2008-05-08 08:25:26.000000000 +0200 ++++ libapache-mod-auth-kerb-5.3/src/mod_auth_kerb.c 2008-05-08 08:26:15.000000000 +0200 +@@ -1140,7 +1140,10 @@ + have_server_princ = conf->krb_service_name && strchr(conf->krb_service_name, '/') != NULL; + if (have_server_princ) + strncpy(buf, conf->krb_service_name, sizeof(buf)); +- else ++ else if (conf->krb_service_name && strcmp(conf->krb_service_name, "Any") == 0) { ++ *server_creds = GSS_C_NO_CREDENTIAL; ++ return 0; ++ } else + snprintf(buf, sizeof(buf), "%s@%s", + (conf->krb_service_name) ? conf->krb_service_name : SERVICE_NAME, + ap_get_server_name(r)); --- libapache-mod-auth-kerb-5.4.orig/debian/patches/gssapi_delegation.patch +++ libapache-mod-auth-kerb-5.4/debian/patches/gssapi_delegation.patch 
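Review bot: The new `Any` branch hands back `GSS_C_NO_CREDENTIAL` as the acceptor credential, which by the README text added here means any principal in the keytab may be used, but the README does not tell the administrator to restrict the keytab. Add a sentence such as `With 'Any', the keytab should contain only the service principals this server is meant to accept.` and note that the value is matched case-sensitively by `strcmp(..., "Any")`. The added README line also misspells 'principal' as 'prinicpal'. The surrounding function starts and ends outside the hunk; the context line `strncpy(buf, conf->krb_service_name, sizeof(buf));` does not itself guarantee NUL termination, so check that `buf` is terminated elsewhere.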
@@ -0,0 +1,87 @@ +Index: libapache-mod-auth-kerb-5.3/src/mod_auth_kerb.c +=================================================================== +--- libapache-mod-auth-kerb-5.3.orig/src/mod_auth_kerb.c 2008-05-08 09:31:40.000000000 +0200 ++++ libapache-mod-auth-kerb-5.3/src/mod_auth_kerb.c 2008-05-08 09:37:53.000000000 +0200 +@@ -158,6 +158,7 @@ + const char *krb_service_name; + int krb_authoritative; + int krb_delegate_basic; ++ int krb_append_realm; + #if 0 + int krb_ssl_preauthentication; + #endif +@@ -214,6 +215,9 @@ + command("KrbDelegateBasic", ap_set_flag_slot, krb_delegate_basic, + FLAG, "Always offer Basic authentication regardless of KrbMethodK5Pass and pass on authentication to lower modules if Basic headers arrive."), + ++ command("KrbAppendRealm", ap_set_flag_slot, krb_append_realm, ++ FLAG, "Append the realm name when setting $REMOTE_USER."), ++ + #if 0 + command("KrbEnableSSLPreauthentication", ap_set_flag_slot, krb_ssl_preauthentication, + FLAG, "Don't do Kerberos authentication if the user is already authenticated using SSL and her client certificate."), +@@ -320,6 +324,7 @@ + ((kerb_auth_config *)rec)->krb_service_name = NULL; + ((kerb_auth_config *)rec)->krb_authoritative = 1; + ((kerb_auth_config *)rec)->krb_delegate_basic = 0; ++ ((kerb_auth_config *)rec)->krb_append_realm = 1; + #if 0 + ((kerb_auth_config *)rec)->krb_ssl_preauthentication = 0; + #endif +@@ -519,7 +524,8 @@ + user = apr_pstrdup(r->pool, sent_name); + if (sent_instance) + user = apr_pstrcat(r->pool, user, ".", sent_instance, NULL); +- user = apr_pstrcat(r->pool, user, "@", realm, NULL); ++ if (conf->krb_append_realm) ++ user = apr_pstrcat(r->pool, user, "@", realm, NULL); + + MK_USER = user; + MK_AUTH_TYPE = "Basic"; +@@ -1087,6 +1093,9 @@ + MK_AUTH_TYPE = "Basic"; + free(name); + ++ if (!conf->krb_append_realm && (name = strchr(MK_USER, '@'))) ++ *name = '\0'; ++ + if (conf->krb_save_credentials) + store_krb5_creds(kcontext, r, conf, ccache); + +@@ -1338,6 +1347,8 @@ + 
gss_OID_desc spnego_oid; + gss_ctx_id_t context = GSS_C_NO_CONTEXT; + gss_cred_id_t server_creds = GSS_C_NO_CREDENTIAL; ++ OM_uint32 tmp_flags; ++ char *name = NULL; + + *negotiate_ret_value = "\0"; + +@@ -1406,7 +1417,7 @@ + &client_name, + NULL, + &output_token, +- NULL, ++ &tmp_flags, + NULL, + &delegated_cred); + log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, +@@ -1471,6 +1482,9 @@ + MK_AUTH_TYPE = MECH_NEGOTIATE; + MK_USER = apr_pstrdup(r->pool, output_token.value); + ++ if (!conf->krb_append_realm && (name = strchr(MK_USER, '@'))) ++ *name = '\0'; ++ + if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL) + store_gss_creds(r, conf, (char *)output_token.value, delegated_cred); + +@@ -1504,7 +1518,7 @@ + if (ap_is_initial_req(r) || MK_AUTH_TYPE == NULL) + return 0; + if (strcmp(MK_AUTH_TYPE, MECH_NEGOTIATE) || +- (strcmp(MK_AUTH_TYPE, "Basic") && strchr(MK_USER, '@'))) ++ (strcmp(MK_AUTH_TYPE, "Basic") && MK_USER != NULL)) + return 1; + return 0; + } --- libapache-mod-auth-kerb-5.4.orig/debian/patches/series +++ libapache-mod-auth-kerb-5.4/debian/patches/series @@ -0,0 +1,2 @@ +amd64.patch +remove_bashism.patch --- libapache-mod-auth-kerb-5.4.orig/debian/patches/remove_bashism.patch +++ libapache-mod-auth-kerb-5.4/debian/patches/remove_bashism.patch 
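Review bot: With `KrbAppendRealm off`, the two added `*name = '\0'` truncations (the password path near -1087 and the Negotiate path near -1471) remove the realm from MK_USER, so principals with the same name in different accepted realms become the same REMOTE_USER. The directive's help string should say so, e.g. `"Append the realm name when setting $REMOTE_USER (turn off only when a single realm is trusted)."`. Separately, `tmp_flags` is now filled by the accept call, but no visible hunk reads it. The file is named gssapi_delegation while every hunk concerns `krb_append_realm`; the enclosing functions extend beyond the hunks, so the flags may be consumed there.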
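Review bot: `debian/patches/series` lists only `amd64.patch` and `remove_bashism.patch`, so `auth_to_local.patch`, `gssapi_any.patch` and `gssapi_delegation.patch` are shipped in `debian/patches/` but quilt never applies them. Unless upstream 5.4 already contains those changes (not visible here), the 5.4-1 build drops `Krb5AuthToLocal`, `KrbAppendRealm` and `KrbServiceName Any`. A site using those directives would then see a configuration error or different REMOTE_USER values after upgrading. Either delete the stale patch files or rebase them and add them to `series`, and state which in the 5.4-1 changelog entry, which currently says only "New upstream release".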
@@ -0,0 +1,21 @@ +Index: libapache-mod-auth-kerb-5.4/Makefile.in +=================================================================== +--- libapache-mod-auth-kerb-5.4.orig/Makefile.in 2008-12-02 15:07:10.000000000 +0100 ++++ libapache-mod-auth-kerb-5.4/Makefile.in 2010-03-15 09:06:11.000000000 +0100 +@@ -20,9 +20,15 @@ + + clean: + for i in . src spnegokrb5; do \ +- $(RM) $$i/*.{o,so,a,la,lo,slo} core; \ ++ $(RM) $$i/*.o; \ ++ $(RM) $$i/*.so; \ ++ $(RM) $$i/*.a; \ ++ $(RM) $$i/*.la; \ ++ $(RM) $$i/*.lo; \ ++ $(RM) $$i/*.slo; \ + $(RM) -rf $$i/.libs; \ + done ++ $(RM) core + + distclean: clean + $(RM) config.h config.status Makefile config.log --- libapache-mod-auth-kerb-5.4.orig/debian/patches/amd64.patch +++ libapache-mod-auth-kerb-5.4/debian/patches/amd64.patch @@ -0,0 +1,12 @@ +Index: libapache-mod-auth-kerb-5.3/spnegokrb5/spnego_asn1.h +=================================================================== +--- libapache-mod-auth-kerb-5.3.orig/spnegokrb5/spnego_asn1.h 2008-05-08 08:25:26.000000000 +0200 ++++ libapache-mod-auth-kerb-5.3/spnegokrb5/spnego_asn1.h 2008-05-08 08:25:51.000000000 +0200 +@@ -100,7 +100,6 @@ + int copy_ContextFlags (const ContextFlags *, ContextFlags *); + unsigned ContextFlags2int(ContextFlags); + ContextFlags int2ContextFlags(unsigned); +-extern struct units ContextFlags_units[]; + + /* + NegTokenInit ::= SEQUENCE {