diff options
author | Thibaut Notteboom <tib@tibux.org> | 2013-02-10 01:36:50 -0600 |
---|---|---|
committer | Erik Hanson <erik@slackbuilds.org> | 2013-02-14 00:26:35 -0600 |
commit | 7f2f69966e97765c8fd54a70a29e8cafe006028e (patch) | |
tree | 9d04f00e3135ad7522e12062c6e5e86ad535e75f /network/mod_auth_kerb | |
parent | c2b1f1137e757b3a3f21e7c6dda333b058e84e85 (diff) | |
download | slackbuilds-7f2f69966e97765c8fd54a70a29e8cafe006028e.tar.gz |
network/mod_auth_kerb: Added (Kerberos Module for Apache)
Signed-off-by: Robby Workman <rworkman@slackbuilds.org>
Diffstat (limited to 'network/mod_auth_kerb')
-rw-r--r-- | network/mod_auth_kerb/README | 13 | ||||
-rw-r--r-- | network/mod_auth_kerb/doinst.sh | 16 | ||||
-rw-r--r-- | network/mod_auth_kerb/mod_auth_kerb.SlackBuild | 105 | ||||
-rw-r--r-- | network/mod_auth_kerb/mod_auth_kerb.c.patch | 71 | ||||
-rw-r--r-- | network/mod_auth_kerb/mod_auth_kerb.conf | 27 | ||||
-rw-r--r-- | network/mod_auth_kerb/mod_auth_kerb.info | 10 | ||||
-rw-r--r-- | network/mod_auth_kerb/slack-desc | 18 |
7 files changed, 260 insertions, 0 deletions
diff --git a/network/mod_auth_kerb/README b/network/mod_auth_kerb/README new file mode 100644 index 0000000000..4a610644df --- /dev/null +++ b/network/mod_auth_kerb/README @@ -0,0 +1,13 @@ +Mod_auth_kerb is an Apache module designed to provide Kerberos +authentication to the Apache web server. The module also supports +the Negotiate authentication method, which performs full Kerberos +authentication based on ticket exchanges, and does not require +users to insert their passwords to the browser. + +This requires heimdal. + +You will need to add the following line to /etc/httpd/httpd.conf: + Include /etc/httpd/extra/mod_auth_kerb.conf + +Mod_auth_kerb can be further configured through the Apache configuration +file; see the README in the package's documentation directory for details. diff --git a/network/mod_auth_kerb/doinst.sh b/network/mod_auth_kerb/doinst.sh new file mode 100644 index 0000000000..114a9cd4bc --- /dev/null +++ b/network/mod_auth_kerb/doinst.sh @@ -0,0 +1,16 @@ +config() { + NEW="$1" + OLD="$(dirname $NEW)/$(basename $NEW .new)" + # If there's no config file by that name, mv it over: + if [ ! -r $OLD ]; then + mv $NEW $OLD + elif [ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]; then + # toss the redundant copy + rm $NEW + fi + # Otherwise, we leave the .new copy for the admin to consider... +} + +config etc/httpd/extra/mod_auth_kerb.conf.new + + diff --git a/network/mod_auth_kerb/mod_auth_kerb.SlackBuild b/network/mod_auth_kerb/mod_auth_kerb.SlackBuild new file mode 100644 index 0000000000..b9acd5baaf --- /dev/null +++ b/network/mod_auth_kerb/mod_auth_kerb.SlackBuild @@ -0,0 +1,105 @@ +#!/bin/sh + +# Slackware build script for mod_auth_kerb + +# Copyright 2012-2013 Thibaut Notteboom, Paris, FRANCE +# All rights reserved. +# +# Redistribution and use of this script, with or without modification, is +# permitted provided that the following conditions are met: +# +# 1. Redistributions of this script must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO +# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, +# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; +# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF +# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +PRGNAM=mod_auth_kerb +VERSION=${VERSION:-5.4} +BUILD=${BUILD:-1} +TAG=${TAG:-_SBo} + +if [ -z "$ARCH" ]; then + case "$( uname -m )" in + i?86) ARCH=i486 ;; + arm*) ARCH=arm ;; + *) ARCH=$( uname -m ) ;; + esac +fi + +CWD=$(pwd) +TMP=${TMP:-/tmp/SBo} +PKG=$TMP/package-$PRGNAM +OUTPUT=${OUTPUT:-/tmp} + +if [ "$ARCH" = "i486" ]; then + SLKCFLAGS="-O2 -march=i486 -mtune=i686" + LIBDIRSUFFIX="" +elif [ "$ARCH" = "i686" ]; then + SLKCFLAGS="-O2 -march=i686 -mtune=i686" + LIBDIRSUFFIX="" +elif [ "$ARCH" = "x86_64" ]; then + SLKCFLAGS="-O2 -fPIC" + LIBDIRSUFFIX="64" +else + SLKCFLAGS="-O2" + LIBDIRSUFFIX="" +fi + +set -e + +rm -rf $PKG +mkdir -p $TMP $PKG $OUTPUT +cd $TMP +rm -rf $PRGNAM-$VERSION +tar xvf $CWD/$PRGNAM-$VERSION.tar.gz +cd $PRGNAM-$VERSION +chown -R root:root . +find . \ + \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \ + -exec chmod 755 {} \; -o \ + \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \ + -exec chmod 644 {} \; + +patch -p0 < $CWD/mod_auth_kerb.c.patch + +CFLAGS="$SLKCFLAGS" \ +CXXFLAGS="$SLKCFLAGS" \ +./configure \ + --prefix=/usr \ + --with-krb5=/usr/heimdal \ + --without-krb4 \ + --build=$ARCH-slackware-linux + +make + +mkdir -p $PKG/usr/lib${LIBDIRSUFFIX}/httpd/modules +install -m 755 src/.libs/mod_auth_kerb.so $PKG/usr/lib${LIBDIRSUFFIX}/httpd/modules/mod_auth_kerb.so + +mkdir -p $PKG/etc/httpd/extra +sed "s%@baselibdir@%lib${LIBDIRSUFFIX}%" $CWD/mod_auth_kerb.conf > \ + $PKG/etc/httpd/extra/mod_auth_kerb.conf.new + +find $PKG -print0 | xargs -0 file | grep -e "executable" -e "shared object" | grep ELF \ + | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true + +mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION +cp -a ChangeLog INSTALL LICENSE README $PKG/usr/doc/$PRGNAM-$VERSION +cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild + +mkdir -p $PKG/install +cat $CWD/slack-desc > $PKG/install/slack-desc +cat $CWD/doinst.sh > $PKG/install/doinst.sh + +cd $PKG +/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.${PKGTYPE:-tgz} + + diff --git a/network/mod_auth_kerb/mod_auth_kerb.c.patch b/network/mod_auth_kerb/mod_auth_kerb.c.patch new file mode 100644 index 0000000000..cc466fd605 --- /dev/null +++ b/network/mod_auth_kerb/mod_auth_kerb.c.patch @@ -0,0 +1,71 @@ +--- src/mod_auth_kerb.c.orig 2012-06-24 19:10:03.578437625 +0200 ++++ src/mod_auth_kerb.c 2012-06-24 19:12:42.043441805 +0200 +@@ -89,6 +89,7 @@ + #include <krb5.h> + #ifdef HEIMDAL + # include <gssapi.h> ++# include <gssapi/gssapi_krb5.h> + #else + # include <gssapi/gssapi.h> + # include <gssapi/gssapi_generic.h> +@@ -179,6 +179,16 @@ static apr_global_mutex_t *s4u2proxy_loc + #define PROXYREQ_PROXY STD_PROXY + #endif + ++#if MODULE_MAGIC_NUMBER_MAJOR >= 20100606 ++/* 2.4.x or later */ ++#define WITH_HTTPD24 1 ++#define client_ip(r) ((r)->useragent_ip) ++APLOG_USE_MODULE(auth_kerb); ++#else ++#define client_ip(r) ((r)->connection->remote_ip) ++#endif ++ ++ + /*************************************************************************** + Auth Configuration Structure + ***************************************************************************/ +@@ -383,7 +393,11 @@ cmd_delegationlock(cmd_parms *cmd, void + } + + static void +-log_rerror(const char *file, int line, int level, int status, ++log_rerror(const char *file, int line, ++#ifdef WITH_HTTPD24 ++ int module_index, ++#endif ++ int level, int status, + const request_rec *r, const char *fmt, ...) + { + char errstr[1024]; +@@ -394,7 +408,9 @@ log_rerror(const char *file, int line, i + va_end(ap); + + +-#ifdef STANDARD20_MODULE_STUFF ++#if defined(WITH_HTTPD24) ++ ap_log_rerror(file, line, module_index, level, status, r, "%s", errstr); ++#elif defined(STANDARD20_MODULE_STUFF) + ap_log_rerror(file, line, level | APLOG_NOERRNO, status, r, "%s", errstr); + #else + ap_log_rerror(file, line, level | APLOG_NOERRNO, r, "%s", errstr); +@@ -1860,8 +1876,8 @@ already_succeeded(request_rec *r, char * + char keyname[1024]; + + snprintf(keyname, sizeof(keyname) - 1, +- "mod_auth_kerb::connection::%s::%ld", r->connection->remote_ip, +- r->connection->id); ++ "mod_auth_kerb::connection::%s::%ld", client_ip(r), ++ r->connection->id); + + if (apr_pool_userdata_get((void**)&conn_data, keyname, r->connection->pool) != 0) + return NULL; +@@ -2014,7 +2030,7 @@ kerb_authenticate_user(request_rec *r) + prevauth->last_return = ret; + snprintf(keyname, sizeof(keyname) - 1, + "mod_auth_kerb::connection::%s::%ld", +- r->connection->remote_ip, r->connection->id); ++ client_ip(r), r->connection->id); + apr_pool_userdata_set(prevauth, keyname, NULL, r->connection->pool); + } + diff --git a/network/mod_auth_kerb/mod_auth_kerb.conf b/network/mod_auth_kerb/mod_auth_kerb.conf new file mode 100644 index 0000000000..a75e692bb6 --- /dev/null +++ b/network/mod_auth_kerb/mod_auth_kerb.conf @@ -0,0 +1,27 @@ + +# The mod_auth_kerb module implements Kerberos authentication over +# HTTP, following the "Negotiate" protocol. +# + +LoadModule auth_kerb_module @baselibdir@/httpd/modules/mod_auth_kerb.so + +# +# Sample configuration: Kerberos authentication must only be +# used over SSL to prevent replay attacks. The keytab file +# configured must be readable only by the "apache" user, and +# must contain service keys for "HTTP/www.example.com", where +# "www.example.com" is the FQDN of this server. +# + +#<Location /private> +# SSLRequireSSL +# AuthType Kerberos +# AuthName "Kerberos Login" +# KrbMethodNegotiate On +# KrbMethodK5Passwd Off +# KrbAuthRealms EXAMPLE.COM +# Krb5KeyTab /etc/httpd/krb5.keytab +# require valid-user +#</Location> + + diff --git a/network/mod_auth_kerb/mod_auth_kerb.info b/network/mod_auth_kerb/mod_auth_kerb.info new file mode 100644 index 0000000000..6856e6c854 --- /dev/null +++ b/network/mod_auth_kerb/mod_auth_kerb.info @@ -0,0 +1,10 @@ +PRGNAM="mod_auth_kerb" +VERSION="5.4" +HOMEPAGE="http://modauthkerb.sourceforge.net/" +DOWNLOAD="http://fossies.org/unix/www/apache_httpd_modules/mod_auth_kerb-5.4.tar.gz" +MD5SUM="642b81763ad3ca81dba359cb952da5e3" +DOWNLOAD_x86_64="" +MD5SUM_x86_64="" +REQUIRES="heimdal" +MAINTAINER="Thibaut Notteboom" +EMAIL="tib@tibux.org" diff --git a/network/mod_auth_kerb/slack-desc b/network/mod_auth_kerb/slack-desc new file mode 100644 index 0000000000..460d607a2f --- /dev/null +++ b/network/mod_auth_kerb/slack-desc @@ -0,0 +1,18 @@ +# HOW TO EDIT THIS FILE: +# The "handy ruler" below makes it easier to edit a package description. +# Line up the first '|' above the ':' following the base package name, and +# the '|' on the right side marks the last column you can put a character in. +# You must make exactly 11 lines for the formatting to be correct. It's also +# customary to leave one space after the ':' except on otherwise blank lines. + + |-----handy-ruler------------------------------------------------------| +mod_auth_kerb: mod_auth_kerb (Kerberos Module for Apache) +mod_auth_kerb: +mod_auth_kerb: Mod_auth_kerb is an Apache module designed to provide Kerberos +mod_auth_kerb: authentication to the Apache web server. The module also supports +mod_auth_kerb: the Negotiate authentication method, which performs full Kerberos +mod_auth_kerb: authentication based on ticket exchanges, and does not require +mod_auth_kerb: users to insert their passwords to the browser. +mod_auth_kerb: +mod_auth_kerb: Homepage: http://modauthkerb.sourceforge.net/ +mod_auth_kerb: |