GSS Masquerade: mod_auth_kerb

Benjamin Coddington Benjamin.Coddington at uvm.edu
Mon Mar 17 16:16:47 EDT 2008


Here's a patch that gives an example of masquerading.  Apache 
authenticates the user, caches the user's ticket, then moves to a new 
session keyring.  It then creates the desired nfsid key on this keyring.

It's very important to clean up after the request completes, so 
nfsidcleanup is registered to clear the current session keyring and 
migrate back to a default Apache session keyring.



diff --git a/src/mod_auth_kerb.c b/src/mod_auth_kerb.c
index 6b54a58..a900911 100644
--- a/src/mod_auth_kerb.c
+++ b/src/mod_auth_kerb.c
@@ -49,6 +49,7 @@
  #include <stdlib.h>
  #include <stdio.h>
  #include <stdarg.h>
+#include <keyutils.h>

  #define MODAUTHKERB_VERSION "5.3"

@@ -773,6 +774,17 @@ krb5_cache_cleanup(void *data)
  }

  static int
+nfsidcleanup(void *data)
+{
+       key_serial_t u_keyring = (key_serial_t) data;
+       int res;
+
+       keyctl(KEYCTL_CLEAR, u_keyring);
+       res = keyctl(KEYCTL_JOIN_SESSION_KEYRING, "_ses.apache");
+       return OK;
+}
+
+static int
  create_krb5_ccache(krb5_context kcontext,
                    request_rec *r,
                    kerb_auth_config *conf,
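Review bot: nfsidcleanup discards the result of both keyctl() calls — `res` is assigned and never read — so a failed KEYCTL_JOIN_SESSION_KEYRING back to "_ses.apache" is silent and the worker goes on serving later requests, for other users, while still attached to the masqueraded user's session keyring, which is exactly the cross-request leak this cleanup exists to prevent. Check the rejoin and report it where an operator will see it, e.g. `if (res == -1) ap_log_error(APLOG_MARK, APLOG_CRIT, errno, NULL, "nfsidcleanup: failed to rejoin _ses.apache");`, and do the same for a failed KEYCTL_CLEAR. Note that an apr_pool cleanup's return value is not propagated, so `return OK;` hides nothing and the log line is the only place a failure can surface. The `(key_serial_t) data` cast also assumes the keyring id is registered by value, whereas the registration in the last hunk passes `&u_keyring`; whichever side is changed, the two must agree.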
@@ -784,9 +796,16 @@ create_krb5_ccache(krb5_context kcontext,
     krb5_error_code problem;
     int ret;
     krb5_ccache tmp_ccache = NULL;
-
-   ccname = apr_psprintf(r->pool, "FILE:%s/krb5cc_apache_XXXXXX", 
P_tmpdir);
-   fd = mkstemp(ccname + strlen("FILE:"));
+   char *user;
+   apr_uid_t kuid, kgid, duid;
+   key_serial_t s_keyring, u_keyring, key;
+
+   user = apr_pstrndup(r->pool, MK_USER,
+        strchr(MK_USER, '@') - MK_USER);
+   apr_uid_get(&kuid, &kgid, user, r->pool);
+   apr_uid_current(&duid, &kgid, r->pool);
+   ccname = apr_psprintf(r->pool, "FILE:%s/krb5cc_%d", P_tmpdir, kuid);
+   fd = open(ccname + strlen("FILE:"), O_CREAT|O_TRUNC, S_IRUSR|S_IWUSR);
     if (fd < 0) {
        log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                   "mkstemp() failed: %s", strerror(errno));
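Review bot: Replacing mkstemp() with the predictable name `P_tmpdir/krb5cc_<uid>` opened with O_CREAT|O_TRUNC and no O_EXCL reopens the classic shared-tmp race: any local user who can write P_tmpdir can pre-create that name, or a symlink under it, and have the Apache worker truncate a file of the attacker's choosing or write the user's Kerberos ticket into an attacker-owned file, and two concurrent requests for the same user in different workers will truncate each other's cache. The removed mkstemp() line already produced a unique, race-free name; if a per-uid name is really required, open it with `O_WRONLY|O_CREAT|O_EXCL` and treat EEXIST as an error rather than truncating (as written the open() also passes no access mode at all, neither O_WRONLY nor O_RDWR). The derivation of `user` is unguarded too: `strchr(MK_USER, '@')` returns NULL for a principal without a realm, making the apr_pstrndup length wrap, and the result of apr_uid_get() is ignored, so a principal with no local account leaves `kuid` uninitialized yet still used for the cache name; both cases should fail the request the way the fd < 0 path does, whose message still says "mkstemp() failed". create_krb5_ccache continues past the end of this hunk.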
@@ -818,6 +837,22 @@ create_krb5_ccache(krb5_context kcontext,
     apr_pool_cleanup_register(r->pool, ccname, krb5_cache_cleanup,
                              apr_pool_cleanup_null);

+   log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+               "current session keyring %d", keyctl(KEYCTL_GET_KEYRING_ID,
+               -5, 0));
+
+   /* create or join user's session keyring */
+   u_keyring = keyctl(KEYCTL_JOIN_SESSION_KEYRING, MK_USER);
+   log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+               "joined session keyring %d", u_keyring);
+
+   key = add_key("nfsid", "nfsid", &kuid, sizeof(&kuid), u_keyring);
+   log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+               "created key %d", key);
+
+   apr_pool_cleanup_register(r->pool, &u_keyring, nfsidcleanup,
+       apr_pool_cleanup_null);
+
     *ccache = tmp_ccache;
     tmp_ccache = NULL;

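Review bot: The cleanup registration passes `&u_keyring`, the address of a stack local of create_krb5_ccache, while nfsidcleanup in the earlier hunk casts `data` straight to key_serial_t, so at pool teardown the cleanup clears whatever keyring the truncated pointer value happens to name and never the one actually joined; dereferencing would be no better, because this frame is gone by then. Pass the id by value, `(void *)(intptr_t) u_keyring` (intptr_t from <stdint.h>), which matches the cast the cleanup already performs. The add_key() call uses `sizeof(&kuid)`, the size of a pointer, as the payload length, so on 64-bit it sends 4 bytes beyond kuid from whatever sits next on the stack; it should be `sizeof kuid`. Neither KEYCTL_JOIN_SESSION_KEYRING nor add_key() is checked, so on failure (-1) the request still proceeds and any NFS access runs under Apache's own identity rather than the user's, and the three diagnostics are logged at APLOG_ERR on every authenticated request where APLOG_DEBUG fits. KEYCTL_GET_KEYRING_ID is given the literal -5, which keyutils.h names KEY_SPEC_USER_SESSION_KEYRING, not the session keyring (KEY_SPEC_SESSION_KEYRING, -3) the message claims to print; use the named constant either way.
```c
   /* … unchanged: krb5_cache_cleanup registration … */

   log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "current session keyring %d",
              keyctl(KEYCTL_GET_KEYRING_ID, KEY_SPEC_SESSION_KEYRING, 0));

   /* create or join the user's session keyring */
   u_keyring = keyctl(KEYCTL_JOIN_SESSION_KEYRING, MK_USER);
   if (u_keyring == -1) {
      log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                 "cannot join session keyring for %s: %s", MK_USER, strerror(errno));
      /* … unchanged: take the same error path as the fd < 0 case … */
   }
   /* register before add_key so the rejoin to _ses.apache still happens
    * if the key cannot be created; the id goes by value, this frame is
    * gone by the time the cleanup runs */
   apr_pool_cleanup_register(r->pool, (void *)(intptr_t) u_keyring,
                             nfsidcleanup, apr_pool_cleanup_null);

   key = add_key("nfsid", "nfsid", &kuid, sizeof kuid, u_keyring);
   if (key == -1) {
      log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                 "cannot create nfsid key for uid %d: %s", (int) kuid, strerror(errno));
      /* … unchanged: take the same error path as the fd < 0 case … */
   }
   log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
              "joined session keyring %d, created key %d", u_keyring, key);
```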

