author | green <green@FreeBSD.org> | 2005-10-14 22:55:59 +0000 |
---|---|---|
committer | green <green@FreeBSD.org> | 2005-10-14 22:55:59 +0000 |
commit | 1098126a8754760e4c2932140b519df4fcd0e57e (patch) | |
tree | 3f26193bdf83d82ecfe6f6fd5091df72516acea4 /www/mod_auth_kerb2 | |
parent | 36570f0fad27a5523568e01249b8960b5161b786 (diff) | |
* Allow for compilation to optionally use the MIT Kerberos 5 port like
now, but default to the base system's Heimdal.
* Use existing API to tell Heimdal's libkrb5 where the keytab is, rather
than exporting an environment variable (which is what must be done for
MIT's, apparently) -- this unbreaks specification of the keytab
location in httpd.conf.
* Rewrite the description to be far more accurate: no mention was made
of this module doing real SPNEGO/GSSAPI/Kerberos (as opposed to
"Kerberos password gateway") authentication.
* Bump PORTREVISION.
Approved by: MAINTAINER
PR: ports/86963
Diffstat (limited to 'www/mod_auth_kerb2')
-rw-r--r-- | www/mod_auth_kerb2/Makefile | 35 | ||||
-rw-r--r-- | www/mod_auth_kerb2/files/patch-src__mod_auth_kerb.c | 25 | ||||
-rw-r--r-- | www/mod_auth_kerb2/pkg-descr | 23 | ||||
-rw-r--r-- | www/mod_auth_kerb2/pkg-plist | 2 |
4 files changed, 63 insertions, 22 deletions
diff --git a/www/mod_auth_kerb2/Makefile b/www/mod_auth_kerb2/Makefile
index 909f016..a2f48ca 100644
--- a/www/mod_auth_kerb2/Makefile
+++ b/www/mod_auth_kerb2/Makefile
@@ -9,10 +9,12 @@

 PORTNAME= mod_auth_kerb
 PORTVERSION= 5.0.r6
-DISTNAME= mod_auth_kerb-5.0-rc6
+PORTREVISION= 1
 CATEGORIES= www
 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
 MASTER_SITE_SUBDIR=modauthkerb
+DISTNAME= mod_auth_kerb-5.0-rc6
+
 MAINTAINER= apache@FreeBSD.org
 COMMENT= An Apache module for authenticating users with Kerberos v5

@@ -22,16 +24,31 @@ COMMENT= An Apache module for authenticating users with Kerberos v5
 # (i.e., HTTP over SSL/TLS). Thus, we require as a dependency
 # a version of Apache which can do this.
 #
-LIB_DEPENDS= krb5.3:${PORTSDIR}/security/krb5
-
 USE_APACHE= yes
-
-KRB5_HOME?= ${LOCALBASE}
-
 # Don't fsck with CFLAGS
 CFLAGS:=
-
 GNU_CONFIGURE= yes
 CONFIGURE_ARGS+=--with-krb5=${KRB5_HOME} --without-krb4
-
-.include <bsd.port.mk>
+OPTIONS+= BASE_KERBEROS5 "Use the base Kerberos 5 (Heimdal)"
+.if exists(/usr/lib/libkrb5.so)
+OPTIONS+= on
+.else
+OPTIONS+= off
+.endif
+
+.include <bsd.port.pre.mk>
+
+.if exists(${PREFIX}/sbin/apxs)
+APACHE_MODULE_DIR!=${PREFIX}/sbin/apxs -q LIBEXECDIR
+.else
+APACHE_MODULE_DIR=libexec/apache
+.endif
+PLIST_SUB+= APMODDIR=${APACHE_MODULE_DIR:S/^${PREFIX}\///}
+.if defined(WITH_BASE_KERBEROS5)
+KRB5_HOME= /usr
+.else
+LIB_DEPENDS+= krb5.3:${PORTSDIR}/security/krb5
+KRB5_HOME= ${LOCALBASE}
+.endif
+
+.include <bsd.port.post.mk>
diff --git a/www/mod_auth_kerb2/files/patch-src__mod_auth_kerb.c b/www/mod_auth_kerb2/files/patch-src__mod_auth_kerb.c
new file mode 100644
index 0000000..7c25d1a
--- /dev/null
+++ b/www/mod_auth_kerb2/files/patch-src__mod_auth_kerb.c
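Review bot: Nothing in the `WITH_BASE_KERBEROS5` branch of the Makefile hunk at `@@ -22,16 +24,31 @@` defines `HEIMDAL`, yet the `#ifndef HEIMDAL` split added in files/patch-src__mod_auth_kerb.c decides which keytab mechanism is compiled. With `CFLAGS:=` emptied just above, the macro presumably comes from the upstream configure script detecting Heimdal under `--with-krb5=/usr`. If it does not, a base-Heimdal build would silently keep the `putenv()` of `KRB5_KTNAME`, which the commit message says does not honour the keytab set in httpd.conf. A comment above the branch would record the dependency, e.g. `# HEIMDAL must be defined by configure for KRB5_HOME=/usr; files/patch-src__mod_auth_kerb.c keys on it`.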
@@ -0,0 +1,25 @@
+--- src/mod_auth_kerb.c.orig Tue Aug 10 08:01:01 2004
++++ src/mod_auth_kerb.c Wed Oct 5 20:25:38 2005
+@@ -1108,6 +1108,7 @@
+ spnego_oid.elements = (void *)"\x2b\x06\x01\x05\x05\x02";
+
+ if (conf->krb_5_keytab) {
++#ifndef HEIMDAL
+ char *ktname;
+ /* we don't use the ap_* calls here, since the string passed to putenv()
+ * will become part of the enviroment and shouldn't be free()ed by apache
+@@ -1120,6 +1121,14 @@
+ }
+ sprintf(ktname, "KRB5_KTNAME=%s", conf->krb_5_keytab);
+ putenv(ktname);
++#else
++ ret = gsskrb5_register_acceptor_identity(conf->krb_5_keytab);
++ if (ret) {
++ log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "Setting KerberosV keytab failed: %s", strerror(errno));
++ ret = HTTP_INTERNAL_SERVER_ERROR;
++ goto end;
++ }
++#endif
+ }
+
+ ret = get_gss_creds(r, conf, &server_creds);
diff --git a/www/mod_auth_kerb2/pkg-descr b/www/mod_auth_kerb2/pkg-descr
index 4dbb5e1..18a501b 100644
--- a/www/mod_auth_kerb2/pkg-descr
+++ b/www/mod_auth_kerb2/pkg-descr
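Review bot: The new `#else` branch in files/patch-src__mod_auth_kerb.c logs `strerror(errno)` when `gsskrb5_register_acceptor_identity()` fails, but that call reports failure through its GSS-API status return rather than errno, so the logged text can be stale or unrelated to the keytab problem. Logging the returned status and the path gives an operator something to act on, e.g. `log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "Setting KerberosV keytab %s failed (GSS major status 0x%x)", conf->krb_5_keytab, (unsigned)ret);`. The call takes only the keytab name, so it appears to set a process-wide acceptor identity on every request, as the `putenv()` path does. A short comment should say that differing keytabs across virtual hosts served by one process are not isolated. The enclosing function begins and ends outside the hunk.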
@@ -1,14 +1,13 @@
-mod_auth_kerb is an Apache module for authenticating Web clients
-in a Kerberos v5 realm. Because the Kerberos password is transmitted
-in plain text, this module MUST be used in conjunction with an
-encryption-capable Web server (by default, apache13-modssl). There is
-no documentation provided; see the Web site for more details. This
-package is built with the KRB5_VERIFY_TICKET and KRB5_SAVE_CREDENTIALS
-options, and *without* Kerberos v4 support. In order to successfully
-authenticate users, the Web server will need a keytab file containing
-a key for the principal `www/my.host.name.example@MY.REALM.EXAMPLE'
-which is readable only by the user Apache runs as; the location of this
-keytab defaults to ${LOCALBASE}/etc/apache/keytab but can be modified
-in the server configuration.
+mod_auth_kerb is an Apache module for authenticating Web clients in a
+Kerberos v5 realm. Authentication may be performed via the Kerberos
+principal/password; it may also be done securely using SPNEGO (HTTP
+Negotiate auth protocol) to perform a GSSAPI/Kerberos authentication
+from the user's browser and Kerberos credentials directly to the server
+Kerberos credentials 'HTTP/host@REALM'. Because the Kerberos password is
+transmitted in plain text in the former mode, when using mod_auth_kerb
+for naive HTTP Basic (password-based) authentication, this module
+MUST be used in conjunction with an encryption-capable Web server
+(e.g. Apache) to keep that exchange private. There is no documentation
+provided; see the Web site for more details.

 WWW: http://modauthkerb.sourceforge.net/
diff --git a/www/mod_auth_kerb2/pkg-plist b/www/mod_auth_kerb2/pkg-plist
index 9c53a96..e10a6259 100644
--- a/www/mod_auth_kerb2/pkg-plist
+++ b/www/mod_auth_kerb2/pkg-plist
@@ -1,3 +1,3 @@
-libexec/apache/mod_auth_kerb.so
+%%APMODDIR%%/mod_auth_kerb.so
 @exec %D/sbin/apxs -e -A -n auth_kerb %D/%F
 @unexec %D/sbin/apxs -e -A -n auth_kerb %D/%F |