Debian Bug report logs - #340360
libapache2-mod-auth-kerb: GSSAPI fails with "Request is a replay" under krb5 1.4.3


Package: libapache2-mod-auth-kerb; Maintainer for libapache2-mod-auth-kerb is Ghe Rivero <ghe@debian.org>; Source for libapache2-mod-auth-kerb is src:libapache-mod-auth-kerb (PTS, buildd, popcon).

Reported by: Russ Allbery <rra@debian.org>

Date: Wed, 23 Nov 2005 00:18:01 UTC

Severity: grave

Tags: patch

Found in version libapache2-mod-auth-kerb/4.996-5.0-rc6-1

Fixed in version libapache-mod-auth-kerb/4.996-5.0-rc6-3

Done: Ghe Rivero <ghe@upsa.es>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#340360; Package libapache2-mod-auth-kerb.


Acknowledgement sent to Russ Allbery <rra@stanford.edu>:
New Bug report received and forwarded. Copy sent to Sam Hartman <hartmans@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Russ Allbery <rra@stanford.edu>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libapache2-mod-auth-kerb: GSSAPI fails with "Request is a replay" under krb5 1.4.3
Date: Tue, 22 Nov 2005 16:08:15 -0800
Package: libapache2-mod-auth-kerb
Version: 4.996-5.0-rc6-1
Severity: important

krb5 1.4.3 has just been uploaded to experimental and will hopefully be
uploaded to unstable soon.  In testing it, I found that mod_auth_kerb
(at least with Apache 2 -- I haven't tested with Apache 1) doesn't work
correctly with 1.4.3 when doing GSSAPI authentication.  The attempted
web page access hangs from the perspective of the browser, and Apache
repeatedly logs the following:

[Tue Nov 22 16:04:42 2005] [debug] src/mod_auth_kerb.c(1322): [client 171.64.19.147] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Tue Nov 22 16:04:42 2005] [debug] src/mod_auth_kerb.c(1023): [client 171.64.19.147] Acquiring creds for HTTP/windlord.stanford.edu@stanford.edu
[Tue Nov 22 16:04:42 2005] [debug] src/mod_auth_kerb.c(1152): [client 171.64.19.147] Verifying client data using KRB5 GSS-API
[Tue Nov 22 16:04:42 2005] [debug] src/mod_auth_kerb.c(1168): [client 171.64.19.147] Verification returned code 851968
[Tue Nov 22 16:04:42 2005] [error] [client 171.64.19.147] gss_accept_sec_context() failed: Miscellaneous failure (Request is a replay)

Those log messages repeat until I press stop in the browser.  Downgrading
the libraries to 1.3 causes the module to start working again.

My guess is that mod_auth_kerb is violating some assumption made in the
Kerberos libraries, but I've not had a chance to investigate more completely
yet.  I hope to over the next few days.  I'd like to get this fixed before
1.4.3 goes into unstable, for obvious reasons. 

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)

Versions of packages libapache2-mod-auth-kerb depends on:
ii  apache2-common                2.0.54-5   next generation, scalable, extenda
ii  krb5-config                   1.8        Configuration files for Kerberos V
ii  libc6                         2.3.5-6    GNU C Library: Shared libraries an
ii  libcomerr2                    1.38-2     common error description library
ii  libkrb53                      1.3.6-5    MIT Kerberos runtime libraries

libapache2-mod-auth-kerb recommends no packages.

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#340360; Package libapache2-mod-auth-kerb.


Acknowledgement sent to Sam Hartman <hartmans@debian.org>:
Extra info received and forwarded to list.


Message #10 received at submit@bugs.debian.org:

From: Sam Hartman <hartmans@debian.org>
To: Russ Allbery <rra@stanford.edu>
Cc: 340360@bugs.debian.org, Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#340360: libapache2-mod-auth-kerb: GSSAPI fails with "Request is a replay" under krb5 1.4.3
Date: Tue, 22 Nov 2005 20:38:47 -0500
Be aware that there is special code to try and disable the replay
cache in mod-auth-kerb; it may interact badly with changes in krb5.




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#340360; Package libapache2-mod-auth-kerb.


Acknowledgement sent to Sam Hartman <hartmans@debian.org>:
Extra info received and forwarded to list.


Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#340360; Package libapache2-mod-auth-kerb.


Acknowledgement sent to Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>.


Message #20 received at 340360@bugs.debian.org:

From: Russ Allbery <rra@debian.org>
To: Sam Hartman <hartmans@debian.org>
Cc: 340360@bugs.debian.org
Subject: Re: Bug#340360: libapache2-mod-auth-kerb: GSSAPI fails with "Request is a replay" under krb5 1.4.3
Date: Tue, 22 Nov 2005 19:01:35 -0800
Sam Hartman <hartmans@debian.org> writes:

> Be aware that there is special code to try and disable the replay
> cache in mod-auth-kerb; it may interact badly with changes in krb5.

I must say that it's tempting to just set KRB5RCACHETYPE to "none".  Alas,
that's probably a bad idea in an Apache module due to the annoying global
and inherited nature of environment variables.

It would be nice to have some way of passing that kind of setting into the
library.  As near as I can tell, there isn't one; am I overlooking some
convenient API?

The special code to disable the replay cache is extremely ugly and
intrusive and won't even compile against krb5 1.4.3, so I'm sure that's
what broke.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>



Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#340360; Package libapache2-mod-auth-kerb.


Acknowledgement sent to Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>.


Message #25 received at 340360@bugs.debian.org:

From: Russ Allbery <rra@debian.org>
To: Russ Allbery <rra@debian.org>
Cc: 340360@bugs.debian.org, Sam Hartman <hartmans@debian.org>
Subject: Re: Bug#340360: libapache2-mod-auth-kerb: GSSAPI fails with "Request is a replay" under krb5 1.4.3
Date: Tue, 22 Nov 2005 19:12:32 -0800
Russ Allbery <rra@debian.org> writes:

> The special code to disable the replay cache is extremely ugly and
> intrusive and won't even compile against krb5 1.4.3, so I'm sure that's
> what broke.

I take that back; once Bug#300810 is fixed, the package does build fine
against 1.4.3.  However, that doesn't fix the problem.

I'm going to try a few things and see if I can get the intrusive code to
work.  I think it's currently a bit too complicated and there's a simpler
way to get the results that it's going for.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>



Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#340360; Package libapache2-mod-auth-kerb.


Acknowledgement sent to Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>.


Message #30 received at 340360@bugs.debian.org:

From: Russ Allbery <rra@debian.org>
To: 340360@bugs.debian.org
Subject: Re: Bug#340360: libapache2-mod-auth-kerb: GSSAPI fails with "Request is a replay" under krb5 1.4.3
Date: Tue, 22 Nov 2005 19:45:59 -0800
Russ Allbery <rra@debian.org> writes:

> I'm going to try a few things and see if I can get the intrusive code to
> work.  I think it's currently a bit too complicated and there's a
> simpler way to get the results that it's going for.

Okay, the first problem is that the definition of krb5_rc_ops has changed
in 1.4.3 to add an additional callback.  That's easily fixable.  However,
this is a serious problem:

/* Definitions from MIT krb5-1.3.3 gssapiP_krb5.h */
typedef struct _krb5_gss_cred_id_rec {
   /* name/type of credential */
   gss_cred_usage_t usage;
   krb5_principal princ;        /* this is not interned as a gss_name_t */
   int prerfc_mech;
   int rfc_mech;

   /* keytab (accept) data */
   krb5_keytab keytab;
   krb5_rcache_internal rcache;
        
   /* ccache (init) data */
   krb5_ccache ccache;
   krb5_timestamp tgt_expire;
   krb5_enctype *req_enctypes;  /* limit negotiated enctypes to this list */
} krb5_gss_cred_id_rec, *krb5_gss_cred_id_t;

1.4.3 adds a k5_mutex_t variable as the *first* element of this struct.
The size of a k5_mutex_t appears to depend on a large set of the contents
of k5-thread.h, which depends on a ton of platform-specific discovery from
Autoconf.  Duplicating all of that looks extremely unappealing.

This struct definition is currently necessary in order to find the rcache
member and replace its pointer.  Right now, it replaces it with a custom
constructed krb5_rc_ops struct that replaces the store function with a
no-op; with 1.4.3, it could just use krb5_rc_none_ops.  But that doesn't
help if we can't get into the bowels of GSSAPI to replace it.

I don't see a good solution down the path of selectively fiddling with
krb5 internals.  It looks to me like the environment variable, as ugly as
that might be, may be the best solution for right now.

I've confirmed that setting KRB5RCACHETYPE to none and disabling the
current code hack does fix the problem, and interestingly doesn't appear
to pass the environment variable on to CGI child processes.  So there is
that at least.  It will affect all other uses of Kerberos in Apache,
though, most likely.

Regardless, a new libapache-mod-auth-kerb package will be needed when we
push 1.4.3 into unstable, and the 1.4.3 package should probably conflict
with the existing mod-auth-kerb packages since they rely on internal
library details that have significantly changed.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
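Added illustration, not code from mod_auth_kerb or MIT krb5, of what the store callback that the old hack turned into a no-op is supposed to do: a constructed in-memory replay cache keyed the way the default "dfl" type keys authenticators, with a `disabled` flag standing in for the "none" type that KRB5RCACHETYPE selects. The names, the skew value and the error codes are assumptions.

```c
/* Constructed model of a Kerberos replay cache (not MIT krb5 or
 * mod_auth_kerb code).  Like the "dfl" type it keys an authenticator on
 * (client, server, ctime, cusec), calls a key seen twice inside the skew
 * window a replay and expunges older entries, which rd_req rejects on
 * timestamp grounds anyway.  disabled == 1 models rcache type "none". */
#include <stdio.h>
#include <string.h>

#define RC_MAX    64
#define RC_SKEW   300L      /* seconds; assumed clockskew */
#define RC_OK     0
#define RC_REPLAY 1         /* stands in for KRB5KRB_AP_ERR_REPEAT */
#define RC_SKEWED 2         /* stands in for KRB5KRB_AP_ERR_SKEW */
#define RC_FULL   3

typedef struct {
    char client[64], server[64];
    long ctime;             /* authenticator timestamp, seconds */
    int  cusec;             /* authenticator microseconds */
} rc_entry;

typedef struct {
    rc_entry entries[RC_MAX];
    int count;
    int disabled;           /* 1: behave like rcache type "none" */
} rcache;

void rc_init(rcache *rc, int disabled) { memset(rc, 0, sizeof *rc); rc->disabled = disabled; }

/* Drop entries whose timestamp has fallen outside the skew window. */
static void rc_expunge(rcache *rc, long now)
{
    int kept = 0;
    for (int i = 0; i < rc->count; i++)
        if (now - rc->entries[i].ctime <= RC_SKEW)
            rc->entries[kept++] = rc->entries[i];
    rc->count = kept;
}

/* Accept-side check for one authenticator; RC_REPLAY means it was already stored. */
int rc_store(rcache *rc, const char *client, const char *server,
             long ctime, int cusec, long now)
{
    if (ctime > now + RC_SKEW || ctime < now - RC_SKEW)
        return RC_SKEWED;   /* timestamp check; not affected by "none" */
    if (rc->disabled)
        return RC_OK;       /* "none": never remembers, never reports a replay */
    rc_expunge(rc, now);
    for (int i = 0; i < rc->count; i++) {
        const rc_entry *e = &rc->entries[i];
        if (e->ctime == ctime && e->cusec == cusec &&
            strcmp(e->client, client) == 0 && strcmp(e->server, server) == 0)
            return RC_REPLAY;
    }
    if (rc->count == RC_MAX)
        return RC_FULL;
    rc_entry *n = &rc->entries[rc->count++];
    snprintf(n->client, sizeof n->client, "%s", client);
    snprintf(n->server, sizeof n->server, "%s", server);
    n->ctime = ctime;
    n->cusec = cusec;
    return RC_OK;
}
```

With `disabled` set, a re-presented authenticator inside the skew window is accepted a second time, which is exactly the property the GSSAPI accept path gives up when the replay cache is switched off; that trade-off is what has to be weighed against the looping failure in this report.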



Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#340360; Package libapache2-mod-auth-kerb.


Acknowledgement sent to Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>.


Message #35 received at 340360@bugs.debian.org:

From: Russ Allbery <rra@debian.org>
To: 340360@bugs.debian.org
Subject: Re: Bug#340360: libapache2-mod-auth-kerb: GSSAPI fails with "Request is a replay" under krb5 1.4.3
Date: Tue, 22 Nov 2005 20:19:51 -0800
tags 340360 patch
thanks

Here's a tested patch that works with 1.4.3.  Note that it won't work with
earlier versions of Kerberos since the "none" rcache type is new in 1.4 so
far as I can tell.

A possibly better solution would be to keep the old code but make it
conditional on the version of Kerberos used, but I'm not quite sure how to
do that.  I'm not sure that MIT Kerberos provides an easy way to do that
or to detect whether the rcache type of "none" is supported.

--- libapache-mod-auth-kerb-4.996-5.0-rc6/src/mod_auth_kerb.c	2004-08-10 05:01:01.000000000 -0700
+++ libapache-mod-auth-kerb-4.996-5.0-rc6.fixed/src/mod_auth_kerb.c	2005-11-22 19:49:06.000000000 -0800
@@ -195,34 +195,6 @@
    { NULL }
 };
 
-#if defined(KRB5) && !defined(HEIMDAL)
-/* Needed to work around problems with replay caches */
-#include "mit-internals.h"
-
-/* This is our replacement krb5_rc_store function */
-static krb5_error_code
-mod_auth_kerb_rc_store(krb5_context context, krb5_rcache rcache,
-                       krb5_donot_replay_internal *donot_replay)
-{
-   return 0;
-}
-
-/* And this is the operations vector for our replay cache */
-const krb5_rc_ops_internal mod_auth_kerb_rc_ops = {
-  0,
-  "dfl",
-  krb5_rc_dfl_init,
-  krb5_rc_dfl_recover,
-  krb5_rc_dfl_destroy,
-  krb5_rc_dfl_close,
-  mod_auth_kerb_rc_store,
-  krb5_rc_dfl_expunge,
-  krb5_rc_dfl_get_span,
-  krb5_rc_dfl_get_name,
-  krb5_rc_dfl_resolve
-};
-#endif
-
 
 /*************************************************************************** 
  Auth Configuration Initialization
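Review bot: with the `#include "mit-internals.h"` and the replacement ops vector gone, nothing in the source references the copied MIT struct layouts any more, so mit-internals.h should be deleted from the tree (and from any dist or install list) in the same change; message #30 already shows its 1.3-era krb5_gss_cred_id_rec no longer matches 1.4.3, and leaving the header around invites someone to include it again. Minor: the removal leaves two consecutive blank lines before the "Auth Configuration Initialization" banner.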
@@ -993,6 +965,12 @@
    gss_name_t server_name = GSS_C_NO_NAME;
    char buf[1024];
 
+#ifndef HEIMDAL
+   /* Suppress the MIT replay cache.  Requires MIT Kerberos 1.4.0 or later. */
+   if (getenv("KRB5RCACHETYPE") == NULL)
+       putenv("KRB5RCACHETYPE=none");
+#endif
+
    snprintf(buf, sizeof(buf), "%s@%s", conf->krb_service_name,
 	    ap_get_server_name(r));
 
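Review bot: this putenv() sits in the per-request credential path (the function goes on to call ap_get_server_name(r) a few lines down), so under a threaded MPM it rewrites the process environment while other threads may be inside getenv(), which is not safe; set it once from a post_config or child_init hook instead. The `getenv("KRB5RCACHETYPE") == NULL` guard is right in that an administrator's explicit setting wins, but the comment should state the two consequences of the new approach: the variable is process-wide, so every other Kerberos consumer inside httpd also loses its replay cache, and the module now requires MIT Kerberos 1.4.0 or later, which the README and changelog should record as the new minimum.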
@@ -1035,27 +1013,6 @@
       return HTTP_INTERNAL_SERVER_ERROR;
    }
 
-#ifndef HEIMDAL
-   /*
-    * With MIT Kerberos 5 1.3.x the gss_cred_id_t is the same as
-    * krb5_gss_cred_id_t and krb5_gss_cred_id_rec contains a pointer to
-    * the replay cache.
-    * This allows us to override the replay cache function vector with
-    * our own one.
-    * Note that this is a dirty hack to get things working and there may
-    * well be unknown side-effects.
-    */
-   {
-      krb5_gss_cred_id_t gss_creds = (krb5_gss_cred_id_t) *server_creds;
-
-      if (gss_creds && gss_creds->rcache && gss_creds->rcache->ops &&
-	  gss_creds->rcache->ops->type &&  
-	  memcmp(gss_creds->rcache->ops->type, "dfl", 3) == 0)
-          /* Override the rcache operations */
-	 gss_creds->rcache->ops = &mod_auth_kerb_rc_ops;
-   }
-#endif
-   
    return 0;
 }
 
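Review bot: the block being removed only swapped the store callback for the "dfl" type and left the rcache object itself in place, whereas `KRB5RCACHETYPE=none` makes the library skip replay detection for this acceptor entirely; the module documentation should say so explicitly, namely that gss_accept_sec_context() will now accept the same Negotiate token more than once, so the HTTP exchange has to be protected by TLS for the replay cache's absence to be acceptable.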
-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#340360; Package libapache2-mod-auth-kerb.


Acknowledgement sent to Sam Hartman <hartmans@debian.org>:
Extra info received and forwarded to list.


Message #40 received at 340360@bugs.debian.org:

From: Sam Hartman <hartmans@debian.org>
To: Russ Allbery <rra@debian.org>
Cc: 340360@bugs.debian.org
Subject: Re: Bug#340360: libapache2-mod-auth-kerb: GSSAPI fails with "Request is a replay" under krb5 1.4.3
Date: Tue, 22 Nov 2005 23:24:39 -0500
>>>>> "Russ" == Russ Allbery <rra@debian.org> writes:

    Russ> Sam Hartman <hartmans@debian.org> writes:
    >> Be aware that there is special code to try and disable the
    >> replay cache in mod-auth-kerb; it may interact badly with
    >> changes in krb5.

    Russ> I must say that it's tempting to just set KRB5RCACHETYPE to
    Russ> "none".  Alas, that's probably a bad idea in an Apache
    Russ> module due to the annoying global and inherited nature of
    Russ> environment variables.

I would be very tempted to just do that.




Tags added: patch. Request was from Russ Allbery <rra@debian.org> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Ghe Rivero <ghe@upsa.es>:
Bug#340360; Package libapache2-mod-auth-kerb.


Acknowledgement sent to Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. Copy sent to Ghe Rivero <ghe@upsa.es>.


Message #47 received at 340360@bugs.debian.org:

From: Russ Allbery <rra@debian.org>
To: 340360@bugs.debian.org
Cc: hartmans@debian.org
Subject: Needs fix for MIT Kerberos 1.4
Date: Wed, 30 Nov 2005 14:48:54 -0800
severity 340360 grave
thanks

We're about to upload MIT Kerberos 1.4.3 to unstable, which will break at
least the SPNEGO GSSAPI support of this module in a nasty fashion due to
its use of undocumented internals of the Kerberos libraries that have
changed.  The new upload will conflict with the current version to give
people some warning and keep from creating a module that just loops, but a
new version should be uploaded with the patch in this bug or some other
fix.

Please let me know if you need a sponsor or other help in preparing an
upload.

Thanks!

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>



Severity set to `grave'. Request was from Russ Allbery <rra@debian.org> to control@bugs.debian.org.


Changed Bug submitter from Russ Allbery <rra@stanford.edu> to Russ Allbery <rra@debian.org>. Request was from Russ Allbery <rra@debian.org> to control@bugs.debian.org.


Reply sent to Ghe Rivero <ghe@upsa.es>:
You have taken responsibility.


Notification sent to Russ Allbery <rra@debian.org>:
Bug acknowledged by developer.


Message #56 received at 340360-close@bugs.debian.org:

From: Ghe Rivero <ghe@upsa.es>
To: 340360-close@bugs.debian.org
Subject: Bug#340360: fixed in libapache-mod-auth-kerb 4.996-5.0-rc6-3
Date: Wed, 14 Dec 2005 14:21:54 -0800
Source: libapache-mod-auth-kerb
Source-Version: 4.996-5.0-rc6-3

We believe that the bug you reported is fixed in the latest version of
libapache-mod-auth-kerb, which is due to be installed in the Debian FTP archive:

libapache-mod-auth-kerb_4.996-5.0-rc6-3.diff.gz
  to pool/main/liba/libapache-mod-auth-kerb/libapache-mod-auth-kerb_4.996-5.0-rc6-3.diff.gz
libapache-mod-auth-kerb_4.996-5.0-rc6-3.dsc
  to pool/main/liba/libapache-mod-auth-kerb/libapache-mod-auth-kerb_4.996-5.0-rc6-3.dsc
libapache-mod-auth-kerb_4.996-5.0-rc6-3_i386.deb
  to pool/main/liba/libapache-mod-auth-kerb/libapache-mod-auth-kerb_4.996-5.0-rc6-3_i386.deb
libapache2-mod-auth-kerb_4.996-5.0-rc6-3_i386.deb
  to pool/main/liba/libapache-mod-auth-kerb/libapache2-mod-auth-kerb_4.996-5.0-rc6-3_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 340360@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ghe Rivero <ghe@upsa.es> (supplier of updated libapache-mod-auth-kerb package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Wed, 14 Dec 2005 12:39:55 +0100
Source: libapache-mod-auth-kerb
Binary: libapache-mod-auth-kerb libapache2-mod-auth-kerb
Architecture: source i386
Version: 4.996-5.0-rc6-3
Distribution: unstable
Urgency: low
Maintainer: Ghe Rivero <ghe@upsa.es>
Changed-By: Ghe Rivero <ghe@upsa.es>
Description: 
 libapache-mod-auth-kerb - apache module for Kerberos authentication
 libapache2-mod-auth-kerb - apache2 module for Kerberos authentication
Closes: 340360
Changes: 
 libapache-mod-auth-kerb (4.996-5.0-rc6-3) unstable; urgency=low
 .
   * Fix: GSSAPI fails with "Request is a replay" under krb5 1.4.3.
     Closes:#340360
   * Updated policy Version to 3.6.2
Files: 
 7e8f677ab8cc48e17f5b85ad2835dc38 776 web optional libapache-mod-auth-kerb_4.996-5.0-rc6-3.dsc
 2f60ca290c5d70784a721e21cad2ca84 40308 web optional libapache-mod-auth-kerb_4.996-5.0-rc6-3.diff.gz
 4523d26322b0c6206c060f1fd079acb8 24134 web optional libapache-mod-auth-kerb_4.996-5.0-rc6-3_i386.deb
 37f6d8f17acbe591f58c6f1df0bce8ab 25620 web optional libapache2-mod-auth-kerb_4.996-5.0-rc6-3_i386.deb





Tags added: pending. Request was from rra@debian.org to control@bugs.debian.org.


Tags set to: patch. Request was from Russ Allbery <rra@debian.org> to control@bugs.debian.org.


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 02:28:28 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jul 24 04:45:54 2024; Machine Name: bembo
