... when using login=NEGOTIATE to authenticate via kerberos to a peer.
When specified, this option prevents Squid from crafting a kerberos
credentials cache from a keytab, but instead lets GSSAPI use an existing
credentials cache.
of queued requests.
<tag>cache_peer</tag>
+ <p>New option <em>auth-no-keytab</em> to let GSSAPI implementation determine
+ which Kerberos credentials to use, instead of specifying a keytab.
<p>New option <em>tls-min-version=1.N</em> to set minimum TLS version allowed.
<p>New option <em>tls-no-default-ca</em> replaces <em>sslflags=NO_DEFAULT_CA</em>
<p>New option <em>tls-no-npn</em> to disable sending TLS NPN extension.
#if PEER_MULTICAST_SIBLINGS
bool mcast_siblings;
#endif
+ bool auth_no_keytab;
} options;
int weight;
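Review bot: The new `bool auth_no_keytab;` in the `options` struct has no comment, and its meaning (do not build a Kerberos credentials cache from a keytab; let GSSAPI use the ccache it already finds) is not recoverable from the name alone; add `bool auth_no_keytab; ///< login=NEGOTIATE: use an existing ccache instead of creating one from a keytab`. The enclosing struct begins before this hunk, so I cannot see whether CachePeer objects are zero-allocated; if they are not, the new member also needs an explicit initializer that this hunk does not add.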
++ serverConnection()->getPeer()->stats.fetches;
request->peer_login = serverConnection()->getPeer()->login;
request->peer_domain = serverConnection()->getPeer()->domain;
+ request->flags.auth_no_keytab = serverConnection()->getPeer()->options.auth_no_keytab;
httpStart(this);
} else {
assert(!request->flags.sslPeek);
request->peer_login = NULL;
request->peer_domain = NULL;
+ request->flags.auth_no_keytab = 0;
switch (request->url.getScheme()) {
#if USE_OPENSSL
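Review bot: `request->flags.auth_no_keytab = 0;` assigns an integer to a `bool` bit-field, while the parallel resets in tunnel.cc use `false`; write `request->flags.auth_no_keytab = false;` so the three call sites read alike. The value copied from `getPeer()->options.auth_no_keytab` is only consulted on the NEGOTIATE login path, so a peer configured with auth-no-keytab and a different login scheme carries an unused bit here; a one-line comment at the copy, `// only meaningful when peer_login is NEGOTIATE`, would save the next reader a search. FwdState::dispatch starts before and ends after this hunk.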
bool ims :1;
/** request is authenticated */
bool auth :1;
+ /** do not use keytabs for peer Kerberos authentication */
+ bool auth_no_keytab :1;
/** he response to the request may be stored in the cache */
bool cachable :1;
/** the request can be forwarded through the hierarchy */
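Review bot: `bool auth_no_keytab :1;` is a new bit-field, and a bit-field not covered by the struct's constructor or a default member initializer holds an indeterminate value unless the object is value-initialized; if RequestFlags has a constructor initializer list outside this hunk, `auth_no_keytab(false)` must be added to it — I cannot see it from here, so please confirm. The comment could also say where the bit comes from, since it is only ever copied from the selected peer: `/** do not use keytabs for peer Kerberos authentication (copied from CachePeer::options.auth_no_keytab) */`.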
} else if (!strncmp(token, "login=", 6)) {
p->login = xstrdup(token + 6);
rfc1738_unescape(p->login);
+ } else if (!strcmp(token, "auth-no-keytab")) {
+ p->options.auth_no_keytab = 1;
} else if (!strncmp(token, "connect-timeout=", 16)) {
p->connect_timeout = xatoi(token + 16);
} else if (!strncmp(token, "connect-fail-limit=", 19)) {
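Review bot: `auth-no-keytab` is accepted on any cache_peer line regardless of `login=`, yet it only changes behaviour on the login=NEGOTIATE path, so a misplaced option is silently ignored and the administrator believes the keytab is no longer in use when it still is. After the option loop (outside this hunk) warn when the combination cannot take effect, e.g. `if (p->options.auth_no_keytab && (!p->login || strncmp(p->login, "NEGOTIATE", 9) != 0)) debugs(3, DBG_IMPORTANT, "WARNING: cache_peer " << p->host << ": auth-no-keytab has no effect without login=NEGOTIATE");`. The check has to run after all tokens are parsed because `login=` may appear after `auth-no-keytab` on the same line. parse_peer begins before and ends after this hunk.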
Default is auto to automatically determine the status
of the peer.
+ auth-no-keytab
+ Do not use a keytab to authenticate to a peer when
+ login=NEGOTIATE is specified. Let the GSSAPI
+ implementation determine which already existing
+ credentials cache to use instead.
+
==== SSL / HTTPS / TLS OPTIONS ====
if (strncmp(request->peer_login, "NEGOTIATE",strlen("NEGOTIATE")) == 0) {
char *Token=NULL;
char *PrincipalName=NULL,*p;
+ int negotiate_flags = 0;
+
if ((p=strchr(request->peer_login,':')) != NULL ) {
PrincipalName=++p;
}
- Token = peer_proxy_negotiate_auth(PrincipalName, request->peer_host);
+ if (request->flags.auth_no_keytab) {
+ negotiate_flags |= PEER_PROXY_NEGOTIATE_NOKEYTAB;
+ }
+ Token = peer_proxy_negotiate_auth(PrincipalName, request->peer_host, negotiate_flags);
if (Token) {
httpHeaderPutStrf(hdr_out, header, "Negotiate %s",Token);
}
* peer_proxy_negotiate_auth gets a GSSAPI token for principal_name
* and base64 encodes it.
*/
-char *peer_proxy_negotiate_auth(char *principal_name, char *proxy) {
+char *peer_proxy_negotiate_auth(char *principal_name, char *proxy, int flags) {
int rc = 0;
OM_uint32 major_status, minor_status;
gss_ctx_id_t gss_context = GSS_C_NO_CONTEXT;
return NULL;
}
- if (principal_name)
- debugs(11, 5,
- HERE << "Creating credential cache for " << principal_name);
- else
- debugs(11, 5, HERE << "Creating credential cache");
- rc = krb5_create_cache(NULL, principal_name);
- if (rc) {
- debugs(11, 5, HERE << "Error : Failed to create Kerberos cache");
- krb5_cleanup();
- return NULL;
+ if (!(flags & PEER_PROXY_NEGOTIATE_NOKEYTAB)) {
+ if (principal_name)
+ debugs(11, 5,
+ HERE << "Creating credential cache for " << principal_name);
+ else
+ debugs(11, 5, HERE << "Creating credential cache");
+ rc = krb5_create_cache(NULL, principal_name);
+ if (rc) {
+ debugs(11, 5, HERE << "Error : Failed to create Kerberos cache");
+ krb5_cleanup();
+ return NULL;
+ }
}
service.value = (void *) xmalloc(strlen("HTTP") + strlen(proxy) + 2);
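Review bot: With `PEER_PROXY_NEGOTIATE_NOKEYTAB` set, `principal_name` is never used: its only consumer was `krb5_create_cache(NULL, principal_name)`, which the new branch skips, so `login=NEGOTIATE:principal` combined with auth-no-keytab silently authenticates with whatever credentials cache GSSAPI selects for the Squid process rather than with the configured principal. At minimum make that visible, `if (principal_name) debugs(11, DBG_IMPORTANT, HERE << "auth-no-keytab set: ignoring principal " << principal_name << ", using existing GSSAPI credentials");`, and preferably compare the name of the acquired credential with `principal_name` before sending a token for it. Note also that `krb5_cleanup()` is now only reached from the failure path inside the keytab branch; if `krb5_create_cache` is also what initializes the state that the remainder of this function (outside the hunk) relies on, the NOKEYTAB path must set that state up itself — worth confirming against the rest of the file.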
#define SQUID_PEER_PROXY_NEGOTIATE_AUTH_H_
#if HAVE_AUTH_MODULE_NEGOTIATE && HAVE_KRB5 && HAVE_GSSAPI
+
+#define PEER_PROXY_NEGOTIATE_NOKEYTAB 1
+
/* upstream proxy authentication */
-SQUIDCEXTERN char *peer_proxy_negotiate_auth(char *principal_name, char *proxy);
+SQUIDCEXTERN char *peer_proxy_negotiate_auth(char *principal_name, char *proxy, int flags);
#endif
#endif /* SQUID_PEER_PROXY_NEGOTIATE_AUTH_H_ */
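Review bot: `#define PEER_PROXY_NEGOTIATE_NOKEYTAB 1` is an undocumented flag bit, and the new `int flags` parameter on `peer_proxy_negotiate_auth` does not say it is a bitmask of such values; add `/* bits for the flags argument of peer_proxy_negotiate_auth() */` above the define and `/* do not create a credentials cache from a keytab; use the ccache GSSAPI already has */` on the define itself. A short comment on the prototype stating that `principal_name` is ignored when this bit is set would also match what the implementation now does.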
if (conn->getPeer()) {
tunnelState->request->peer_login = conn->getPeer()->login;
tunnelState->request->peer_domain = conn->getPeer()->domain;
+ tunnelState->request->flags.auth_no_keytab = conn->getPeer()->options.auth_no_keytab;
tunnelState->request->flags.proxying = !(conn->getPeer()->options.originserver);
} else {
tunnelState->request->peer_login = NULL;
tunnelState->request->peer_domain = NULL;
+ tunnelState->request->flags.auth_no_keytab = false;
tunnelState->request->flags.proxying = false;
}
if (srvConn->getPeer()) {
tunnelState->request->peer_login = srvConn->getPeer()->login;
tunnelState->request->peer_domain = srvConn->getPeer()->domain;
+ tunnelState->request->flags.auth_no_keytab = srvConn->getPeer()->options.auth_no_keytab;
tunnelState->request->flags.proxying = !(srvConn->getPeer()->options.originserver);
} else {
tunnelState->request->peer_login = NULL;
tunnelState->request->peer_domain = NULL;
+ tunnelState->request->flags.auth_no_keytab = false;
tunnelState->request->flags.proxying = false;
}
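Review bot: This is the third place (FwdState::dispatch and the two tunnel.cc branches) that copies the same four fields — `peer_login`, `peer_domain`, `flags.auth_no_keytab`, `flags.proxying` — from a CachePeer into the request and clears them when there is no peer; every new per-peer option now has to be threaded through all three by hand, which is how `= 0` and `= false` already diverged between them. Factor the copy into one file-local helper and call it from both tunnel.cc sites, `tunnelSetPeerAuth(tunnelState->request, srvConn->getPeer());`, passing the raw HttpRequest pointer if `request` is a smart pointer. The enclosing function starts before this hunk.
```cpp
/* Copy per-peer authentication settings into the request, or clear them when there is no peer. */
static void
tunnelSetPeerAuth(HttpRequest *request, const CachePeer *peer)
{
    if (peer) {
        request->peer_login = peer->login;
        request->peer_domain = peer->domain;
        request->flags.auth_no_keytab = peer->options.auth_no_keytab;
        request->flags.proxying = !peer->options.originserver;
    } else {
        request->peer_login = NULL;
        request->peer_domain = NULL;
        request->flags.auth_no_keytab = false;
        request->flags.proxying = false;
    }
}

// … unchanged: connection setup before the call site …
tunnelSetPeerAuth(tunnelState->request, srvConn->getPeer());
```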