Re: [squid-users] Re: squid_kerb_auth on mac os x

From: Brian Kirk <bekirk_at_gmail.com>
Date: Fri, 27 Jun 2008 13:19:07 -0400

I am going through a similar nightmare in our environment, we
currently use NTLM auth and since we have over 6000 Internet users
this isn't very efficient. I can't get Kerberos to work. I used the
./squid_kerb_auth_test program to generate the blob, and it is over
5000 characters long. The squid_kerb_auth seems limited to 4096, am I
going to have to alter the squid_kerb_auth code or am I doing something
wrong to get that big of a blob?

On 6/7/08, Markus Moeller <huaraz_at_moeller.plus.com> wrote:
> Find below a small test program to create a token. Run a kinit as a user
> and then ./squid_kerb_auth_test proxy_fqdn. It creates a token like:
>
> ./squid_kerb_auth_test opensuse.suse.home
> Token:
> YIIB/gYJKoZIhvcSAQICAQBuggHtMIIB6aADAgEFoQMCAQ6iBwMFAAAAAACjggEWYYIBEjCCAQ6gAwIBBaELGwlTVVNFLkhPTUWiJTAjoAMCAQOhHDAaGwRIVFRQGxJvcGVuc3VzZS5zdXNlLmhvbWWjgdIwgc+gAwIBF6EDAgEDooHCBIG/3ZmN10yosQbc3IkfBaq/pW6LiWMyDFmxec6M13jhnBU36eKJL1cIsqp3EArME/dVR3Y0FC7QSguW4mNJrtr44vGQD8NdYGHqUxFWH7uIkLE9YnAQnuimj/pefsI7s4EKCo+cqlecVIx2aXtVuubicH1e+CSB+QlH7ZIWpAoCfaLFkxLl6OoZ42ixxou0e+aBCyZQ+1n3PH1Xts7MuFz+6OTQh+IhBWbQbLY54oKnCivjptbsLZH5D0uKS31i01ukgbkwgbagAwIBF6KBrgSBq9OLL0umYzCethf/CUEcQ6+7xobZYVsyIJtsV9IwAFAscVVO4hbMW3jKbM8BYLts72QCShJPTgBlAaoWwCy/YpZezNwPnYDm2lYDjfPZ2/r23326SmXKtPbNT1VFc+yPwAMrYPCxJr92Cxg2OI4z1qQWcCdRR6c5tidX3SSH4rX+YJHEAVKD/mMsFXmO18iT08B/pG4HQ8BcGs3UvQh4hXwOrnSBeR4xonljtQ==
>
> Then set the keytab with export
> KRB5_KTNAME=FILE:/etc/squid/squid.keytab and run
> ./squid_kerb_auth -d -i -s HTTP/proxy_fqdn and enter the token starting with
> YR as follows (in one line)
>
> ./squid_kerb_auth -d -i -s HTTP/opensuse.suse.home@SUSE.HOME
> YR
> YIIB/gYJKoZIhvcSAQICAQBuggHtMIIB6aADAgEFoQMCAQ6iBwMFAAAAAACjggEWYYIBEjCCAQ6gAwIBBaELGwlTVVNFLkhPTUWiJTAjoAMCAQOhHDAaGwRIVFRQGxJvcGVuc3VzZS5zdXNlLmhvbWWjgdIwgc+gAwIBF6EDAgEDooHCBIG/3ZmN10yosQbc3IkfBaq/pW6LiWMyDFmxec6M13jhnBU36eKJL1cIsqp3EArME/dVR3Y0FC7QSguW4mNJrtr44vGQD8NdYGHqUxFWH7uIkLE9YnAQnuimj/pefsI7s4EKCo+cqlecVIx2aXtVuubicH1e+CSB+QlH7ZIWpAoCfaLFkxLl6OoZ42ixxou0e+aBCyZQ+1n3PH1Xts7MuFz+6OTQh+IhBWbQbLY54oKnCivjptbsLZH5D0uKS31i01ukgbkwgbagAwIBF6KBrgSBq7SAvkLhcONUUF5s01suOu2vdgwD2vxbYsT0DLgOYbH2w+dF9doOVk1D6rRTvjQmVN/SnS/SLXAwUIW776vYIhlzTGBQLioCypYRjmpGgq73A7//wC1b7/NXV5Ml6czAegeVHT0S01Y43kGtPihW1sO7fmKmn8Rak8qjKq6QNdQLnjK3wAnzf9KOnG6Hf0QlW/hQPSCelPN4EI7qyrDjMjVUKkiiLPnG1xxKtA==
> 2008/06/07 22:52:11| squid_kerb_auth: Got 'YR
> YIIB/gYJKoZIhvcSAQICAQBuggHtMIIB6aADAgEFoQMCAQ6iBwMFAAAAAACjggEWYYIBEjCCAQ6gAwIBBaELGwlTVVNFLkhPTUWiJTAjoAMCAQOhHDAaGwRIVFRQGxJvcGVuc3VzZS5zdXNlLmhvbWWjgdIwgc+gAwIBF6EDAgEDooHCBIG/3ZmN10yosQbc3IkfBaq/pW6LiWMyDFmxec6M13jhnBU36eKJL1cIsqp3EArME/dVR3Y0FC7QSguW4mNJrtr44vGQD8NdYGHqUxFWH7uIkLE9YnAQnuimj/pefsI7s4EKCo+cqlecVIx2aXtVuubicH1e+CSB+QlH7ZIWpAoCfaLFkxLl6OoZ42ixxou0e+aBCyZQ+1n3PH1Xts7MuFz+6OTQh+IhBWbQbLY54oKnCivjptbsLZH5D0uKS31i01ukgbkwgbagAwIBF6KBrgSBq7SAvkLhcONUUF5s01suOu2vdgwD2vxbYsT0DLgOYbH2w+dF9doOVk1D6rRTvjQmVN/SnS/SLXAwUIW776vYIhlzTGBQLioCypYRjmpGgq73A7//wC1b7/NXV5Ml6czAegeVHT0S01Y43kGtPihW1sO7fmKmn8Rak8qjKq6QNdQLnjK3wAnzf9KOnG6Hf0QlW/hQPSCelPN4EI7qyrDjMjVUKkiiLPnG1xxKtA=='
> from squid (length: 691).
> 2008/06/07 22:52:12| squid_kerb_auth: parseNegTokenInit failed with rc=109
> 2008/06/07 22:52:12| squid_kerb_auth: Token is possibly a GSSAPI token
> AF AA== markus@SUSE.HOME
> 2008/06/07 22:52:12| squid_kerb_auth: AF AA== markus@SUSE.HOME
> 2008/06/07 22:52:12| squid_kerb_auth: User markus@SUSE.HOME authenticated
>
>
> Regards
> Markus
>
> Compile: gcc -o squid_kerb_auth_test squid_kerb_auth_test.c -lgssapi_krb5 -lkrb5
>
> /*
> * -----------------------------------------------------------------------------
> *
> * Author: Markus Moeller (markus_moeller at compuserve.com)
> *
> * Copyright (C) 2007 Markus Moeller. All rights reserved.
> *
> * This program is free software; you can redistribute it and/or modify
> * it under the terms of the GNU General Public License as published by
> * the Free Software Foundation; either version 2 of the License, or
> * (at your option) any later version.
> *
> * This program is distributed in the hope that it will be useful,
> * but WITHOUT ANY WARRANTY; without even the implied warranty of
> * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> * GNU General Public License for more details.
> *
> * You should have received a copy of the GNU General Public License
> * along with this program; if not, write to the Free Software
> * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
> *
> * -----------------------------------------------------------------------------
> */
> /*
> * Hosted at http://sourceforge.net/projects/squidkerbauth
> */
>
> #ifndef HEIMDAL
> #include <profile.h>
> #endif
> #include <krb5.h>
>
> #include <unistd.h>
> #include <stdlib.h>
> #include <stdio.h>
> #include <string.h>
> #include <errno.h>
> #include <time.h>
> #include <sys/time.h>
>
> #ifdef HEIMDAL
> #include <gssapi.h>
> #define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE
> #else
> #include <gssapi/gssapi.h>
> #ifndef SOLARIS_11
> #include <gssapi/gssapi_generic.h>
> #else
> #define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE
> #endif
> #endif
>
> static const char *LogTime(void);
>
> int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status, const char* function);
>
> #define PROGRAM "squid_kerb_auth_test"
>
> static const char *LogTime()
> {
> struct tm *tm;
> struct timeval now;
> static time_t last_t = 0;
> static char buf[128];
>
> gettimeofday(&now, NULL);
> if (now.tv_sec != last_t) {
> tm = localtime(&now.tv_sec);
> strftime(buf, 127, "%Y/%m/%d %H:%M:%S", tm);
> last_t = now.tv_sec;
> }
> return buf;
> }
>
> #ifdef HAVE_SPNEGO
> #ifndef gss_mech_spnego
> static gss_OID_desc _gss_mech_spnego = {6, (void *)"\x2b\x06\x01\x05\x05\x02"};
> gss_OID gss_mech_spnego = &_gss_mech_spnego;
> #endif
> #endif
>
> int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status, const char* function){
> if (GSS_ERROR(major_status)) {
> OM_uint32 maj_stat,min_stat;
> OM_uint32 msg_ctx = 0;
> gss_buffer_desc status_string;
> char buf[1024];
> size_t len;
>
> len = 0;
> msg_ctx = 0;
> while (!msg_ctx) {
> /* convert major status code (GSS-API error) to text */
> maj_stat = gss_display_status(&min_stat, major_status,
> GSS_C_GSS_CODE,
> GSS_C_NULL_OID,
> &msg_ctx, &status_string);
> if (maj_stat == GSS_S_COMPLETE) {
> if (sizeof(buf) > len + status_string.length + 1) {
> sprintf(buf+len, "%s", (char*) status_string.value);
> len += status_string.length;
> }
> gss_release_buffer(&min_stat, &status_string);
> break;
> }
> gss_release_buffer(&min_stat, &status_string);
> }
> if (sizeof(buf) > len + 2) {
> sprintf(buf+len, "%s", ". ");
> len += 2;
> }
> msg_ctx = 0;
> while (!msg_ctx) {
> /* convert minor status code (underlying routine error) to text */
> maj_stat = gss_display_status(&min_stat, minor_status,
> GSS_C_MECH_CODE,
> GSS_C_NULL_OID,
> &msg_ctx, &status_string);
> if (maj_stat == GSS_S_COMPLETE) {
> if (sizeof(buf) > len + status_string.length ) {
> sprintf(buf+len, "%s", (char*) status_string.value);
> len += status_string.length;
> }
> gss_release_buffer(&min_stat, &status_string);
> break;
> }
> gss_release_buffer(&min_stat, &status_string);
> }
> fprintf(stderr, "%s| %s: %s failed: %s\n", LogTime(), PROGRAM, function, buf);
> return(1);
> }
> return(0);
> }
>
> static void base64_init(void);
>
> static int base64_initialized = 0;
> #define BASE64_VALUE_SZ 256
> #define BASE64_RESULT_SZ 8192
> int base64_value[BASE64_VALUE_SZ];
> const char base64_code[] =
> "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
>
> static void
> base64_init(void)
> {
> int i;
>
> for (i = 0; i < BASE64_VALUE_SZ; i++)
> base64_value[i] = -1;
>
> for (i = 0; i < 64; i++)
> base64_value[(int) base64_code[i]] = i;
> base64_value['='] = 0;
>
> base64_initialized = 1;
> }
>
> char *
> base64_decode(const char *p)
> {
> static char result[BASE64_RESULT_SZ];
> int j;
> int c;
> long val;
> if (!p)
> return NULL;
> if (!base64_initialized)
> base64_init();
> val = c = 0;
> for (j = 0; *p && j + 4 < BASE64_RESULT_SZ; p++) {
> unsigned int k = ((unsigned char) *p) % BASE64_VALUE_SZ;
> if (base64_value[k] < 0)
> continue;
> val <<= 6;
> val += base64_value[k];
> if (++c < 4)
> continue;
> /* One quantum of four encoding characters/24 bit */
> result[j++] = val >> 16; /* High 8 bits */
> result[j++] = (val >> 8) & 0xff; /* Mid 8 bits */
> result[j++] = val & 0xff; /* Low 8 bits */
> val = c = 0;
> }
> result[j] = 0;
> return result;
> }
>
> /* adopted from http://ftp.sunet.se/pub2/gnu/vm/base64-encode.c with adjustments */
> const char *
> base64_encode(const char *decoded_str)
> {
> static char result[BASE64_RESULT_SZ];
> int bits = 0;
> int char_count = 0;
> int out_cnt = 0;
> int c;
>
> if (!decoded_str)
> return decoded_str;
>
> if (!base64_initialized)
> base64_init();
>
> while ((c = (unsigned char) *decoded_str++) && out_cnt < sizeof(result) - 5) {
> bits += c;
> char_count++;
> if (char_count == 3) {
> result[out_cnt++] = base64_code[bits >> 18];
> result[out_cnt++] = base64_code[(bits >> 12) & 0x3f];
> result[out_cnt++] = base64_code[(bits >> 6) & 0x3f];
> result[out_cnt++] = base64_code[bits & 0x3f];
> bits = 0;
> char_count = 0;
> } else {
> bits <<= 8;
> }
> }
> if (char_count != 0) {
> bits <<= 16 - (8 * char_count);
> result[out_cnt++] = base64_code[bits >> 18];
> result[out_cnt++] = base64_code[(bits >> 12) & 0x3f];
> if (char_count == 1) {
> result[out_cnt++] = '=';
> result[out_cnt++] = '=';
> } else {
> result[out_cnt++] = base64_code[(bits >> 6) & 0x3f];
> result[out_cnt++] = '=';
> }
> }
> result[out_cnt] = '\0'; /* terminate */
> return result;
> }
>
> /* adopted from http://ftp.sunet.se/pub2/gnu/vm/base64-encode.c with adjustments */
> const char *
> base64_encode_bin(const char *data, int len)
> {
> static char result[BASE64_RESULT_SZ];
> int bits = 0;
> int char_count = 0;
> int out_cnt = 0;
>
> if (!data)
> return data;
>
> if (!base64_initialized)
> base64_init();
>
> while (len-- && out_cnt < sizeof(result) - 5) {
> int c = (unsigned char) *data++;
> bits += c;
> char_count++;
> if (char_count == 3) {
> result[out_cnt++] = base64_code[bits >> 18];
> result[out_cnt++] = base64_code[(bits >> 12) & 0x3f];
> result[out_cnt++] = base64_code[(bits >> 6) & 0x3f];
> result[out_cnt++] = base64_code[bits & 0x3f];
> bits = 0;
> char_count = 0;
> } else {
> bits <<= 8;
> }
> }
> if (char_count != 0) {
> bits <<= 16 - (8 * char_count);
> result[out_cnt++] = base64_code[bits >> 18];
> result[out_cnt++] = base64_code[(bits >> 12) & 0x3f];
> if (char_count == 1) {
> result[out_cnt++] = '=';
> result[out_cnt++] = '=';
> } else {
> result[out_cnt++] = base64_code[(bits >> 6) & 0x3f];
> result[out_cnt++] = '=';
> }
> }
> result[out_cnt] = '\0'; /* terminate */
> return result;
> }
> const char *squid_kerb_proxy_auth(char* principal_name, char *proxy) {
> int rc=0;
> OM_uint32 major_status, minor_status;
> gss_ctx_id_t gss_context = GSS_C_NO_CONTEXT;
> gss_name_t server_name = GSS_C_NO_NAME;
> gss_buffer_desc service = GSS_C_EMPTY_BUFFER;
> gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
> gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
> const char *token = NULL;
>
> setbuf(stdout,NULL);
> setbuf(stdin,NULL);
>
> if (!proxy ) {
> fprintf(stderr, "%s| %s: Error: No proxy server name\n", LogTime(), PROGRAM);
> return NULL;
> }
>
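> service.value = malloc(strlen("HTTP")+strlen(proxy)+2);
> if (!service.value) {
> /* malloc can fail; do not pass a NULL buffer to snprintf() */
> fprintf(stderr, "%s| %s: Error: malloc failed\n", LogTime(), PROGRAM);
> return NULL;
> }
> snprintf(service.value,strlen("HTTP")+strlen(proxy)+2,"%s@%s","HTTP",proxy);
> service.length = strlen((char *)service.value);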
>
> major_status = gss_import_name(&minor_status, &service,
> gss_nt_service_name, &server_name);
>
> if (check_gss_err(major_status,minor_status,"gss_import_name()"))
> goto cleanup;
>
> major_status = gss_init_sec_context(&minor_status,
> GSS_C_NO_CREDENTIAL,
> &gss_context,
> server_name,
> #ifdef HAVE_SPNEGO
> gss_mech_spnego,
> #else
> 0,
> #endif
> 0,
> 0,
> GSS_C_NO_CHANNEL_BINDINGS,
> &input_token,
> NULL,
> &output_token,
> NULL,
> NULL);
>
> if (check_gss_err(major_status,minor_status,"gss_init_sec_context()"))
> goto cleanup;
>
> if (output_token.length) {
>
> token = (const char*)base64_encode_bin((const char*)output_token.value,output_token.length);
> }
>
>
> cleanup:
> gss_delete_sec_context(&minor_status, &gss_context, NULL);
> gss_release_buffer(&minor_status, &service);
> gss_release_buffer(&minor_status, &input_token);
> gss_release_buffer(&minor_status, &output_token);
> gss_release_name(&minor_status, &server_name);
>
> return token;
> }
>
> int main(int argc, char *argv[]) {
>
> const char *Token;
>
> /* argc counts the program name, so a proxy name requires argc >= 2 */
> if (argc < 2) {
> fprintf(stderr, "%s| %s: Error: No proxy server name given\n", LogTime(), PROGRAM);
> exit(99);
> }
> Token = (const char *)squid_kerb_proxy_auth(NULL,argv[1]);
> fprintf(stdout,"Token: %s\n",Token?Token:"NULL");
>
> exit(0);
> }
>
> "Markus Moeller" <huaraz_at_moeller.plus.com> wrote in message
> news:g2c9kv$5vc$1_at_ger.gmane.org...
>
> > I can create a simple test tool to create blobs. I will post it later next
> > week.
> >
> > Markus
> >
> > "Henrik Nordstrom" <henrik_at_henriknordstrom.net> wrote in message
> > news:1212619464.15703.1.camel_at_henriknordstrom.net...
> >
> > > On ons, 2008-06-04 at 15:41 -0700, Alex Morken wrote:
> > >
> > >
> > > > Thank you Henrik. I kind of figured it needed something else, but I
> > > > wasn't sure what to put there. Where can I get or generate the
> > > > Kerberos GSSAPI blob I need for the input? I have been digging
> > > > around kerberos docs and haven't found what I needed.
> > > >
> > >
> > > Not sure. It's a kerberos authentication handshake, and initially
> > > depends on a challenge sent by the helper...
> > >
> > > Regards
> > > Henrik
> > >
Received on Fri Jun 27 2008 - 17:19:25 MDT
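
Added example, not part of the original thread and not code from squid_kerb_auth: a size and sanity check for one `YR <base64 token>` helper request line, showing how many raw token bytes fit under a fixed line limit and rejecting oversized input explicitly instead of truncating it. The 4096 figure is the limit reported in the post above, modelled here as an fgets()-style read into a buffer of that size (an assumption); all function names are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Assumption: 4096 is the helper limit reported in the post above,
 * modelled here as an fgets()-style read into a 4096-byte buffer. */
#define HELPER_LINE_MAX 4096

enum req_status { REQ_OK, REQ_TOO_LONG, REQ_BAD_PREFIX, REQ_BAD_BASE64 };

/* Raw bytes encoded by a padded base64 string, or 0 if it is malformed. */
size_t b64_decoded_len(const char *s, size_t len)
{
    size_t i, pad = 0;

    if (len == 0 || len % 4 != 0)
        return 0;
    for (i = 0; i < len; i++) {
        char c = s[i];
        int data = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                   (c >= '0' && c <= '9') || c == '+' || c == '/';
        if (c == '=' && i + 2 >= len)
            pad++;                 /* padding only in the last two places */
        else if (!data || pad)
            return 0;              /* illegal character or data after '=' */
    }
    return len / 4 * 3 - pad;
}

/* Largest raw token whose "YR <base64>\n" line fits in line_max bytes. */
size_t max_raw_token(size_t line_max)
{
    /* 3 bytes for "YR ", 1 for '\n', 1 for the terminating NUL */
    return line_max < 9 ? 0 : (line_max - 5) / 4 * 3;
}

/* Validate one request line (no trailing newline); sets *raw_len on REQ_OK. */
enum req_status check_request(const char *line, size_t line_max, size_t *raw_len)
{
    size_t len = strlen(line);

    if (len + 2 > line_max)        /* line + '\n' + NUL must fit */
        return REQ_TOO_LONG;
    if (len < 3 || strncmp(line, "YR ", 3) != 0)
        return REQ_BAD_PREFIX;
    *raw_len = b64_decoded_len(line + 3, len - 3);
    return *raw_len ? REQ_OK : REQ_BAD_BASE64;
}
```

Under these assumptions a 691-character request like the one in the quoted log is accepted, while a base64 blob of 5000 characters is rejected as too long for a 4096-byte line buffer.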
