[squid-users] Re: Re: squid_kerb_auth on mac os x

Brian,

 the read buffer in squid_kerb_auth is 6400 which I think should be
increased to 8192 the value used in squid for writing. The ticket is
usually only that big for users which are members of hundreds of Windows
Groups, which I have never seen before to be > 4k.

Can you try to increase in the main function the buffer buf to 8192 ?

Markus

"Brian Kirk" <bekirk_at_gmail.com> wrote in message
news:6ac1d44b0806271019t5ceef29di99902b366fcc21d4_at_mail.gmail.com...
>I am going through a simular nightmare in our environment, we
> currently use NTLM auth and since we have over 6000 Internet users
> this isn't very efficent. I can't get kerberos to work. I used the
> ./squid_kerb_auth_test program to generate the blob, and it is over
> 5000 characters long. The squid_kerb_auth seems limited to 4096, am I
> going the have to alter squid_kerb_auth code or am I doing something
> wrong to get that big of a blob?
>
> On 6/7/08, Markus Moeller <huaraz_at_moeller.plus.com> wrote:
>> Find below a small test program to create a token. Run a kinit as a user
>> and then ./squid_kerb_auth_test proxy_fqdn. It creates a token like:
>>
>> ./squid_kerb_auth_test opensuse.suse.home
>> Token:
>> YIIB/gYJKoZIhvcSAQICAQBuggHtMIIB6aADAgEFoQMCAQ6iBwMFAAAAAACjggEWYYIBEjCCAQ6gAwIBBaELGwlTVVNFLkhPTUWiJTAjoAMCAQOhHDAaGwRIVFRQGxJvcGVuc3VzZS5zdXNlLmhvbWWjgdIwgc+gAwIBF6EDAgEDooHCBIG/3ZmN10yosQbc3IkfBaq/pW6LiWMyDFmxec6M13jhnBU36eKJL1cIsqp3EArME/dVR3Y0FC7QSguW4mNJrtr44vGQD8NdYGHqUxFWH7uIkLE9YnAQnuimj/pefsI7s4EKCo+cqlecVIx2aXtVuubicH1e+CSB+QlH7ZIWpAoCfaLFkxLl6OoZ42ixxou0e+aBCyZQ+1n3PH1Xts7MuFz+6OTQh+IhBWbQbLY54oKnCivjptbsLZH5D0uKS31i01ukgbkwgbagAwIBF6KBrgSBq9OLL0umYzCethf/CUEcQ6+7xobZYVsyIJtsV9IwAFAscVVO4hbMW3jKbM8BYLts72QCShJPTgBlAaoWwCy/YpZezNwPnYDm2lYDjfPZ2/r23326SmXKtPbNT1VFc+yPwAMrYPCxJr92Cxg2OI4z1qQWcCdRR6c5tidX3SSH4rX+YJHEAVKD/mMsFXmO18iT08B/pG4HQ8BcGs3UvQh4hXwOrnSBeR4xonljtQ==
>>
>> Then set the keytab with export
>> KRB5_KTNAME=FILE:/etc/squid/squid.keytab and run
>> ./squid_kerb_auth -d -i -s HTTP/proxy_fqdn and enter the token starting
>> with
>> YR as follows (in one line)
>>
>> ./squid_kerb_auth -d -i -s
>> HTTP/opensuse.suse.home_at_SUSE.HOME
>> YR
>> YIIB/gYJKoZIhvcSAQICAQBuggHtMIIB6aADAgEFoQMCAQ6iBwMFAAAAAACjggEWYYIBEjCCAQ6gAwIBBaELGwlTVVNFLkhPTUWiJTAjoAMCAQOhHDAaGwRIVFRQGxJvcGVuc3VzZS5zdXNlLmhvbWWjgdIwgc+gAwIBF6EDAgEDooHCBIG/3ZmN10yosQbc3IkfBaq/pW6LiWMyDFmxec6M13jhnBU36eKJL1cIsqp3EArME/dVR3Y0FC7QSguW4mNJrtr44vGQD8NdYGHqUxFWH7uIkLE9YnAQnuimj/pefsI7s4EKCo+cqlecVIx2aXtVuubicH1e+CSB+QlH7ZIWpAoCfaLFkxLl6OoZ42ixxou0e+aBCyZQ+1n3PH1Xts7MuFz+6OTQh+IhBWbQbLY54oKnCivjptbsLZH5D0uKS31i01ukgbkwgbagAwIBF6KBrgSBq7SAvkLhcONUUF5s01suOu2vdgwD2vxbYsT0DLgOYbH2w+dF9doOVk1D6rRTvjQmVN/SnS/SLXAwUIW776vYIhlzTGBQLioCypYRjmpGgq73A7//wC1b7/NXV5Ml6czAegeVHT0S01Y43kGtPihW1sO7fmKmn8Rak8qjKq6QNdQLnjK3wAnzf9KOnG6Hf0QlW/hQPSCelPN4EI7qyrDjMjVUKkiiLPnG1xxKtA==
>> 2008/06/07 22:52:11| squid_kerb_auth: Got 'YR
>> YIIB/gYJKoZIhvcSAQICAQBuggHtMIIB6aADAgEFoQMCAQ6iBwMFAAAAAACjggEWYYIBEjCCAQ6gAwIBBaELGwlTVVNFLkhPTUWiJTAjoAMCAQOhHDAaGwRIVFRQGxJvcGVuc3VzZS5zdXNlLmhvbWWjgdIwgc+gAwIBF6EDAgEDooHCBIG/3ZmN10yosQbc3IkfBaq/pW6LiWMyDFmxec6M13jhnBU36eKJL1cIsqp3EArME/dVR3Y0FC7QSguW4mNJrtr44vGQD8NdYGHqUxFWH7uIkLE9YnAQnuimj/pefsI7s4EKCo+cqlecVIx2aXtVuubicH1e+CSB+QlH7ZIWpAoCfaLFkxLl6OoZ42ixxou0e+aBCyZQ+1n3PH1Xts7MuFz+6OTQh+IhBWbQbLY54oKnCivjptbsLZH5D0uKS31i01ukgbkwgbagAwIBF6KBrgSBq7SAvkLhcONUUF5s01suOu2vdgwD2vxbYsT0DLgOYbH2w+dF9doOVk1D6rRTvjQmVN/SnS/SLXAwUIW776vYIhlzTGBQLioCypYRjmpGgq73A7//wC1b7/NXV5Ml6czAegeVHT0S01Y43kGtPihW1sO7fmKmn8Rak8qjKq6QNdQLnjK3wAnzf9KOnG6Hf0QlW/hQPSCelPN4EI7qyrDjMjVUKkiiLPnG1xxKtA=='
>> from squid (length: 691).
>> 2008/06/07 22:52:12| squid_kerb_auth: parseNegTokenInit failed with
>> rc=109
>> 2008/06/07 22:52:12| squid_kerb_auth: Token is possibly a GSSAPI token
>> AF AA== markus_at_SUSE.HOME
>> 2008/06/07 22:52:12| squid_kerb_auth: AF AA== markus_at_SUSE.HOME
>> 2008/06/07 22:52:12| squid_kerb_auth: User markus_at_SUSE.HOME authenticated
>>
>>
>> Regards
>> Markus
>>
>> Compile gcc -o squid_kerb_auth_test squid_kerb_auth_test.c -lgssapi_krb5
>> -lkrb5
>>
>> /*
>> *
>> -----------------------------------------------------------------------------
>> *
>> * Author: Markus Moeller (markus_moeller at compuserve.com)
>> *
>> * Copyright (C) 2007 Markus Moeller. All rights reserved.
>> *
>> * This program is free software; you can redistribute it and/or modify
>> * it under the terms of the GNU General Public License as published by
>> * the Free Software Foundation; either version 2 of the License, or
>> * (at your option) any later version.
>> *
>> * This program is distributed in the hope that it will be useful,
>> * but WITHOUT ANY WARRANTY; without even the implied warranty of
>> * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
>> * GNU General Public License for more details.
>> *
>> * You should have received a copy of the GNU General Public License
>> * along with this program; if not, write to the Free Software
>> * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307,
>> USA.
>> *
>> *
>> -----------------------------------------------------------------------------
>> */
>> /*
>> * Hosted at http://sourceforge.net/projects/squidkerbauth
>> */
>>
>> #ifndef HEIMDAL
>> #include <profile.h>
>> #endif
>> #include <krb5.h>
>>
>> #include <unistd.h>
>> #include <stdlib.h>
>> #include <stdio.h>
>> #include <string.h>
>> #include <errno.h>
>> #include <time.h>
>> #include <sys/time.h>
>>
>> #ifdef HEIMDAL
>> #include <gssapi.h>
>> #define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE
>> #else
>> #include <gssapi/gssapi.h>
>> #ifndef SOLARIS_11
>> #include <gssapi/gssapi_generic.h>
>> #else
>> #define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE
>> #endif
>> #endif
>>
>> static const char *LogTime(void);
>>
>> int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status, const
>> char* function);
>>
>> #define PROGRAM "squid_kerb_auth_test"
>>
>> static const char *LogTime()
>> {
>> struct tm *tm;
>> struct timeval now;
>> static time_t last_t = 0;
>> static char buf[128];
>>
>> gettimeofday(&now, NULL);
>> if (now.tv_sec != last_t) {
>> tm = localtime(&now.tv_sec);
>> strftime(buf, 127, "%Y/%m/%d %H:%M:%S", tm);
>> last_t = now.tv_sec;
>> }
>> return buf;
>> }
>>
>> #ifdef HAVE_SPNEGO
>> #ifndef gss_mech_spnego
>> static gss_OID_desc _gss_mech_spnego = {6, (void
>> *)"\x2b\x06\x01\x05\x05\x02"};
>> gss_OID gss_mech_spnego = &_gss_mech_spnego;
>> #endif
>> #endif
>>
>> int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status, const
>> char* function){
>> if (GSS_ERROR(major_status)) {
>> OM_uint32 maj_stat,min_stat;
>> OM_uint32 msg_ctx = 0;
>> gss_buffer_desc status_string;
>> char buf[1024];
>> size_t len;
>>
>> len = 0;
>> msg_ctx = 0;
>> while (!msg_ctx) {
>> /* convert major status code (GSS-API error) to text */
>> maj_stat = gss_display_status(&min_stat, major_status,
>> GSS_C_GSS_CODE,
>> GSS_C_NULL_OID,
>> &msg_ctx, &status_string);
>> if (maj_stat == GSS_S_COMPLETE) {
>> if (sizeof(buf) > len + status_string.length + 1) {
>> sprintf(buf+len, "%s", (char*) status_string.value);
>> len += status_string.length;
>> }
>> gss_release_buffer(&min_stat, &status_string);
>> break;
>> }
>> gss_release_buffer(&min_stat, &status_string);
>> }
>> if (sizeof(buf) > len + 2) {
>> sprintf(buf+len, "%s", ". ");
>> len += 2;
>> }
>> msg_ctx = 0;
>> while (!msg_ctx) {
>> /* convert minor status code (underlying routine error) to text */
>> maj_stat = gss_display_status(&min_stat, minor_status,
>> GSS_C_MECH_CODE,
>> GSS_C_NULL_OID,
>> &msg_ctx, &status_string);
>> if (maj_stat == GSS_S_COMPLETE) {
>> if (sizeof(buf) > len + status_string.length ) {
>> sprintf(buf+len, "%s", (char*) status_string.value);
>> len += status_string.length;
>> }
>> gss_release_buffer(&min_stat, &status_string);
>> break;
>> }
>> gss_release_buffer(&min_stat, &status_string);
>> }
>> fprintf(stderr, "%s| %s: %s failed: %s\n", LogTime(), PROGRAM,
>> function,
>> buf);
>> return(1);
>> }
>> return(0);
>> }
>>
>> static void base64_init(void);
>>
>> static int base64_initialized = 0;
>> #define BASE64_VALUE_SZ 256
>> #define BASE64_RESULT_SZ 8192
>> int base64_value[BASE64_VALUE_SZ];
>> const char base64_code[] =
>> "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
>>
>> static void
>> base64_init(void)
>> {
>> int i;
>>
>> for (i = 0; i < BASE64_VALUE_SZ; i++)
>> base64_value[i] = -1;
>>
>> for (i = 0; i < 64; i++)
>> base64_value[(int) base64_code[i]] = i;
>> base64_value['='] = 0;
>>
>> base64_initialized = 1;
>> }
>>
>> char *
>> base64_decode(const char *p)
>> {
>> static char result[BASE64_RESULT_SZ];
>> int j;
>> int c;
>> long val;
>> if (!p)
>> return NULL;
>> if (!base64_initialized)
>> base64_init();
>> val = c = 0;
>> for (j = 0; *p && j + 4 < BASE64_RESULT_SZ; p++) {
>> unsigned int k = ((unsigned char) *p) % BASE64_VALUE_SZ;
>> if (base64_value[k] < 0)
>> continue;
>> val <<= 6;
>> val += base64_value[k];
>> if (++c < 4)
>> continue;
>> /* One quantum of four encoding characters/24 bit */
>> result[j++] = val >> 16; /* High 8 bits */
>> result[j++] = (val >> 8) & 0xff; /* Mid 8 bits */
>> result[j++] = val & 0xff; /* Low 8 bits */
>> val = c = 0;
>> }
>> result[j] = 0;
>> return result;
>> }
>>
>> /* adopted from
>> http://ftp.sunet.se/pub2/gnu/vm/base64-encode.c with
>> adjustments */
>> const char *
>> base64_encode(const char *decoded_str)
>> {
>> static char result[BASE64_RESULT_SZ];
>> int bits = 0;
>> int char_count = 0;
>> int out_cnt = 0;
>> int c;
>>
>> if (!decoded_str)
>> return decoded_str;
>>
>> if (!base64_initialized)
>> base64_init();
>>
>> while ((c = (unsigned char) *decoded_str++) && out_cnt <
>> sizeof(result) -
>> 5) {
>> bits += c;
>> char_count++;
>> if (char_count == 3) {
>> result[out_cnt++] = base64_code[bits >> 18];
>> result[out_cnt++] = base64_code[(bits >> 12) & 0x3f];
>> result[out_cnt++] = base64_code[(bits >> 6) & 0x3f];
>> result[out_cnt++] = base64_code[bits & 0x3f];
>> bits = 0;
>> char_count = 0;
>> } else {
>> bits <<= 8;
>> }
>> }
>> if (char_count != 0) {
>> bits <<= 16 - (8 * char_count);
>> result[out_cnt++] = base64_code[bits >> 18];
>> result[out_cnt++] = base64_code[(bits >> 12) & 0x3f];
>> if (char_count == 1) {
>> result[out_cnt++] = '=';
>> result[out_cnt++] = '=';
>> } else {
>> result[out_cnt++] = base64_code[(bits >> 6) & 0x3f];
>> result[out_cnt++] = '=';
>> }
>> }
>> result[out_cnt] = '\0'; /* terminate */
>> return result;
>> }
>>
>> /* adopted from
>> http://ftp.sunet.se/pub2/gnu/vm/base64-encode.c with
>> adjustments */
>> const char *
>> base64_encode_bin(const char *data, int len)
>> {
>> static char result[BASE64_RESULT_SZ];
>> int bits = 0;
>> int char_count = 0;
>> int out_cnt = 0;
>>
>> if (!data)
>> return data;
>>
>> if (!base64_initialized)
>> base64_init();
>>
>> while (len-- && out_cnt < sizeof(result) - 5) {
>> int c = (unsigned char) *data++;
>> bits += c;
>> char_count++;
>> if (char_count == 3) {
>> result[out_cnt++] = base64_code[bits >> 18];
>> result[out_cnt++] = base64_code[(bits >> 12) & 0x3f];
>> result[out_cnt++] = base64_code[(bits >> 6) & 0x3f];
>> result[out_cnt++] = base64_code[bits & 0x3f];
>> bits = 0;
>> char_count = 0;
>> } else {
>> bits <<= 8;
>> }
>> }
>> if (char_count != 0) {
>> bits <<= 16 - (8 * char_count);
>> result[out_cnt++] = base64_code[bits >> 18];
>> result[out_cnt++] = base64_code[(bits >> 12) & 0x3f];
>> if (char_count == 1) {
>> result[out_cnt++] = '=';
>> result[out_cnt++] = '=';
>> } else {
>> result[out_cnt++] = base64_code[(bits >> 6) & 0x3f];
>> result[out_cnt++] = '=';
>> }
>> }
>> result[out_cnt] = '\0'; /* terminate */
>> return result;
>> }
>> const char *squid_kerb_proxy_auth(char* principal_name, char *proxy) {
>> int rc=0;
>> OM_uint32 major_status, minor_status;
>> gss_ctx_id_t gss_context = GSS_C_NO_CONTEXT;
>> gss_name_t server_name = GSS_C_NO_NAME;
>> gss_buffer_desc service = GSS_C_EMPTY_BUFFER;
>> gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
>> gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
>> const char *token = NULL;
>>
>> setbuf(stdout,NULL);
>> setbuf(stdin,NULL);
>>
>> if (!proxy ) {
>> fprintf(stderr, "%s| %s: Error: No proxy server name\n", LogTime(),
>> PROGRAM);
>> return NULL;
>> }
>>
>> service.value = malloc(strlen("HTTP")+strlen(proxy)+2);
>> snprintf(service.value,strlen("HTTP")+strlen(proxy)+2,"%s@%s","HTTP",proxy);
>> service.length = strlen((char *)service.value);
>>
>> major_status = gss_import_name(&minor_status, &service,
>> gss_nt_service_name, &server_name);
>>
>> if
>> (check_gss_err(major_status,minor_status,"gss_import_name()")
>> )
>> goto cleanup;
>>
>> major_status = gss_init_sec_context(&minor_status,
>> GSS_C_NO_CREDENTIAL,
>> &gss_context,
>> server_name,
>> #ifdef HAVE_SPNEGO
>> gss_mech_spnego,
>> #else
>> 0,
>> #endif
>> 0,
>> 0,
>> GSS_C_NO_CHANNEL_BINDINGS,
>> &input_token,
>> NULL,
>> &output_token,
>> NULL,
>> NULL);
>>
>> if
>> (check_gss_err(major_status,minor_status,"gss_init_sec_context()")
>> )
>> goto cleanup;
>>
>> if (output_token.length) {
>>
>> token = (const char*)base64_encode_bin((const
>> char*)output_token.value,output_token.length);
>> }
>>
>>
>> cleanup:
>> gss_delete_sec_context(&minor_status, &gss_context, NULL);
>> gss_release_buffer(&minor_status, &service);
>> gss_release_buffer(&minor_status, &input_token);
>> gss_release_buffer(&minor_status, &output_token);
>> gss_release_name(&minor_status, &server_name);
>>
>> return token;
>> }
>>
>> int main(int argc, char *argv[]) {
>>
>> const char *Token;
>>
>> if (argc < 1) {
>> fprintf(stderr, "%s| %s: Error: No proxy server name given\n",
>> LogTime(), PROGRAM);
>> exit(99);
>> }
>> Token = (const char *)squid_kerb_proxy_auth(NULL,argv[1]);
>> fprintf(stdout,"Token: %s\n",Token?Token:"NULL");
>>
>> exit(0);
>> }
>>
>>
>>
>>
>>
>>
>>
>> "Markus Moeller" <huaraz_at_moeller.plus.com> wrote in message
>> news:g2c9kv$5vc$1_at_ger.gmane.org...
>>
>> > I can create a simple test tool to create blobs. I will post it later
>> > next
>> week.
>> >
>> > Markus
>> >
>> > "Henrik Nordstrom" <henrik_at_henriknordstrom.net> wrote in message
>> news:1212619464.15703.1.camel_at_henriknordstrom.net...
>> >
>> > > On ons, 2008-06-04 at 15:41 -0700, Alex Morken wrote:
>> > >
>> > >
>> > > > Thank you Henrik. I kind of figured it needed something else, but
>> > > > I
>> > > > wasn't sure what to put there. Where can I get or generate the
>> > > > Kerberos GSSAPI blob I need for the input? I have been digging
>> > > > around kerberos docs and haven't found what I needed.
>> > > >
>> > >
>> > > Not sure. It's a kerberos authentication handshake, and initially
>> > > depends on a challenge sent by the helper...
>> > >
>> > > Regards
>> > > Henrik
>> > >
>> > >
>> > >
>> >
>> >
>> >
>> >
>>
>>
>>
>
Received on Fri Jun 27 2008 - 19:08:11 MDT