[PATCH] SPNEGO version2

David Woodhouse dwmw2 at infradead.org
Thu Feb 19 07:01:49 PST 2015


On Thu, 2015-02-19 at 15:36 +0100, Nikos Mavrogiannopoulos wrote:
> On Thu, Feb 19, 2015 at 12:09 PM, David Woodhouse <dwmw2 at infradead.org> wrote:
> > On Thu, 2015-02-19 at 10:06 +0100, Nikos Mavrogiannopoulos wrote:
> >> Note that I've not generalized authentication outside spnego, mainly
> >> intentionally as I have no way to test it.
> > I really do want to see that generalised. It's not so hard to test it.
> > Just have a completely unrelated URL elsewhere which requires
> > authentication of whatever kind, and when you've authenticated you get
> > an HTTP redirect to the real ocserv URL.
> > Not only will that allow us to test other auth methods, it'll also allow
> > us to test the case of authenticating with GSSAPI to more than one
> > server -- which might happen in load-balancing scenarios.
> 
> The latter is orthogonal to the first one. For the latter we need to
> support alternative keytab. 

No, I don't think so. It's the same TGT, just different target servers.

Consider the case where I authenticate with HTTP to server
ocserv1.example.com only to receive an HTTP redirect to
ocserv2.example.com which *also* wants me to authenticate.

It's mostly just a case of resetting the authenticator state at the
right time, when we're redirected to a new host.

> For the first we need to add support for
> the headers of the other authentication methods. I could do the
> latter, but I'm really not inclined to spend time for the former. It
> is not easy to implement and test (for me at least) and I have no use
> case for it.

This shouldn't require duplicating effort. The problem is that you
haven't modelled your SPNEGO support around what we already have.

Take a look at the retry loop in process_http_proxy(). I would prefer
the HTTP authentication to look similar to that — where you currently
detect WWW-Authenticate: headers in process_http_response(), make that
look more like the proxy_hdrs() function. When do_https_request() sees a
401 response, make it jump back to the redirect: label to try again. And
add something akin to the if(auth) part of process_http_proxy(), which
will attempt to generate an Authorization: header, and fail the request
if all the auth options have been exhausted.

If you actually make *use* of the code which I'd already designed to be
fairly generic, rather than doing things differently, this should be
fairly easy.

-- 
dwmw2
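The retry loop sketched above, as an added example rather than OpenConnect's own code: the names process_http_proxy(), proxy_hdrs(), do_https_request() and the redirect: label are the ones the message refers to, but everything below is a constructed stand-in. fake_server(), request_with_retry(), struct auth_state, auth_build_header(), the hosts ocserv1/2/3.example.com, the Basic credentials and the Negotiate token are all hypothetical; a real client would take the Negotiate token from GSSAPI. The point it shows is the one made in the reply: a 401 re-enters the loop with a freshly built Authorization: header, a redirect to a different host resets the authenticator state (same TGT, different target), and the request fails once every offered scheme has been tried.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the HTTP layer: only the fields the loop needs. */
struct http_resp {
    int status;
    const char *location;   /* Location: on a 302 */
    const char *www_auth;   /* WWW-Authenticate: on a 401 */
};

/* Per-target authenticator state; reset whenever the host changes. */
struct auth_state {
    char host[64];
    int  challenged;                         /* have we seen a 401 yet? */
    int  offered_negotiate, offered_basic;   /* schemes in the last 401 */
    int  tried_negotiate,   tried_basic;     /* schemes already answered */
};

static void auth_reset(struct auth_state *st, const char *host)
{
    memset(st, 0, sizeof *st);
    snprintf(st->host, sizeof st->host, "%s", host);
}

/* Note which schemes the challenge offers (the proxy_hdrs() analogue). */
static void auth_parse_challenge(struct auth_state *st, const char *www_auth)
{
    st->challenged        = 1;
    st->offered_negotiate = www_auth && strstr(www_auth, "Negotiate") != NULL;
    st->offered_basic     = www_auth && strstr(www_auth, "Basic") != NULL;
}

/* Build Authorization: for the next attempt (the if(auth) analogue).
 * Empty header before any challenge; strongest untried offered scheme after;
 * -1 once every offered scheme has been exhausted. Tokens are placeholders. */
static int auth_build_header(struct auth_state *st, char *hdr, size_t len)
{
    if (!st->challenged) {
        hdr[0] = '\0';
        return 0;
    }
    if (st->offered_negotiate && !st->tried_negotiate) {
        st->tried_negotiate = 1;
        snprintf(hdr, len, "Negotiate %s", "placeholder-gssapi-token");
        return 0;
    }
    if (st->offered_basic && !st->tried_basic) {
        st->tried_basic = 1;
        snprintf(hdr, len, "Basic %s", "dXNlcjpwYXNz");   /* "user:pass" */
        return 0;
    }
    return -1;
}

/* Constructed fake servers: ocserv1 accepts Negotiate then redirects to
 * ocserv2, which accepts Basic only; ocserv3 offers a scheme we do not speak. */
static struct http_resp fake_server(const char *host, const char *authz)
{
    struct http_resp r = { 500, NULL, NULL };
    if (!strcmp(host, "ocserv1.example.com")) {
        if (!strncmp(authz, "Negotiate ", 10))
            r.status = 302, r.location = "ocserv2.example.com";
        else
            r.status = 401, r.www_auth = "Negotiate";
    } else if (!strcmp(host, "ocserv2.example.com")) {
        if (!strncmp(authz, "Basic ", 6))
            r.status = 200;
        else
            r.status = 401, r.www_auth = "Basic realm=\"vpn\"";
    } else if (!strcmp(host, "ocserv3.example.com")) {
        r.status = 401, r.www_auth = "Digest realm=\"vpn\"";
    }
    return r;
}

/* The retry loop. 0 on success (final host in final_host), -1 on failure;
 * *nreq counts HTTP requests issued. The cap guards against redirect loops. */
static int request_with_retry(const char *start, char *final_host,
                              size_t flen, int *nreq)
{
    struct auth_state st;
    char host[64], authz[256];
    int i;

    snprintf(host, sizeof host, "%s", start);
    auth_reset(&st, host);
    *nreq = 0;
    for (i = 0; i < 10; i++) {
        struct http_resp r;
        if (auth_build_header(&st, authz, sizeof authz) < 0)
            return -1;                      /* all auth options exhausted */
        r = fake_server(host, authz);
        (*nreq)++;
        switch (r.status) {
        case 200:
            snprintf(final_host, flen, "%s", host);
            return 0;
        case 302:
            if (strcmp(host, r.location)) {  /* new target: same TGT, fresh state */
                snprintf(host, sizeof host, "%s", r.location);
                auth_reset(&st, host);
            }
            continue;
        case 401:
            auth_parse_challenge(&st, r.www_auth);
            continue;
        default:
            return -1;
        }
    }
    return -1;
}

int main(void)
{
    char h[64]; int n, rc;
    rc = request_with_retry("ocserv1.example.com", h, sizeof h, &n);
    printf("ocserv1: rc=%d final=%s requests=%d\n", rc, rc ? "-" : h, n);
    rc = request_with_retry("ocserv3.example.com", h, sizeof h, &n);
    printf("ocserv3: rc=%d requests=%d\n", rc, n);
    return 0;
}
```

Against the fake servers the first call takes four requests (anonymous, Negotiate, anonymous to the redirect target, Basic) and ends on ocserv2; the second call stops after a single request because the only offered scheme is one the client cannot answer, which is the "fail the request if all the auth options have been exhausted" branch.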