"Fossies" - the Fresh Open Source Software Archive

Member "mod_spnego-0.2.0/readme.txt" (22 Dec 2007, 18317 Bytes) of package /linux/www/apache_httpd_modules/old/mod_spnego-0.2.0.tar.gz:


As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file.

    1 --------------------------------------------------------------------------------
    2 readme.txt is the mod_spnego read-me file.
    3 
    4 Author: Frank Balluffi and Markus Moeller
    5 
    6 Copyright (C) 2002-2007 Frank Balluffi and Markus Moeller. All rights reserved.
    7 --------------------------------------------------------------------------------
    8 
    9 mod_spnego Read Me
   10 
   11 Frank Balluffi and Markus Moeller
   12 August 19, 2005
   13 
   14 1 Introduction
   15 
   16 mod_spnego is a reference implementation Apache module that supports
   17 authentication via the RFC 2478 SPNEGO GSS-API mechanism. Currently, mod_spnego
   18 supports Apache 1.3 and 2.0 on Linux, Solaris and Windows.
   19 
   20 mod_spnego was originally written to handle RFC 2478 SPNEGO tokens sent by
   21 Microsoft Internet Explorer. Later, support for RFC 1964 Kerberos tokens (as
   22 sent by Mozilla Firefox on Linux) was added.
   23 
   24 mod_spnego uses the following libraries for older Kerberos libraries which do not support SPNEGO:
   25 
   26 - Apache
   27 - MIT GSS-API or HEIMDAL GSS-API or IBM AIX NAS or Sun Solaris SEAM
   28 - fbopenssl (only required if the Kerberos libraries don't support SPNEGO)
   29 
   30 fbopenssl contains extensions to OpenSSL, including APIs for GSS-API and SPNEGO.
   31 
   32 mod_spnego uses the following libraries for newer Kerberos libraries which do support SPNEGO:
   33 
   34 - Apache
   35 - MIT GSS-API or HEIMDAL GSS-API or IBM AIX NAS or Sun Solaris SEAM
   36 
   37 mod_spnego uses the following libraries on Windows platforms:
   38 
   39 - Apache
   40 - Windows SSPI 
   41 
   42 mod_spnego has been built and tested on Apache 1.3.29* and 2.0.46 on the
   43 following operating systems:
   44 
   45 - Microsoft Windows 2000 Server Service Pack 4 with Visual C++ .NET
   46 - Sun Solaris 2.8 (SunOS 5.8) with gcc 2.95
   47 - SuSE Linux 8.2 with gcc 3.3
   48 - IBM AIX with xlc
   49 
   50 mod_spnego has been tested with the following clients:
   51 
   52 Microsoft Internet Explorer on Windows XP Service Pack 1
   53 Mozilla Firefox 1.0 on Windows XP Service Pack 1
   54 Mozilla Firefox 1.0 on SuSE Linux 8
   55 
   56 mod_spnego still lacks the following:
   57 
   58 - group authorization files
   59 
   60 For more information about open issues, see the Open Issues section (below).
   61 
   62 * The authors were not able to install Apache 1.3.29 on Windows, so
   63   Apache 1.3.28 was used.
   64 
   65 2 Building and Installation
   66 
   67 2.1 Linux and UNIX
   68 
   69 Build and install Apache. For example, Apache 1.3:
   70 
   71 [Get apache_1.3.29.tar.gz.]
   72 gunzip apache_1.3.29.tar.gz
   73 tar xvf apache_1.3.29.tar
   74 cd apache_1.3.29
   75 ./configure --prefix=/test/ballfra/apache --enable-module=most --enable-shared=max
   76 make
   77 make install
   78 
   79 and for Apache 2.0:
   80 
   81 [Get httpd-2.0.46.tar.gz.]
   82 gzip -d httpd-2.0.46.tar.gz
   83 tar xvf httpd-2.0.46.tar
   84 cd httpd-2.0.46
   85 ./configure --prefix=/test/ballfra/apache2 --enable-so
   86 make
   87 make install
   88 
   89 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   90 ~~~~~ Only needed for older Kerberos implementation ~~~~~
   91 ~~~~~ Use -DHAVE_SPNEGO with axps or axps2 ~~~~~~~~~~~~~~
   92 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   93 
   94 Build OpenSSL. For example:
   95 
   96 [Get openssl-0.9.7b.tar.gz.]
   97 gunzip openssl-0.9.7b.tar.gz
   98 tar xvf openssl-0.9.7b.tar
   99 cd openssl-0.9.7b
  100 ./config shared
  101 make
  102 
  103 Define the environment variable OPENSSLDIR to point to OpenSSL. For example:
  104 
  105 echo $OPENSSLDIR
  106 /home/ballfra/external/openssl-0.9.7b
  107 
  108 If OpenSSL has been installed, change the following line in Makefile from:
  109 
  110 SSLLIB = -Wl,-R$(OPENSSLDIR) -L$(OPENSSLDIR) -lcrypto
  111 
  112 to:
  113 
  114 SSLLIB = -Wl,-R$(OPENSSLDIR)/lib -L$(OPENSSLDIR)/lib -lcrypto
  115 
  116 Build fbopenssl. For example:
  117 
  118 cd fbopenssl
  119 make CFG=release
  120 
  121 Define the environment variable FBOPENSSLDIR to point to fbopenssl. For example:
  122 
  123 echo $FBOPENSSLDIR
  124 home/ballfra/src/fbopenssl
  125 
  126 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  127 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  128 
  129 Build MIT GSS-API. For example:
  130 
  131 [Get krb5-1.2.8.tar.gz.]
  132 gunzip krb5-1.2.8.tar.gz
  133 tar xvf krb5-1.2.8.tar
  134 cd krb5-1.2.8/src
  135 ./configure --enable-shared --with-cc=gcc
  136 make
  137 
  138 To build version (MIT GSS-API) 1.3.1 with gcc, use "./configure --enable-shared CC=gcc".
  139 
  140 Define the environment variable KRB5DIR to point to MIT KRB5. For example:
  141 
  142 echo $KRB5DIR
  143 home/ballfra/external/krb5-1.2.8
  144 
  145 Build and install mod_spnego. For example, Apache 1.3:
  146 
  147 ~~~~~ Only needed for older Kerberos implementation ~~~~~
  148 MYCFLAGS="-I${KRB5DIR}/src/include -I${FBOPENSSLDIR}/include -I${OPENSSLDIR}/include"
  149 MYLDFLAGS="-L${KRB5DIR}/src/lib/gssapi/krb5 -lgssapi_krb5 -L${FBOPENSSLDIR}/SunOS-debug -lfbopenssl -L${OPENSSLDIR} -lcrypto"
  150 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  151 MYCFLAGS="-DHAVE_SPNEGO -I${KRB5DIR}/src/include"
  152 MYLDFLAGS="-L${KRB5DIR}/src/lib/gssapi/krb5 -lgssapi_krb5" 
  153 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  154 rm mod_spnego.o mod_spnego.so unix-env.o
  155 rm -fr .libs
  156 /test/ballfra/apache/bin/apxs -c -a -i -D APACHE13 -D HAVE_PUTENV $MYCFLAGS $MYLDFLAGS mod_spnego.c unix-env.c
  157 
  158 or for HEIMDAL
  159 
  160 ~~~~~ Only needed for older Kerberos implementation ~~~~~
  161 MYCFLAGS="-I${KRB5DIR}/src/include -I${FBOPENSSLDIR}/include -I${OPENSSLDIR}/include"
  162 MYLDFLAGS="-L${KRB5DIR}/src/lib/gssapi/krb5 -lgssapi -L${FBOPENSSLDIR}/SunOS-debug -lfbopenssl -L${OPENSSLDIR} -lcrypto"
  163 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  164 MYCFLAGS="-DHAVE_SPNEGO -I${KRB5DIR}/src/include"
  165 MYLDFLAGS="-L${KRB5DIR}/src/lib/gssapi/krb5 -lgssapi" 
  166 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  167 rm mod_spnego.o mod_spnego.so unix-env.o
  168 rm -fr .libs
  169 /test/ballfra/apache/bin/apxs -c -a -i -D HEIMDAL -D APACHE13 -D HAVE_PUTENV $MYCFLAGS $MYLDFLAGS mod_spnego.c unix-env.c
  170 
  171 and for Apache 2.0:
  172 
  173 ~~~~~ Only needed for older Kerberos implementation ~~~~~
  174 MYCFLAGS="-I${KRB5DIR}/src/include -I${FBOPENSSLDIR}/include -I${OPENSSLDIR}/include"
  175 MYLDFLAGS="-L${KRB5DIR}/src/lib/gssapi/krb5 -lgssapi_krb5 -L${FBOPENSSLDIR}/SunOS-debug -lfbopenssl -L${OPENSSLDIR} -lcrypto"
  176 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  177 MYCFLAGS="-DHAVE_SPNEGO -I${KRB5DIR}/src/include"
  178 MYLDFLAGS="-L${KRB5DIR}/src/lib/gssapi/krb5 -lgssapi_krb5" 
  179 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  180 rm mod_spnego.o
  181 rm -fr .libs
  182 /test/ballfra/apache2/bin/apxs2 -c -a -i $MYCFLAGS $MYLDFLAGS mod_spnego.c
  183 
  184 Modify environment variable LD_LIBRARY_PATH to include directories containing
  185 libcrypto.so and libgssapi_krb5.so.
  186 
  187 or for HEIMDAL
  188 
  189 ~~~~~ Only needed for older Kerberos implementation ~~~~~
  190 MYCFLAGS="-I${KRB5DIR}/src/include -I${FBOPENSSLDIR}/include -I${OPENSSLDIR}/include"
  191 MYLDFLAGS="-L${KRB5DIR}/src/lib/gssapi/krb5 -lgssapi -L${FBOPENSSLDIR}/SunOS-debug -lfbopenssl -L${OPENSSLDIR} -lcr
  192 ypto"
  193 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  194 MYCFLAGS="-DHAVE_SPNEGO -I${KRB5DIR}/src/include"
  195 MYLDFLAGS="-L${KRB5DIR}/src/lib/gssapi/krb5 -lgssapi" 
  196 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  197 rm mod_spnego.o
  198 rm -fr .libs
  199 /test/ballfra/apache2/bin/apxs2 -c -a -i -D HEIMDAL $MYCFLAGS $MYLDFLAGS mod_spnego.c
  200 
  201 or for IBM AIX NAS with IBM HTTP Server 6.0.2.0)
  202 
  203 
  204 ~~~~~ Only needed for older Kerberos implementation ~~~~~
  205 MYCFLAGS="-I/opt/freeware/include"
  206 MYLDFLAGS="-L/opt/freeware/lib -lgssapi_krb5 -lfbopenssl -lcrypto" 
  207 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  208 MYCFLAGS="-DHAVE_SPNEGO -I/opt/freeware/include"
  209 MYLDFLAGS="-L/opt/freeware/lib -lgssapi_krb5"
  210 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  211 rm mod_spnego.o
  212 rm -fr .libs
  213 /usr/IBMIHS/bin/apxs  -c -a -i -D HAVE_PUTENV $MYCFLAGS $MYLDFLAGS mod_spnego.c 
  214 
  215 with libfbopenssl.a in /opt/freeware/lib, fbopenssl headers in /opt/freeware/include, openssl from the AIX Linux Toolkits and xlc compiler.
  216 
  217 or for Sun Solaris SEAM 
  218 
  219 ~~~~~ Only needed for older Kerberos implementation ~~~~~
  220 MYCFLAGS="-I/usr/sfw/include -Wc,-g"
  221 MYLDFLAGS="-lgss -L/usr/sfw/lib -Wl,-R/usr/sfw/lib -lfbopenssl -lcrypto"
  222 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  223 MYCFLAGS="-DHAVE_SPNEGO -I/usr/sfw/include -Wc,-g"
  224 MYLDFLAGS="-lgss -L/usr/sfw/lib -Wl,-R/usr/sfw/lib"
  225 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  226 rm mod_spnego.la mod_spnego.lo mod_spnego.o mod_spnego.slo
  227 rm -fr .libs
  228 /usr/apache2/bin/apxs -c -a -i -DSEAM -D HAVE_PUTENV $MYCFLAGS $MYLDFLAGS mod_spnego.c
  229 
  230 with libfbopenssl.a in /usr/sfw/lib and fbopenssl headers in /usr/sfw/include 
  231 
  232 2.2 Windows
  233 
  234 Install Apache 1.3 or Apache 2.0.
  235 For Apache 1.3, define the environment variable APACHE13DIR to point to
  236 Apache 1.3. For example:
  237 
  238 echo %APACHE13DIR%
  239 C:\Program Files\Apache Group\Apache
  240 
  241 For Apache 2.0, define the environment variable APACHE2DIR to point to
  242 Apache 2.0. For example:
  243 
  244 echo %APACHE2DIR%
  245 C:\Program Files\Apache Group\Apache2
  246 
  247 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  248 ~~~~~ Only needed for older Kerberos implementation ~~~~~
  249 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  250 Build OpenSSL.
  251 Define the environment variable OPENSSLDIR to point to OpenSSL. For example:
  252 
  253 echo %OPENSSLDIR%
  254 C:\external\openssl-0.9.7b
  255 
  256 Build fbopenssl.
  257 Define the environment variable FBOPENSSLDIR to point to fbopenssl. For example:
  258 
  259 echo %FBOPENSSLDIR%
  260 C:\frank\src\fbopenssl
  261 
  262 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  263 ~~~~~ Only needed for newer Kerberis implementation and ~
  264 ~~~~~ if not Windows SSPI is used ~~~~~~~~~~~~~~~~~~~~~~~
  265 ~~~~~ Update mod_spnego.sln with HAVE_SPNEGO ~~~~~~~~~~~~
  266 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  267 
  268 Build MIT GSS-API.
  269 Define the environment variable KRB5DIR to point to MIT KRB5. For example:
  270 
  271 echo %KRB5DIR%
  272 C:\external\kfw-2.1.2
  273 
  274 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  275 ~~~~~ If Windows SSPI is used ~~~~~~~~~~~~~~~~~~~~~~~~~~~
  276 ~~~~~ Update mod_spnego.sln with HAVE_SSPI ~~~~~~~~~~~~~~
  277 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  278 
  279 Using Visual C++ .NET, build the following Win32 Debug and Win32 Release
  280 configurations:
  281 
  282 mod_spnego\mod_spnego.sln
  283 mod_spnego\mod_spnego_have_spnego.sln
  284 mod_spnego\mod_spnego_have_sspi.sln
  285 
  286 Install mod_spnego. Note that mod_spnego is named mod_spnego.so on Windows, not
  287 mod_spnego.dll.
  288 
  289 3 Configuration
  290 
  291 Obtain a keytab file for the service HTTP for your server (only if SSPI is not used).
  292 
  293 Copy the keytab file to the default location or define the environment
  294 variable KRB5_KTNAME to point to the keytab file. The default keytab files for
  295 UNIX and Windows are /etc/krb5.keytab and \winnt\krb5kt. When defining
  296 KRB5_KTNAME on Windows, use backslashes (not forward slashes) and do not specify
  297 a drive letter (e.g., C:).
  298 
  299 For each directory that you want to secure, specify the following directives
  300 inside an httpd.conf Directory directive:
  301 
  302 AllowOverride AuthConfig
  303 [Krb5KeyTabFile key-tab-file]
  304 Krb5ServiceName service-name
  305 
  306 where service-name is a list of Kerberos version 5 service name to be used by
  307 mod_spnego (e.g., HTTP http khttp) and key-tab-file points to a Kerberos version 5 keytab
  308 file. The lowercase http has been seen from Mac Browsers and khttp was in some Mozilla 
  309 versions used.
  310  You can also use GSS_C_NO_NAME to match any service name.
  311 
  312 For example:
  313 
  314 <Directory "/home/bob/apache2/htdocs">
  315     Options Indexes FollowSymLinks
  316     AllowOverride AuthConfig
  317     Order allow,deny
  318     Allow from all
  319 # not valid with SSPI
  320     Krb5KeyTabFile /home/alice/krb5kt
  321 #
  322     Krb5ServiceName HTTP
  323 </Directory>
  324 
  325 The Krb5KeyTabFile directive(not valid with SSPI) causes the environment variable KRB5_KTNAME to be
  326 set. Please note that the authors were not able to successfully place a keytab
  327 file in a place other than \winnt\krb5kt on Windows 2000.
  328 With SSPI add the service principal to the machine account on which Apache is running using setpsn.
  329 e.g. SETSPN -A HTTP/server.domain server
  330 
  331 
  332 Inside each (file system) directory, create a file named .htaccess file
  333 containing the following:
  334 
  335 AuthType SPNEGO
  336 Require {user user-list} | valid-user
  337 
  338 where user-list is a list of Kerberos principal names separated by spaces that
  339 are authorized to access the directory's files.
  340 
  341 For example:
  342 
  343 AuthType SPNEGO
  344 Require user alice@FOO.COM bob@FOO.COM david@FOO.COM
  345 
  346 or
  347 
  348 AuthType SPNEGO
  349 Require valid-user
  350 
  351 Please note that the authors have experienced inconsistent behavior when the
  352 AllowOverride directive is set to None and no .htaccess file is used (see Open
  353 Issues).
  354 
  355 By default, mod_spnego requires Kerberos authentication for each HTTP request.
  356 To configure mod_spnego on Apache 2.0 or higher to only require Kerberos
  357 authentication for the first request in each HTTP 1.1 Keep-Alive connection,
  358 specify the following httpd.conf server directive:
  359 
  360 Krb5AuthEachReq Off
  361 
  362 By default, Krb5AuthEachReq is set to On. Krb5AuthEachReq is not supported on
  363 Apache 1.3.
  364 
  365 To create a http/hostname@REALM.COM service principal you have to copy the 
  366 HTTP/hostname@REALM.COM entry in the keytab (As far as I know you cannot have a HTTP and 
  367 http service principal in AD for the same server)
  368 
  369 First do a list of the keytab file (I am assuming you use MIT Kerberos):
  370 
  371 # klist -k -e -K -t /etc/httpd/HTTP.keytab
  372 Keytab name: FILE:/etc/httpd/HTTP.keytab
  373 KVNO Timestamp Principal
  374 ---- ----------------- --------------------------------------------------------
  375 1 11/29/04 11:42:25 HTTP/moelma.test.com@TEST.COM (ArcFour with HMAC/md5) (0x0d41ede6808
  376 2fc5b8611dc5da75b5d4f)
  377 
  378 Then do a ktutil with the following commands:
  379 #ktutil
  380 ktutil: addent -key -p http/moelma.test.com@TEST.COM -k 1 -e rc4-hmac
  381 Key for http/moelma.test.com@TEST.COM (hex): 0d41ede68082fc5b8611dc5da75b5d4f
  382 ktutil: wkt /etc/httpd/HTTP.keytab
  383 ktutil: quit
  384 
  385 Use the same kvno and enc-type as the HTTP entry. This should create a second entry 
  386 (with the service name http) to the keytab with the same key as for the HTTP service.
  387 
  388 4 Architecture
  389 
  390  -------------------------
  391 | Apache                  |
  392 |-------------------------|
  393 | mod_spnego              |
  394 |-------------------------|
  395 | fbopenssl | MIT GSS-API |
  396 |-----------|-------------
  397 | OpenSSL   |
  398  -----------
  399 
  400 5 Debugging
  401 
  402 5.1 Windows
  403 
  404 The authors were not able to successfully attach a debugger on Windows by
  405 calling DebugBreak (or __asm {int 3}), but were able to debug mod_spnego within
  406 Visual Studio:
  407 
  408 Open module in Visual Studio.
  409 Build debug version of module.
  410 Configure project's Debugging property to run "Apache.exe -X". For example:
  411 
  412 Command:           C:\Program Files\Apache Group\Apache2\bin\Apache.exe
  413 Command Arguments: -X
  414 Working Directory: C:\Program Files\Apache Group\Apache2\bin
  415 
  416 Configure httpd.conf to point to debug version of module.
  417 From Visual Studio, set breakpoints and run debugger (F5).
  418 
  419 Please note that the command-line option -X is documented for httpd on Linux and
  420 UNIX, but not for Apache.exe on Windows. "apache.exe /?" does not list -X.
  421 
  422 6 References
  423 
  424 Baize, E. and Pinkas, D. RFC 2478: The Simple and Protected GSS-API Negotiation
  425 Mechanism. December 1998.
  426 
  427 Brezak, J. Internet Draft: HTTP Authentication: SPNEGO Access Authentication As
  428 implemented in Microsoft Windows 2000 (draft-brezak-spnego-http-04.txt). October
  429 2002.
  430 
  431 Surati, Sanj and Muckin, Michael. HTTP-Based Cross-Platform Authentication via
  432 the Negotiate Protocol Part I  Network Infrastructure
  433 (http://msdn.microsoft.com/library/en-us/dnsecure/html/http-sso-1.asp). December
  434 2002.
  435 
  436 Surati, Sanj and Muckin, Michael. HTTP-Based Cross-Platform Authentication via
  437 the Negotiate Protocol Part II  SPNEGO Tokens and the Negotiate Protocol
  438 (http://msdn.microsoft.com/library/en-us/dnsecure/html/http-sso-2.asp). December
  439 2002.
  440 
  441 Surati, Sanj and Muckin, Michael. HTTP-Based Cross-Platform Authentication via
  442 the Negotiate Protocol Part III  SPNEGO Token Handler API
  443 (http://msdn.microsoft.com/library/en-us/dnsecure/html/http-sso-3.asp). December
  444 2002.
  445 
  446 Tschalar, Ronald. NTLM Authentication Scheme for HTTP
  447 (http://www.innovation.ch/java/ntlm.html). June 17, 2003.
  448 
  449 7 Bug Fixes and Enhancements
  450 
  451 2003-11-14 mod_spnego.c:184 Fixed apr_pcalloc call to take length, not address
  452 of value.
  453 
  454 2004-01-19 Applied patch from Frank Taylor to handle SPNEGO tokens containing
  455 Microsoft legacy object identifier 1.2.840.48018.1.2.2.
  456 
  457 2005-01-24 Added support for server directive Krb5AuthEachReq on Apache 2.0.
  458 Implementation is based on code from Horst Reiterer of Fabalabs.
  459 
  460 2005-01-25 Added support for RFC 1964 Kerberos tokens as sent by Firefox on
  461 Linux.
  462 
  463 2005-04-14 Added detection and logging of NTLM tokens.
  464 
  465 2005-08-08 Changed Krb5ServiceName to be a list of service names.
  466            Added the possibility of using Virtual Hosts
  467 
  468 2005-08-19 Fix logging issues and empty require line
  469 
  470 2007-10-27 Changed license from GPL to Apache 2.0
  471 
  472 2007-10-27 Add option HAVE_SPNEGO as newer Keberos libraries support SPNEGO too
  473 
  474 8 Open Issues
  475 
  476 Modify makeSpnegoTargetToken and parseSpnegoInitialToken so that caller
  477 allocates memory with apr_pcalloc?
  478 
  479 Test log levels to control log output.
  480 
  481 Make success log messages user friendly. For example:
  482 
  483 mod_spnego: authentication hook handling request
  484 mod_spnego: authentication hook sending "WWW-Authenticate: Negotiate"
  485 mod_spnego: authentication hook returning 401
  486 mod_spnego: authentication hook handling request for user %s
  487 mod_spnego: authentication hook sending "WWW-Authenticate: Negotiate" and SPNEGO token
  488 mod_spnego: authentication hook returning %d
  489 mod_spnego: authorization hook handling request for user %s
  490 mod_spnego: authorization hook returning %d
  491 
  492 How expensive is calling gss_import_name and gss_acquire_cred per request? Is it
  493 necessary to call these functions per request?
  494 
  495 Add debug directives to write input and output SPNEGO tokens to files?
  496 
  497 gss_accept_sec_context seems to return 851968 if there is too much time skew
  498 between client and server. GSS-API? Is it possible to programmatically determine
  499 that gss_accept_sec_context failed because of time skew? Also, mod_spnego does
  500 not include KRB-ERROR message output by gss_accept_sec_context in SPNEGO
  501 response token.
  502 
  503 Test with no Require directive in .htaccess.
  504 
  505 Should the Krb5ServiceName directive be mandatory? SPNEGO_CONFIG's
  506 krb5ServiceName element could be initialized to "HTTP".
  507 
  508 The authors were not able to successfully place a keytab file in a place other
  509 than \winnt\krb5kt on Windows 2000.
  510 
  511 Windows project and solution files were built with Visual C++ .NET 2003.
  512 
  513 For Apache 1.3 on Solaris, make sure each Directory directive contains the
  514 following directive:
  515 
  516     AllowOverride AuthConfig
  517 
  518 On Apache 1.3 on Windows, apr_env_set (in win32-env.c) is forced to call
  519 SetEnvironmentVariableA.
  520 
  521 Test with "AllowOverride None" and the following directives in httpd.conf, not
  522 in .htaccess:
  523 
  524 AuthType SPNEGO
  525 Require ...