I am going through a simular nightmare in our environment, we currently use NTLM auth and since we have over 6000 Internet users this isn't very efficent. I can't get kerberos to work. I used the ./squid_kerb_auth_test program to generate the blob, and it is over 5000 characters long. The squid_kerb_auth seems limited to 4096, am I going the have to alter squid_kerb_auth code or am I doing something wrong to get that big of a blob? On 6/7/08, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote: > Find below a small test program to create a token. Run a kinit as a user > and then ./squid_kerb_auth_test proxy_fqdn. It creates a token like: > > ./squid_kerb_auth_test opensuse.suse.home > Token: > YIIB/gYJKoZIhvcSAQICAQBuggHtMIIB6aADAgEFoQMCAQ6iBwMFAAAAAACjggEWYYIBEjCCAQ6gAwIBBaELGwlTVVNFLkhPTUWiJTAjoAMCAQOhHDAaGwRIVFRQGxJvcGVuc3VzZS5zdXNlLmhvbWWjgdIwgc+gAwIBF6EDAgEDooHCBIG/3ZmN10yosQbc3IkfBaq/pW6LiWMyDFmxec6M13jhnBU36eKJL1cIsqp3EArME/dVR3Y0FC7QSguW4mNJrtr44vGQD8NdYGHqUxFWH7uIkLE9YnAQnuimj/pefsI7s4EKCo+cqlecVIx2aXtVuubicH1e+CSB+QlH7ZIWpAoCfaLFkxLl6OoZ42ixxou0e+aBCyZQ+1n3PH1Xts7MuFz+6OTQh+IhBWbQbLY54oKnCivjptbsLZH5D0uKS31i01ukgbkwgbagAwIBF6KBrgSBq9OLL0umYzCethf/CUEcQ6+7xobZYVsyIJtsV9IwAFAscVVO4hbMW3jKbM8BYLts72QCShJPTgBlAaoWwCy/YpZezNwPnYDm2lYDjfPZ2/r23326SmXKtPbNT1VFc+yPwAMrYPCxJr92Cxg2OI4z1qQWcCdRR6c5tidX3SSH4rX+YJHEAVKD/mMsFXmO18iT08B/pG4HQ8BcGs3UvQh4hXwOrnSBeR4xonljtQ== > > Then set the keytab with export > KRB5_KTNAME=FILE:/etc/squid/squid.keytab and run > ./squid_kerb_auth -d -i -s HTTP/proxy_fqdn and enter the token starting with > YR as follows (in one line) > > ./squid_kerb_auth -d -i -s > HTTP/opensuse.suse.home@xxxxxxxxx > YR > YIIB/gYJKoZIhvcSAQICAQBuggHtMIIB6aADAgEFoQMCAQ6iBwMFAAAAAACjggEWYYIBEjCCAQ6gAwIBBaELGwlTVVNFLkhPTUWiJTAjoAMCAQOhHDAaGwRIVFRQGxJvcGVuc3VzZS5zdXNlLmhvbWWjgdIwgc+gAwIBF6EDAgEDooHCBIG/3ZmN10yosQbc3IkfBaq/pW6LiWMyDFmxec6M13jhnBU36eKJL1cIsqp3EArME/dVR3Y0FC7QSguW4mNJrtr44vGQD8NdYGHqUxFWH7uIkLE9YnAQnuimj/pefsI7s4EKCo+cqlecVIx2aXtVuubicH1e+CSB+QlH7ZIWpAoCfaLFkxLl6OoZ42ixxou0e+aBCyZQ+1n3PH1Xts7MuFz+6OTQh+IhBWbQbLY54oKnCivjptbsLZH5D0uKS31i01ukgbkwgbagAwIBF6KBrgSBq7SAvkLhcONUUF5s01suOu2vdgwD2vxbYsT0DLgOYbH2w+dF9doOVk1D6rRTvjQmVN/SnS/SLXAwUIW776vYIhlzTGBQLioCypYRjmpGgq73A7//wC1b7/NXV5Ml6czAegeVHT0S01Y43kGtPihW1sO7fmKmn8Rak8qjKq6QNdQLnjK3wAnzf9KOnG6Hf0QlW/hQPSCelPN4EI7qyrDjMjVUKkiiLPnG1xxKtA== > 2008/06/07 22:52:11| squid_kerb_auth: Got 'YR > YIIB/gYJKoZIhvcSAQICAQBuggHtMIIB6aADAgEFoQMCAQ6iBwMFAAAAAACjggEWYYIBEjCCAQ6gAwIBBaELGwlTVVNFLkhPTUWiJTAjoAMCAQOhHDAaGwRIVFRQGxJvcGVuc3VzZS5zdXNlLmhvbWWjgdIwgc+gAwIBF6EDAgEDooHCBIG/3ZmN10yosQbc3IkfBaq/pW6LiWMyDFmxec6M13jhnBU36eKJL1cIsqp3EArME/dVR3Y0FC7QSguW4mNJrtr44vGQD8NdYGHqUxFWH7uIkLE9YnAQnuimj/pefsI7s4EKCo+cqlecVIx2aXtVuubicH1e+CSB+QlH7ZIWpAoCfaLFkxLl6OoZ42ixxou0e+aBCyZQ+1n3PH1Xts7MuFz+6OTQh+IhBWbQbLY54oKnCivjptbsLZH5D0uKS31i01ukgbkwgbagAwIBF6KBrgSBq7SAvkLhcONUUF5s01suOu2vdgwD2vxbYsT0DLgOYbH2w+dF9doOVk1D6rRTvjQmVN/SnS/SLXAwUIW776vYIhlzTGBQLioCypYRjmpGgq73A7//wC1b7/NXV5Ml6czAegeVHT0S01Y43kGtPihW1sO7fmKmn8Rak8qjKq6QNdQLnjK3wAnzf9KOnG6Hf0QlW/hQPSCelPN4EI7qyrDjMjVUKkiiLPnG1xxKtA==' > from squid (length: 691). > 2008/06/07 22:52:12| squid_kerb_auth: parseNegTokenInit failed with rc=109 > 2008/06/07 22:52:12| squid_kerb_auth: Token is possibly a GSSAPI token > AF AA== markus@xxxxxxxxx > 2008/06/07 22:52:12| squid_kerb_auth: AF AA== markus@xxxxxxxxx > 2008/06/07 22:52:12| squid_kerb_auth: User markus@xxxxxxxxx authenticated > > > Regards > Markus > > Compile gcc -o squid_kerb_auth_test squid_kerb_auth_test.c -lgssapi_krb5 > -lkrb5 > > /* > * > ----------------------------------------------------------------------------- > * > * Author: Markus Moeller (markus_moeller at compuserve.com) > * > * Copyright (C) 2007 Markus Moeller. All rights reserved. > * > * This program is free software; you can redistribute it and/or modify > * it under the terms of the GNU General Public License as published by > * the Free Software Foundation; either version 2 of the License, or > * (at your option) any later version. > * > * This program is distributed in the hope that it will be useful, > * but WITHOUT ANY WARRANTY; without even the implied warranty of > * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > * GNU General Public License for more details. > * > * You should have received a copy of the GNU General Public License > * along with this program; if not, write to the Free Software > * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, > USA. > * > * > ----------------------------------------------------------------------------- > */ > /* > * Hosted at http://sourceforge.net/projects/squidkerbauth > */ > > #ifndef HEIMDAL > #include <profile.h> > #endif > #include <krb5.h> > > #include <unistd.h> > #include <stdlib.h> > #include <stdio.h> > #include <string.h> > #include <errno.h> > #include <time.h> > #include <sys/time.h> > > #ifdef HEIMDAL > #include <gssapi.h> > #define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE > #else > #include <gssapi/gssapi.h> > #ifndef SOLARIS_11 > #include <gssapi/gssapi_generic.h> > #else > #define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE > #endif > #endif > > static const char *LogTime(void); > > int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status, const > char* function); > > #define PROGRAM "squid_kerb_auth_test" > > static const char *LogTime() > { > struct tm *tm; > struct timeval now; > static time_t last_t = 0; > static char buf[128]; > > gettimeofday(&now, NULL); > if (now.tv_sec != last_t) { > tm = localtime(&now.tv_sec); > strftime(buf, 127, "%Y/%m/%d %H:%M:%S", tm); > last_t = now.tv_sec; > } > return buf; > } > > #ifdef HAVE_SPNEGO > #ifndef gss_mech_spnego > static gss_OID_desc _gss_mech_spnego = {6, (void > *)"\x2b\x06\x01\x05\x05\x02"}; > gss_OID gss_mech_spnego = &_gss_mech_spnego; > #endif > #endif > > int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status, const > char* function){ > if (GSS_ERROR(major_status)) { > OM_uint32 maj_stat,min_stat; > OM_uint32 msg_ctx = 0; > gss_buffer_desc status_string; > char buf[1024]; > size_t len; > > len = 0; > msg_ctx = 0; > while (!msg_ctx) { > /* convert major status code (GSS-API error) to text */ > maj_stat = gss_display_status(&min_stat, major_status, > GSS_C_GSS_CODE, > GSS_C_NULL_OID, > &msg_ctx, &status_string); > if (maj_stat == GSS_S_COMPLETE) { > if (sizeof(buf) > len + status_string.length + 1) { > sprintf(buf+len, "%s", (char*) status_string.value); > len += status_string.length; > } > gss_release_buffer(&min_stat, &status_string); > break; > } > gss_release_buffer(&min_stat, &status_string); > } > if (sizeof(buf) > len + 2) { > sprintf(buf+len, "%s", ". "); > len += 2; > } > msg_ctx = 0; > while (!msg_ctx) { > /* convert minor status code (underlying routine error) to text */ > maj_stat = gss_display_status(&min_stat, minor_status, > GSS_C_MECH_CODE, > GSS_C_NULL_OID, > &msg_ctx, &status_string); > if (maj_stat == GSS_S_COMPLETE) { > if (sizeof(buf) > len + status_string.length ) { > sprintf(buf+len, "%s", (char*) status_string.value); > len += status_string.length; > } > gss_release_buffer(&min_stat, &status_string); > break; > } > gss_release_buffer(&min_stat, &status_string); > } > fprintf(stderr, "%s| %s: %s failed: %s\n", LogTime(), PROGRAM, function, > buf); > return(1); > } > return(0); > } > > static void base64_init(void); > > static int base64_initialized = 0; > #define BASE64_VALUE_SZ 256 > #define BASE64_RESULT_SZ 8192 > int base64_value[BASE64_VALUE_SZ]; > const char base64_code[] = > "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; > > static void > base64_init(void) > { > int i; > > for (i = 0; i < BASE64_VALUE_SZ; i++) > base64_value[i] = -1; > > for (i = 0; i < 64; i++) > base64_value[(int) base64_code[i]] = i; > base64_value['='] = 0; > > base64_initialized = 1; > } > > char * > base64_decode(const char *p) > { > static char result[BASE64_RESULT_SZ]; > int j; > int c; > long val; > if (!p) > return NULL; > if (!base64_initialized) > base64_init(); > val = c = 0; > for (j = 0; *p && j + 4 < BASE64_RESULT_SZ; p++) { > unsigned int k = ((unsigned char) *p) % BASE64_VALUE_SZ; > if (base64_value[k] < 0) > continue; > val <<= 6; > val += base64_value[k]; > if (++c < 4) > continue; > /* One quantum of four encoding characters/24 bit */ > result[j++] = val >> 16; /* High 8 bits */ > result[j++] = (val >> 8) & 0xff; /* Mid 8 bits */ > result[j++] = val & 0xff; /* Low 8 bits */ > val = c = 0; > } > result[j] = 0; > return result; > } > > /* adopted from > http://ftp.sunet.se/pub2/gnu/vm/base64-encode.c with > adjustments */ > const char * > base64_encode(const char *decoded_str) > { > static char result[BASE64_RESULT_SZ]; > int bits = 0; > int char_count = 0; > int out_cnt = 0; > int c; > > if (!decoded_str) > return decoded_str; > > if (!base64_initialized) > base64_init(); > > while ((c = (unsigned char) *decoded_str++) && out_cnt < sizeof(result) - > 5) { > bits += c; > char_count++; > if (char_count == 3) { > result[out_cnt++] = base64_code[bits >> 18]; > result[out_cnt++] = base64_code[(bits >> 12) & 0x3f]; > result[out_cnt++] = base64_code[(bits >> 6) & 0x3f]; > result[out_cnt++] = base64_code[bits & 0x3f]; > bits = 0; > char_count = 0; > } else { > bits <<= 8; > } > } > if (char_count != 0) { > bits <<= 16 - (8 * char_count); > result[out_cnt++] = base64_code[bits >> 18]; > result[out_cnt++] = base64_code[(bits >> 12) & 0x3f]; > if (char_count == 1) { > result[out_cnt++] = '='; > result[out_cnt++] = '='; > } else { > result[out_cnt++] = base64_code[(bits >> 6) & 0x3f]; > result[out_cnt++] = '='; > } > } > result[out_cnt] = '\0'; /* terminate */ > return result; > } > > /* adopted from > http://ftp.sunet.se/pub2/gnu/vm/base64-encode.c with > adjustments */ > const char * > base64_encode_bin(const char *data, int len) > { > static char result[BASE64_RESULT_SZ]; > int bits = 0; > int char_count = 0; > int out_cnt = 0; > > if (!data) > return data; > > if (!base64_initialized) > base64_init(); > > while (len-- && out_cnt < sizeof(result) - 5) { > int c = (unsigned char) *data++; > bits += c; > char_count++; > if (char_count == 3) { > result[out_cnt++] = base64_code[bits >> 18]; > result[out_cnt++] = base64_code[(bits >> 12) & 0x3f]; > result[out_cnt++] = base64_code[(bits >> 6) & 0x3f]; > result[out_cnt++] = base64_code[bits & 0x3f]; > bits = 0; > char_count = 0; > } else { > bits <<= 8; > } > } > if (char_count != 0) { > bits <<= 16 - (8 * char_count); > result[out_cnt++] = base64_code[bits >> 18]; > result[out_cnt++] = base64_code[(bits >> 12) & 0x3f]; > if (char_count == 1) { > result[out_cnt++] = '='; > result[out_cnt++] = '='; > } else { > result[out_cnt++] = base64_code[(bits >> 6) & 0x3f]; > result[out_cnt++] = '='; > } > } > result[out_cnt] = '\0'; /* terminate */ > return result; > } > const char *squid_kerb_proxy_auth(char* principal_name, char *proxy) { > int rc=0; > OM_uint32 major_status, minor_status; > gss_ctx_id_t gss_context = GSS_C_NO_CONTEXT; > gss_name_t server_name = GSS_C_NO_NAME; > gss_buffer_desc service = GSS_C_EMPTY_BUFFER; > gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER; > gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER; > const char *token = NULL; > > setbuf(stdout,NULL); > setbuf(stdin,NULL); > > if (!proxy ) { > fprintf(stderr, "%s| %s: Error: No proxy server name\n", LogTime(), > PROGRAM); > return NULL; > } > > service.value = malloc(strlen("HTTP")+strlen(proxy)+2); > snprintf(service.value,strlen("HTTP")+strlen(proxy)+2,"%s@%s","HTTP",proxy); > service.length = strlen((char *)service.value); > > major_status = gss_import_name(&minor_status, &service, > gss_nt_service_name, &server_name); > > if > (check_gss_err(major_status,minor_status,"gss_import_name()") > ) > goto cleanup; > > major_status = gss_init_sec_context(&minor_status, > GSS_C_NO_CREDENTIAL, > &gss_context, > server_name, > #ifdef HAVE_SPNEGO > gss_mech_spnego, > #else > 0, > #endif > 0, > 0, > GSS_C_NO_CHANNEL_BINDINGS, > &input_token, > NULL, > &output_token, > NULL, > NULL); > > if > (check_gss_err(major_status,minor_status,"gss_init_sec_context()") > ) > goto cleanup; > > if (output_token.length) { > > token = (const char*)base64_encode_bin((const > char*)output_token.value,output_token.length); > } > > > cleanup: > gss_delete_sec_context(&minor_status, &gss_context, NULL); > gss_release_buffer(&minor_status, &service); > gss_release_buffer(&minor_status, &input_token); > gss_release_buffer(&minor_status, &output_token); > gss_release_name(&minor_status, &server_name); > > return token; > } > > int main(int argc, char *argv[]) { > > const char *Token; > > if (argc < 1) { > fprintf(stderr, "%s| %s: Error: No proxy server name given\n", > LogTime(), PROGRAM); > exit(99); > } > Token = (const char *)squid_kerb_proxy_auth(NULL,argv[1]); > fprintf(stdout,"Token: %s\n",Token?Token:"NULL"); > > exit(0); > } > > > > > > > > "Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> wrote in message > news:g2c9kv$5vc$1@xxxxxxxxxxxxxxxx > > > I can create a simple test tool to create blobs. I will post it later next > week. > > > > Markus > > > > "Henrik Nordstrom" <henrik@xxxxxxxxxxxxxxxxxxx> wrote in message > news:1212619464.15703.1.camel@xxxxxxxxxxxxxxxxxxxxxx > > > > > On ons, 2008-06-04 at 15:41 -0700, Alex Morken wrote: > > > > > > > > > > Thank you Henrik. I kind of figured it needed something else, but I > > > > wasn't sure what to put there. Where can I get or generate the > > > > Kerberos GSSAPI blob I need for the input? I have been digging > > > > around kerberos docs and haven't found what I needed. > > > > > > > > > > Not sure. It's a kerberos authentication handshake, and initially > > > depends on a challenge sent by the helper... > > > > > > Regards > > > Henrik > > > > > > > > > > > > > > > > > > > >
