[dev.icinga.com #10506] HTTP basic auth request is sent when using Kerberos authentication with Apache2 and mod_php #2116

Closed
icinga-migration opened this issue Oct 31, 2015 · 3 comments
Labels: area/authentication (Affects user authentication or authorization), bug (Something isn't working)
Milestone: 2.2.0
Comments

@icinga-migration

This issue has been migrated from Redmine: https://dev.icinga.com/issues/10506

Created by julianbrost on 2015-10-31 17:06:31 +00:00

Assignee: aklimov
Status: Resolved (closed on 2016-02-15 09:40:03 +00:00)
Target Version: 2.2.0
Last Update: 2016-02-15 09:40:03 +00:00 (in Redmine)


The authHttp() method in library/Icinga/Authentication/Auth.php causes Icinga Web 2 to send HTTP basic auth requests when the user was already successfully authenticated by the webserver via Kerberos, as can be seen in the following curl output:

$ curl -v --negotiate -u : http://[monitoringhost]/icingaweb2/
*   Trying [address]...
* Connected to [monitoringhost] ([address]) port 80 (#0)
> GET /icingaweb2/ HTTP/1.1
> Host: [monitoringhost]
> User-Agent: curl/7.45.0
> Accept: */*
> 
< HTTP/1.1 401 Unauthorized
< Date: Wed, 28 Oct 2015 07:42:35 GMT
< Server: Apache/2.4.10 (Debian)
< WWW-Authenticate: Negotiate
< Content-Length: 482
< Content-Type: text/html; charset=iso-8859-1
< 
* Ignoring the response-body
* Connection #0 to host [monitoringhost] left intact
* Issue another request to this URL: 'http://[monitoringhost]/icingaweb2/'
* Found bundle for host [monitoringhost]: 0xaf86b0
* Re-using existing connection! (#0) with host [monitoringhost]
* Connected to [monitoringhost] ([address]) port 80 (#0)
* Server auth using Negotiate with user ''
> GET /icingaweb2/ HTTP/1.1
> Host: [monitoringhost]
> Authorization: Negotiate [...base64...]
> User-Agent: curl/7.45.0
> Accept: */*
> 
< HTTP/1.1 401 Unauthorized
< Date: Wed, 28 Oct 2015 07:42:35 GMT
< Server: Apache/2.4.10 (Debian)
< WWW-Authenticate: Negotiate [...base64...]
< WWW-Authenticate: Negotiate [...base64...]
< Www-Authenticate: Basic realm="Icinga Web 2"
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
< 
* Connection #0 to host [monitoringhost] left intact

Notice this header which is sent by authHttp() calling challengeHttp():

< Www-Authenticate: Basic realm="Icinga Web 2"

This makes Icinga Web 2 completely unusable as I don't know any browser that handles this properly (Firefox will just send requests in an endless loop), and even if one did, there are no valid login credentials for this request. Icinga Web 2 was not yet configured at that point.

Configuration for Apache (it's basically the configuration from the debmon.org icingaweb2 package with some additional lines for Kerberos):

KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbDelegateBasic Off
Krb5Keytab /etc/apache2/krb5.keytab

Alias /icingaweb2 "/usr/share/icingaweb2/public"

# Note: the <Directory> and <IfModule> container directives were lost in extraction;
# they are restored here from the stock icingaweb2 package configuration.
<Directory "/usr/share/icingaweb2/public">
    Options SymLinksIfOwnerMatch
    AllowOverride None

    AuthType Kerberos
    AuthName "Kerberos"
    Require unix-group staff

    SetEnv ICINGAWEB_CONFIGDIR "/etc/icingaweb2"

    EnableSendfile Off

    <IfModule mod_rewrite.c>
        RewriteEngine on
        RewriteBase /icingaweb2/
        RewriteCond %{REQUEST_FILENAME} -s [OR]
        RewriteCond %{REQUEST_FILENAME} -l [OR]
        RewriteCond %{REQUEST_FILENAME} -d
        RewriteRule ^.*$ - [NC,L]
        RewriteRule ^.*$ index.php [NC,L]
    </IfModule>

    <IfModule !mod_rewrite.c>
        DirectoryIndex error_norewrite.html
        ErrorDocument 404 /error_norewrite.html
    </IfModule>
</Directory>

Replacing the code of authHttp() with just return false; is a quick workaround and makes Icinga Web 2 usable in my setup. But I don't know what a proper patch would look like as I don't understand why this method is invoked at all. Icinga Web 2 shouldn't care about HTTP basic authentication at all unless configured explicitly to do so.

Unfortunately reproducing this isn't simple, as it needs a working Kerberos realm, but it should be possible to solve this issue only with the curl output above. I can also test patches if needed.

Changesets

2016-02-15 09:39:18 +00:00 by aklimov 4c97fb7

Don't request basic auth if auth scheme isn't basic

fixes #10506
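The decision behind the changeset message above ("Don't request basic auth if auth scheme isn't basic") written out as an added example; this is not Icinga Web 2's own code, and the function names, the use of REMOTE_USER as the "webserver already authenticated" signal, and the sample environments are assumptions.

```php
<?php
// Added example, not Icinga Web 2 code: decide whether an application may
// answer with its own "WWW-Authenticate: Basic" challenge. Function names and
// the sample environments below are hypothetical/constructed.

/**
 * Scheme of the credentials the client sent, lower-cased ("basic",
 * "negotiate", ...), or null when the request carried none.
 */
function requestAuthScheme(array $server): ?string
{
    // Depending on the SAPI the raw header arrives as HTTP_AUTHORIZATION (or
    // REDIRECT_HTTP_AUTHORIZATION after a rewrite); for Basic, PHP additionally
    // decodes it into PHP_AUTH_USER / PHP_AUTH_PW.
    $header = $server['HTTP_AUTHORIZATION']
        ?? $server['REDIRECT_HTTP_AUTHORIZATION']
        ?? null;
    if ($header !== null && preg_match('/^\s*([A-Za-z0-9._-]+)(?:\s|$)/', $header, $m)) {
        return strtolower($m[1]);
    }
    return isset($server['PHP_AUTH_USER']) ? 'basic' : null;
}

/**
 * True only when the client sent no credentials or Basic credentials. A
 * request the webserver already authenticated with another scheme (Kerberos:
 * REMOTE_USER is set and Authorization is "Negotiate ...") must not receive a
 * second, conflicting challenge; that double challenge is what drove browsers
 * into the retry loop described in this issue.
 */
function mayChallengeBasic(array $server): bool
{
    if (!empty($server['REMOTE_USER'])) {
        return false; // webserver-level authentication already succeeded
    }
    $scheme = requestAuthScheme($server);
    return $scheme === null || $scheme === 'basic';
}

// Constructed sample environments standing in for $_SERVER.
$samples = [
    'kerberos'  => ['REMOTE_USER' => 'alice@EXAMPLE.COM',
                    'HTTP_AUTHORIZATION' => 'Negotiate YIIBxQYGKwYBBQUC...'],
    'anonymous' => [],
    'basic'     => ['PHP_AUTH_USER' => 'bob', 'PHP_AUTH_PW' => 'constructed'],
];
foreach ($samples as $name => $env) {
    printf("%-9s challenge Basic? %s\n", $name, mayChallengeBasic($env) ? 'yes' : 'no');
}
```

Only the "anonymous" and "basic" environments get a Basic challenge; the Kerberos-authenticated request is left alone, matching the behaviour the fix introduces.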
@icinga-migration

Updated by julianbrost on 2015-11-03 13:26:20 +00:00

Just checked again after configuring Web 2: Now it works without any modifications to the source code, authHttp() doesn't even seem to be called. Thus it looks like this problem only exists when Web 2 is unconfigured.

@icinga-migration

Updated by aklimov on 2016-02-15 09:37:44 +00:00

  • Status changed from New to Assigned
  • Assigned to set to aklimov
  • Target Version set to 2.2.0

@icinga-migration

Updated by aklimov on 2016-02-15 09:40:03 +00:00

  • Status changed from Assigned to Resolved
  • Done % changed from 0 to 100

Applied in changeset 4c97fb7.

@icinga-migration icinga-migration added bug Something isn't working area/authentication Affects user authentication or authorization labels Jan 17, 2017
@icinga-migration icinga-migration added this to the 2.2.0 milestone Jan 17, 2017