| field | value | date |
|---|---|---|
| author | Simo Sorce <simo@redhat.com> | 2016-11-30 09:06:33 -0500 |
| committer | Simo Sorce <simo@redhat.com> | 2017-01-13 15:50:06 -0500 |
| commit | 2d49ba029e5b0fdaa4bafc3d5bca0cb1169c9877 | |
| tree | 0eda5a7654de058300d3cbf642b60c3819c4e141 /proxy/src/gp_proxy.h | |
| parent | 56d2a3119c4713fbfabf98b0afc0882d64324166 | |
Use a local keytab for creds encryption
If available use a keytab for creds encryption.

Since now we can store encrypted credentials, on the client side, for later
reuse, it is better to be able to decrypt them even after a gssproxy daemon
restart (maintenance, crashes, etc.).

If a keytab is rotated this can cause a restarted gssproxy to fail to decrypt
stored credentials, but in that case those credentials are also probably
useless and need to be refreshed, so this is not a huge deal, and definitely
better than the status quo.
Signed-off-by: Simo Sorce <simo@redhat.com>
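The trade-off the commit message describes (a keytab-derived wrapping key survives a daemon restart, an in-memory key does not, and a keytab rotation must surface as "refresh these credentials" rather than as silently wrong plaintext) is easy to see in a small simulation. The block below is an added example, not gssproxy code and not the scheme gp_export.c implements: the keytab is a constructed dict keyed by (principal, kvno), the key derivation is an HMAC-based stand-in for a KDF, and the cipher is an HMAC-SHA256 encrypt-then-MAC stream construction chosen only because it needs nothing outside the Python standard library. The service name `nfs-server`, the principal and all key bytes are made up.

```python
"""Added example (not gssproxy code): a keytab-derived wrapping key versus an
ephemeral one across a daemon restart, and how a keytab rotation shows up.

Assumptions: KEYTAB_V1/KEYTAB_V2 are constructed stand-ins for a keytab, the
KDF is a single HMAC step, and the cipher is an HMAC-SHA256 stream + MAC."""
import hashlib
import hmac
import os
import struct

# Constructed keytab: (principal, kvno) -> raw key bytes. A real keytab would be
# read with libkrb5 (krb5_kt_*); nothing of that API is used here.
KEYTAB_V1 = {("host/proxy.example.com@EXAMPLE.COM", 1): bytes(range(32))}
# The same principal after rotation: the old kvno is gone, a new one is present.
KEYTAB_V2 = {("host/proxy.example.com@EXAMPLE.COM", 2): bytes(range(32, 64))}

HDR = struct.Struct(">I16s")  # kvno, nonce
TAG_LEN = 32


def newest_entry(keytab):
    """Pick the highest kvno: after a rotation that is the key still in the keytab."""
    (_principal, kvno), key = max(keytab.items(), key=lambda item: item[0][1])
    return kvno, key


def derive_wrap_key(svc_name, kvno, raw_key):
    """Bind the wrapping key to service name and kvno (HMAC-as-KDF, an assumption)."""
    return hmac.new(f"{svc_name}/kvno={kvno}".encode(), raw_key, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    blocks = [hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(wrap_key, kvno, plaintext):
    """Blob layout: kvno || nonce || ciphertext || HMAC(kvno || nonce || ciphertext).
    The kvno travels in the clear so a rotation is reported before any MAC check."""
    nonce = os.urandom(16)
    header = HDR.pack(kvno, nonce)
    ct = _xor(plaintext, _keystream(wrap_key, nonce, len(plaintext)))
    tag = hmac.new(wrap_key, header + ct, hashlib.sha256).digest()
    return header + ct + tag


def unseal(wrap_key, kvno, blob):
    if len(blob) < HDR.size + TAG_LEN:
        raise ValueError("blob too short")
    stored_kvno, nonce = HDR.unpack_from(blob)
    if stored_kvno != kvno:
        raise ValueError(f"creds wrapped under kvno {stored_kvno}, keytab now at {kvno}: refresh")
    header, ct, tag = blob[:HDR.size], blob[HDR.size:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(wrap_key, header + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag: wrapping key changed (ephemeral key lost on restart?)")
    return _xor(ct, _keystream(wrap_key, nonce, len(ct)))


class ProxyDaemon:
    """One daemon lifetime. Without a keytab the wrapping key is random and dies
    with the process, which is the status quo the commit message refers to."""

    def __init__(self, svc_name, keytab=None):
        if keytab is None:
            self.kvno, raw = 0, os.urandom(32)
        else:
            self.kvno, raw = newest_entry(keytab)
        self.wrap_key = derive_wrap_key(svc_name, self.kvno, raw)

    def store(self, creds):
        return seal(self.wrap_key, self.kvno, creds)

    def load(self, blob):
        return unseal(self.wrap_key, self.kvno, blob)


def survives_restart(keytab_before, keytab_after, creds=b"constructed credential cache"):
    """Store creds in one daemon instance, 'restart', load them in the next.
    Returns (ok, reason)."""
    blob = ProxyDaemon("nfs-server", keytab_before).store(creds)
    try:
        return ProxyDaemon("nfs-server", keytab_after).load(blob) == creds, "ok"
    except ValueError as err:
        return False, str(err)


if __name__ == "__main__":
    for label, before, after in [("ephemeral key", None, None),
                                 ("keytab, no rotation", KEYTAB_V1, KEYTAB_V1),
                                 ("keytab rotated", KEYTAB_V1, KEYTAB_V2)]:
        print(f"{label:22s} -> {survives_restart(before, after)}")
```

The kvno in the blob header is what turns the rotation case into a clean "refresh" signal instead of a MAC failure that looks identical to corruption; the ephemeral case still fails only at the MAC, because the new random key shares kvno 0 with the old one.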
Diffstat (limited to 'proxy/src/gp_proxy.h')
| -rw-r--r-- | proxy/src/gp_proxy.h | 11 |
1 file changed, 6 insertions, 5 deletions
diff --git a/proxy/src/gp_proxy.h b/proxy/src/gp_proxy.h index be71d38..c7f4bb2 100644 --- a/proxy/src/gp_proxy.h +++ b/proxy/src/gp_proxy.h @@ -17,14 +17,15 @@ #define GP_CRED_KRB5 0x01 +struct gp_creds_handle; + struct gp_cred_krb5 { char *principal; const char **cred_store; int cred_count; + struct gp_creds_handle *creds_handle; }; -struct gp_creds_handle; - struct gp_service { char *name; uid_t euid; @@ -41,8 +42,6 @@ struct gp_service { uint32_t mechs; struct gp_cred_krb5 krb5; - struct gp_creds_handle *creds_handle; - verto_ev *ev; }; @@ -127,7 +126,9 @@ struct gp_service *gp_creds_match_conn(struct gssproxy_ctx *gpctx, struct gp_conn *conn); /* from gp_export.c */ -uint32_t gp_init_creds_handle(uint32_t *min, struct gp_creds_handle **out); +uint32_t gp_init_creds_handle(uint32_t *min, const char *svc_name, + const char *keytab, + struct gp_creds_handle **out); void gp_free_creds_handle(struct gp_creds_handle **in); #endif /* _GP_PROXY_H_ */ |
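Review bot: in the first hunk (@@ -17,14 +17,15 @@) the new member `struct gp_creds_handle *creds_handle;` in `struct gp_cred_krb5` carries no comment on ownership or lifetime, even though the handle is now tied to one krb5 credential rather than to the service and is released through `gp_free_creds_handle()`; a one-line comment next to the field saying that it is owned by the enclosing struct and freed via `gp_free_creds_handle()` would spare the next reader a trip into gp_export.c. Moving the forward declaration `struct gp_creds_handle;` above `struct gp_cred_krb5` is required for the pointer member and is fine.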
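Review bot: in the second hunk (@@ -41,8 +42,6 @@) dropping `struct gp_creds_handle *creds_handle;` from `struct gp_service` turns every `svc->creds_handle` access into `svc->krb5.creds_handle`, and because this diffstat is limited to proxy/src/gp_proxy.h none of those call sites are visible here; the code that initialises and frees the handle should be checked in the same change, in particular that a service whose `mechs` does not include `GP_CRED_KRB5` never gets a handle created, now that the handle lives inside the krb5-specific sub-struct.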
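Review bot: in the third hunk (@@ -127,7 +126,9 @@) the new prototype `gp_init_creds_handle(uint32_t *min, const char *svc_name, const char *keytab, struct gp_creds_handle **out)` does not say whether `keytab` may be NULL, while the commit message says a keytab is used only "if available"; the declaration should state what happens without one (an in-memory key that does not survive a restart?) so callers know which behaviour they get, and a short note on what `svc_name` contributes to the derived key would make clear whether two services sharing one keytab end up with distinct wrapping keys.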
