authorSimo Sorce <simo@redhat.com>2016-11-30 09:06:33 -0500
committerSimo Sorce <simo@redhat.com>2017-01-13 15:50:06 -0500
commit2d49ba029e5b0fdaa4bafc3d5bca0cb1169c9877 (patch)
tree0eda5a7654de058300d3cbf642b60c3819c4e141 /proxy/src/gp_proxy.h
parent56d2a3119c4713fbfabf98b0afc0882d64324166 (diff)
Use a local keytab for creds encryption
If available, use a keytab for creds encryption. Since we can now store encrypted credentials on the client side for later reuse, it is better to be able to decrypt them even after a gssproxy daemon restart (maintenance, crashes, etc.). If a keytab is rotated, a restarted gssproxy will fail to decrypt stored credentials, but in that case those credentials are also probably useless and need to be refreshed, so this is not a huge deal, and it is definitely better than the status quo. Signed-off-by: Simo Sorce <simo@redhat.com>
Diffstat (limited to 'proxy/src/gp_proxy.h')
-rw-r--r--proxy/src/gp_proxy.h11
1 files changed, 6 insertions, 5 deletions
diff --git a/proxy/src/gp_proxy.h b/proxy/src/gp_proxy.h
index be71d38..c7f4bb2 100644
--- a/proxy/src/gp_proxy.h
+++ b/proxy/src/gp_proxy.h
@@ -17,14 +17,15 @@
#define GP_CRED_KRB5 0x01
+struct gp_creds_handle;
+
struct gp_cred_krb5 {
char *principal;
const char **cred_store;
int cred_count;
+ struct gp_creds_handle *creds_handle;
};
-struct gp_creds_handle;
-
struct gp_service {
char *name;
uid_t euid;
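Review bot: The `creds_handle` member added to `struct gp_cred_krb5` carries no comment, and since the handle now lives beside the krb5 config rather than on `struct gp_service`, a reader cannot tell from the header which side owns it or when it is populated. I would annotate the field on the new side: `struct gp_creds_handle *creds_handle; /* handle used to encrypt/decrypt exported creds; set up via gp_init_creds_handle() and released with gp_free_creds_handle() — confirm against the callers in gp_export.c */`. The setup and teardown paths are outside this header, so the lifetime note should be verified there rather than taken from the field's name.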
@@ -41,8 +42,6 @@ struct gp_service {
uint32_t mechs;
struct gp_cred_krb5 krb5;
- struct gp_creds_handle *creds_handle;
-
verto_ev *ev;
};
@@ -127,7 +126,9 @@ struct gp_service *gp_creds_match_conn(struct gssproxy_ctx *gpctx,
struct gp_conn *conn);
/* from gp_export.c */
-uint32_t gp_init_creds_handle(uint32_t *min, struct gp_creds_handle **out);
+uint32_t gp_init_creds_handle(uint32_t *min, const char *svc_name,
+ const char *keytab,
+ struct gp_creds_handle **out);
void gp_free_creds_handle(struct gp_creds_handle **in);
#endif /* _GP_PROXY_H_ */
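Review bot: The new `gp_init_creds_handle()` prototype does not say whether `keytab` may be NULL, even though the commit message describes the keytab as used only "if available", nor whether `svc_name`/`keytab` must outlive the call or are copied. Since this is the contract other translation units will code against, a comment on the declaration is warranted, roughly: `/* Create the handle used to encrypt exported creds for service svc_name. keytab: path to a keytab used to derive the encryption key, or NULL if none is configured (TODO confirm NULL is accepted). Both strings are presumably not retained past the call — verify in gp_export.c. */`. The caveat from the description, that creds encrypted under a rotated keytab will no longer decrypt after a restart, is worth restating here so callers treat a decrypt failure as "credentials need refreshing" rather than as a hard error. The implementation is in gp_export.c, outside this hunk, so the NULL handling and string retention should be checked there.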