| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
| |
By setting closewait to 0 after waitpid we would loop forever, not the max 10
times we intended to.
Signed-off-by: Simo Sorce <simo@redhat.com>
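The failure mode this commit describes, as an added illustration (this is not gssproxy's own code): a child-reaping loop whose retry counter is only ever incremented, so it gives up after a fixed number of WNOHANG polls instead of spinning forever. The helper name `reap_child_bounded`, the poll interval and the return convention are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Hypothetical helper (not gssproxy's code): poll for `pid` with
 * waitpid(WNOHANG) at most `max_tries` times, sleeping `step_ms`
 * between polls.
 * Returns 1 if the child was reaped, 0 if it is still running after
 * max_tries polls, -1 on a waitpid error other than EINTR.
 * The counter is never reset inside the loop; that is the whole
 * point, since resetting it (as the fixed bug did) removes the bound. */
int reap_child_bounded(pid_t pid, int max_tries, long step_ms)
{
    struct timespec ts;
    int tries = 0;

    ts.tv_sec = step_ms / 1000;
    ts.tv_nsec = (step_ms % 1000) * 1000000L;

    while (tries < max_tries) {
        int status;
        pid_t r = waitpid(pid, &status, WNOHANG);

        if (r == pid)
            return 1;            /* reaped */
        if (r < 0 && errno != EINTR)
            return -1;           /* ECHILD or similar: give up */

        tries++;                 /* only ever incremented */
        nanosleep(&ts, NULL);
    }
    return 0;                    /* still alive after the bound */
}

int main(void)
{
    /* Constructed demo: a child that never exits on its own. */
    pid_t c = fork();
    if (c == 0) { pause(); _exit(0); }
    if (c < 0) return 1;

    int rc = reap_child_bounded(c, 10, 10);
    printf("after 10 polls: %s\n", rc == 1 ? "reaped" : "still running");
    kill(c, SIGKILL);
    waitpid(c, NULL, 0);
    return 0;
}
```

With a child that exits at once the helper returns 1 on the first or second poll; with a child that blocks it returns 0 after exactly max_tries polls, which is the behaviour the fixed loop was meant to have.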
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
| |
| |
When using remote credentials, intercept set_cred_option calls and
register an option into the existing set of credentials with the
request to set allowed enctypes at the first use of said credentials.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>
| |
The krb5 mechanism has a non standard extension to allow setting a list
of allowed enctypes to use with a particular set of credentials.
This patch adds an extension, registered by a client as a gssx_cred's
option, so that at the first use of these credentials the proxy can try
to set the requested options.
For now failure to set the option is only logged in debug mode and
the operation to import credentials does not fail if the allowed
enctypes cannot be set.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>
| |
The krb5 mechanism supports multiple oids for historical reasons.
Add a function to generically check if a mech oid is any of the known
krb5 mechanism oids, for functions that do not care which exact oid of
the krb5 family is being used.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>
| |
Add %U support which will insert the user uid number instead of the name.
Fix %% support by actually removing one of the % characters.
Fix %<invalid> sequence by actually bailing out if one is found.
Add GPDEBUG statements to indicate what went wrong.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>
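The expansion rules this commit describes, as an added example (this is not gssproxy's own code): %U inserts the numeric uid, %% yields a single literal '%', and any other %<x> sequence, including a trailing '%', aborts the expansion instead of being passed through. The helper name `expand_template`, the assumption that %u expands to the user name, and the sample template are all constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical template expander (not gssproxy's code).
 *   %u  -> user name       (assumed; the commit only mentions %U)
 *   %U  -> numeric uid
 *   %%  -> literal '%'
 * Any other %<x>, or a '%' at end of string, is an error: returns NULL
 * after logging which sequence was rejected. Caller frees the result. */
char *expand_template(const char *tmpl, const char *user, uid_t uid)
{
    size_t cap = strlen(tmpl) + 64;
    size_t len = 0;
    char *out = malloc(cap);
    if (!out)
        return NULL;

    for (const char *p = tmpl; *p; p++) {
        char buf[32];
        const char *piece;
        size_t plen;

        if (*p != '%') {
            piece = p;
            plen = 1;
        } else {
            p++;                         /* look at the selector */
            switch (*p) {
            case 'u':
                piece = user;
                plen = strlen(user);
                break;
            case 'U':
                plen = (size_t)snprintf(buf, sizeof buf, "%lu",
                                        (unsigned long)uid);
                piece = buf;
                break;
            case '%':
                piece = "%";             /* two percents collapse to one */
                plen = 1;
                break;
            default:
                /* bail out on %<invalid> or a dangling '%' */
                fprintf(stderr, "invalid template sequence %%%c\n",
                        *p ? *p : '\0');
                free(out);
                return NULL;
            }
        }

        if (len + plen + 1 > cap) {
            char *n;
            cap = (len + plen + 1) * 2;
            n = realloc(out, cap);
            if (!n) {
                free(out);
                return NULL;
            }
            out = n;
        }
        memcpy(out + len, piece, plen);
        len += plen;
    }
    out[len] = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample: a per-user path template. */
    char *r = expand_template("/tmp/example/%u/%U-100%%.ccache", "alice", 1000);
    printf("%s\n", r ? r : "(rejected)");
    free(r);
    return 0;
}
```

Rejecting unknown sequences rather than copying them through matters for anything used as a path: a silently passed-through "%U" in a credential-cache path would be the same for every user and could collapse what was meant to be per-user isolation into one shared file.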
| |
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
| |
Adds options to set a specific proxy behavior for both the client and
the server subprocesses by setting the GSSPROXY_BEHAVIOR environment
variable after forking.
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>
| |
We need to do the wrapping in order to get back an actual local context.
Otherwise we get back an interposed context from gssapi.
| |
Wrap the token in a helper function so that the code can be reused elsewhere.
| |
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
| |
Reviewed-by: Simo Sorce <simo@redhat.com>
| |
Reviewed-by: Simo Sorce <simo@redhat.com>
| |
Reviewed-by: Simo Sorce <simo@redhat.com>
| |
| |
The kernel uses the fixed path named /var/run/gssproxy.sock.
Make this the default at configure time.
Also remove the option to change the socket at configure time;
neither the kernel nor proxymech.so can cope with a change anyway.
| |
The Linux kernel now requires the gss-proxy to signal when it is available.
This is done by writing 1 to the file /proc/net/rpc/use-gss-proxy.
Once this happens the kernel will try to attach to the gss-proxy socket
and use it instead of the classic rpc.svcgssd daemon.
| |
This file is generated by gssproxy.service.in so keep only the source in
git.
| |
lifetime is already returned as remaining seconds of lifetime.
Signed-off-by: Simo Sorce <simo@redhat.com>
| |
Use spmech->length as we are replacing the original oid with spmech.
Signed-off-by: Simo Sorce <simo@redhat.com>
| |
This is enabled via --with-gssidebug.
Signed-off-by: Simo Sorce <simo@redhat.com>
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
| |
Add code to print the name of the GSSX function being executed.
Signed-off-by: Simo Sorce <simo@redhat.com>
| |
| |
This avoids issues with libraries like libtirpc, as gssrpc renames all the
symbols to avoid clashes with system libraries.
| |
This is needed because gssrpc doesn't have one.
| |
These includes are necessary when switching to gssrpc because they
are not automatically dragged in via dependencies in system rpc.h
| |
| |
| |
| |
The file is not installed automatically yet.
| |
The variable _GSSPROXY_LOOPS has been changed in favor of GSS_USE_PROXY. From
now on, applications need to explicitly enable the usage of the gssproxy
interposer inception.
| |
This will set us on course for a 0.1.0 release.
| |
| |
This allows us to remove the ring_buffer hack and become completely
stateless as well as remove a possible DoS avenue.
R.I.P. Ring Buffer :-)
| |
Acked-by: Simo Sorce <simo@redhat.com>
| |
| |
| |
| |
| |
Make sure to return success in gp_conv_name_to_gssx() at that point.
| |
| |
| |
Acked-by: Simo Sorce <simo@redhat.com>
| |
Acked-by: Simo Sorce <simo@redhat.com>
| |
| |