diff options
author | Simo Sorce <simo@redhat.com> | 2013-03-28 23:48:52 -0400 |
---|---|---|
committer | Simo Sorce <simo@redhat.com> | 2013-04-05 18:39:10 -0400 |
commit | 91932e239e8759f921897f1ff536742290b79586 (patch) | |
tree | a96cd1dbd9e0b33c3241e98d10644a851a952571 | |
parent | 4a918dcd6715d2aefa33daa451e5ecd0c1923846 (diff) | |
download | nfs-utils-gss-proxy-mods.tar.gz nfs-utils-gss-proxy-mods.tar.xz nfs-utils-gss-proxy-mods.zip |
Allow GSSAPI to try to acquire credentials first.gss-proxy-mods
GSSAPI can be given a uid number as a special name, and then
gss_acquire_cred() can use the name to try to find credentials for
the user.
Give GSSAPI a chance to do it on its own, then fallback to the classic
method of trolling through the file system to find a credential cache.
-rw-r--r-- | utils/gssd/gssd_proc.c | 22 | ||||
-rw-r--r-- | utils/gssd/krb5_util.c | 77 | ||||
-rw-r--r-- | utils/gssd/krb5_util.h | 2 |
3 files changed, 75 insertions, 26 deletions
diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c index b123978..afc2076 100644 --- a/utils/gssd/gssd_proc.c +++ b/utils/gssd/gssd_proc.c @@ -817,7 +817,8 @@ create_auth_rpc_client(struct clnt_info *clp, CLIENT **clnt_return, AUTH **auth_return, uid_t uid, - int authtype) + int authtype, + gss_cred_id_t cred) { CLIENT *rpc_clnt = NULL; struct rpc_gss_sec sec; @@ -843,7 +844,7 @@ create_auth_rpc_client(struct clnt_info *clp, sec.qop = GSS_C_QOP_DEFAULT; sec.svc = RPCSEC_GSS_SVC_NONE; - sec.cred = GSS_C_NO_CREDENTIAL; + sec.cred = cred; sec.req_flags = 0; if (authtype == AUTHTYPE_KRB5) { sec.mech = (gss_OID)&krb5oid; @@ -968,6 +969,7 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname, char **dirname; int create_resp = -1; int err, downcall_err = -EACCES; + gss_cred_id_t gss_cred; OM_uint32 maj_stat, min_stat, lifetime_rec; printerr(1, "handling krb5 upcall (%s)\n", clp->dirname); @@ -1002,15 +1004,20 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname, if (uid != 0 || (uid == 0 && root_uses_machine_creds == 0 && service == NULL)) { /* Tell krb5 gss which credentials cache to use */ - for (dirname = ccachesearch; *dirname != NULL; dirname++) { + /* Try first to acquire credentials directly via GSSAPI */ + err = gssd_acquire_user_cred(uid, &gss_cred); + if (!err) + create_resp = create_auth_rpc_client(clp, &rpc_clnt, &auth, uid, + AUTHTYPE_KRB5, gss_cred); + /* if create_auth_rplc_client fails try the traditional method of + * trolling for credentials */ + for (dirname = ccachesearch; create_resp != 0 && *dirname != NULL; dirname++) { err = gssd_setup_krb5_user_gss_ccache(uid, clp->servername, *dirname); if (err == -EKEYEXPIRED) downcall_err = -EKEYEXPIRED; else if (!err) create_resp = create_auth_rpc_client(clp, &rpc_clnt, &auth, uid, - AUTHTYPE_KRB5); - if (create_resp == 0) - break; + AUTHTYPE_KRB5, GSS_C_NO_CREDENTIAL); } } if (create_resp != 0) { @@ -1036,7 +1043,8 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname, gssd_setup_krb5_machine_gss_ccache(*ccname); if ((create_auth_rpc_client(clp, &rpc_clnt, &auth, uid, - AUTHTYPE_KRB5)) == 0) { + AUTHTYPE_KRB5, + GSS_C_NO_CREDENTIAL)) == 0) { /* Success! */ success++; break; diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c index 20b55b3..6275dd8 100644 --- a/utils/gssd/krb5_util.c +++ b/utils/gssd/krb5_util.c @@ -1350,6 +1350,57 @@ gssd_k5_get_default_realm(char **def_realm) krb5_free_context(context); } +static int +gssd_acquire_krb5_cred(gss_name_t name, gss_cred_id_t *gss_cred) +{ + OM_uint32 maj_stat, min_stat; + gss_OID_set_desc desired_mechs = { 1, &krb5oid }; + + maj_stat = gss_acquire_cred(&min_stat, name, GSS_C_INDEFINITE, + &desired_mechs, GSS_C_INITIATE, + gss_cred, NULL, NULL); + + if (maj_stat != GSS_S_COMPLETE) { + if (get_verbosity() > 0) + pgsserr("gss_acquire_cred", + maj_stat, min_stat, &krb5oid); + return -1; + } + + return 0; +} + +int +gssd_acquire_user_cred(uid_t uid, gss_cred_id_t *gss_cred) +{ + OM_uint32 maj_stat, min_stat; + gss_buffer_desc name_buf; + gss_name_t name; + char buf[11]; + int ret; + + ret = snprintf(buf, 11, "%u", uid); + if (ret < 1 || ret > 10) { + return -1; + } + name_buf.value = buf; + name_buf.length = ret + 1; + + maj_stat = gss_import_name(&min_stat, &name_buf, + GSS_C_NT_STRING_UID_NAME, &name); + if (maj_stat != GSS_S_COMPLETE) { + if (get_verbosity() > 0) + pgsserr("gss_import_name", + maj_stat, min_stat, &krb5oid); + return -1; + } + + ret = gssd_acquire_krb5_cred(name, gss_cred); + + maj_stat = gss_release_name(&min_stat, &name); + return ret; +} + #ifdef HAVE_SET_ALLOWABLE_ENCTYPES /* * this routine obtains a credentials handle via gss_acquire_cred() @@ -1368,28 +1419,18 @@ int limit_krb5_enctypes(struct rpc_gss_sec *sec) { u_int maj_stat, min_stat; - gss_cred_id_t credh; - gss_OID_set_desc desired_mechs; krb5_enctype enctypes[] = { ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_CBC_MD4 }; int num_enctypes = sizeof(enctypes) / sizeof(enctypes[0]); extern int num_krb5_enctypes; extern krb5_enctype *krb5_enctypes; + int err = -1; - /* We only care about getting a krb5 cred */ - desired_mechs.count = 1; - desired_mechs.elements = &krb5oid; - - maj_stat = gss_acquire_cred(&min_stat, NULL, 0, - &desired_mechs, GSS_C_INITIATE, - &credh, NULL, NULL); - - if (maj_stat != GSS_S_COMPLETE) { - if (get_verbosity() > 0) - pgsserr("gss_acquire_cred", - maj_stat, min_stat, &krb5oid); - return -1; + if (sec->cred == GSS_C_NO_CREDENTIAL) { + err = gssd_acquire_krb5_cred(GSS_C_NO_NAME, &sec->cred); + if (err) + return -1; } /* @@ -1397,19 +1438,17 @@ limit_krb5_enctypes(struct rpc_gss_sec *sec) * list of supported enctypes, use local default here. */ if (krb5_enctypes == NULL || limit_to_legacy_enctypes) - maj_stat = gss_set_allowable_enctypes(&min_stat, credh, + maj_stat = gss_set_allowable_enctypes(&min_stat, sec->cred, &krb5oid, num_enctypes, enctypes); else - maj_stat = gss_set_allowable_enctypes(&min_stat, credh, + maj_stat = gss_set_allowable_enctypes(&min_stat, sec->cred, &krb5oid, num_krb5_enctypes, krb5_enctypes); if (maj_stat != GSS_S_COMPLETE) { pgsserr("gss_set_allowable_enctypes", maj_stat, min_stat, &krb5oid); - gss_release_cred(&min_stat, &credh); return -1; } - sec->cred = credh; return 0; } diff --git a/utils/gssd/krb5_util.h b/utils/gssd/krb5_util.h index 9f41625..eed1294 100644 --- a/utils/gssd/krb5_util.h +++ b/utils/gssd/krb5_util.h @@ -36,6 +36,8 @@ int gssd_refresh_krb5_machine_credential(char *hostname, char *gssd_k5_err_msg(krb5_context context, krb5_error_code code); void gssd_k5_get_default_realm(char **def_realm); +int gssd_acquire_user_cred(uid_t uid, gss_cred_id_t *gss_cred); + #ifdef HAVE_SET_ALLOWABLE_ENCTYPES extern int limit_to_legacy_enctypes; int limit_krb5_enctypes(struct rpc_gss_sec *sec); |