authorKevin Coffman <kwc@citi.umich.edu>2011-04-06 11:25:03 -0400
committerSteve Dickson <steved@redhat.com>2011-04-06 11:30:02 -0400
commitd6c1b35c6b40243bfd6fba2591c9f8f2653078c0 (patch)
tree247e6c2bb3a0c99003c7c006ca15cc28b3a3ffe2 /utils/gssd/gss_util.c
parent73840ef610accf4cf667427bc64805377c0d8394 (diff)
nfs-utils: Add support to svcgssd to limit the negotiated enctypes
Recent versions of Kerberos libraries negotiate and use an "acceptor subkey". This negotiation does not consider that a service may have limited the encryption keys in its keytab. A patch (http://src.mit.edu/fisheye/changelog/krb5/?cs=24603) has been added to the MIT Kerberos code to allow an application to indicate that it wants to limit the encryption types negotiated. (This functionality has been available on the client/initiator side for a while. The new patch adds this support to the server/acceptor side.) This patch adds support to read a recently added nfsd proc file to determine the encryption types supported by the kernel and calls the function to limit encryption types negotiated for the acceptor subkey. Signed-off-by: Kevin Coffman <kwc@citi.umich.edu> Signed-off-by: Steve Dickson <steved@redhat.com>
Diffstat (limited to 'utils/gssd/gss_util.c')
-rw-r--r--utils/gssd/gss_util.c25
1 files changed, 15 insertions, 10 deletions
diff --git a/utils/gssd/gss_util.c b/utils/gssd/gss_util.c
index ee304cc..ca27d61 100644
--- a/utils/gssd/gss_util.c
+++ b/utils/gssd/gss_util.c
@@ -276,20 +276,25 @@ gssd_acquire_cred(char *server_name, const gss_OID oid)
u_int32_t ignore_maj_stat, ignore_min_stat;
gss_buffer_desc pbuf;
- name.value = (void *)server_name;
- name.length = strlen(server_name);
+ /* If server_name is NULL, get cred for GSS_C_NO_NAME */
+ if (server_name == NULL) {
+ target_name = GSS_C_NO_NAME;
+ } else {
+ name.value = (void *)server_name;
+ name.length = strlen(server_name);
- maj_stat = gss_import_name(&min_stat, &name,
- oid,
- &target_name);
+ maj_stat = gss_import_name(&min_stat, &name,
+ oid,
+ &target_name);
- if (maj_stat != GSS_S_COMPLETE) {
- pgsserr("gss_import_name", maj_stat, min_stat, g_mechOid);
- return (FALSE);
+ if (maj_stat != GSS_S_COMPLETE) {
+ pgsserr("gss_import_name", maj_stat, min_stat, g_mechOid);
+ return (FALSE);
+ }
}
- maj_stat = gss_acquire_cred(&min_stat, target_name, 0,
- GSS_C_NULL_OID_SET, GSS_C_ACCEPT,
+ maj_stat = gss_acquire_cred(&min_stat, target_name, GSS_C_INDEFINITE,
+ GSS_C_NO_OID_SET, GSS_C_ACCEPT,
&gssd_creds, NULL, NULL);
if (maj_stat != GSS_S_COMPLETE) {