The default expiration of kernel gss contexts is the expiration

of the Kerberos ticket used in its creation.  (For contexts
created using the Kerberos mechanism.)  Thus kdestroy has
no effect in nullifying the kernel context.

This patch adds -t <timeout> option to rpc.gssd so that the client's
administrator may specify a timeout for expiration of contexts in kernel.
After this timeout, rpc.gssd is consulted to create a new context.

By default, timeout is 0 (i.e., no timeout at all) which follows the
previous behavior.

Signed-off-by: Lukas Hejtmanek <xhejtman@ics.muni.cz>
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
Signed-off-by: Steve Dickson <steved@redhat.com>

1 files changed, 6 insertions, 2 deletions

diff --git a/utils/gssd/gssd.c b/utils/gssd/gssd.c
index e8612a5..2e6f316 100644
--- a/utils/gssd/gssd.c
+++ b/utils/gssd/gssd.c
@@ -60,6 +60,7 @@ char ccachedir[PATH_MAX] = GSSD_DEFAULT_CRED_DIR;
 char *ccachesearch[GSSD_MAX_CCACHE_SEARCH + 1];
 int  use_memcache = 0;
 int  root_uses_machine_creds = 1;
+unsigned int  context_timeout = 0;
 
 void
 sig_die(int signal)
@@ -82,7 +83,7 @@ sig_hup(int signal)
 static void
 usage(char *progname)
 {
-	fprintf(stderr, "usage: %s [-f] [-M] [-n] [-v] [-r] [-p pipefsdir] [-k keytab] [-d ccachedir]\n",
+	fprintf(stderr, "usage: %s [-f] [-M] [-n] [-v] [-r] [-p pipefsdir] [-k keytab] [-d ccachedir] [-t timeout]\n",
 		progname);
 	exit(1);
 }
@@ -99,7 +100,7 @@ main(int argc, char *argv[])
 	char *progname;
 
 	memset(ccachesearch, 0, sizeof(ccachesearch));
-	while ((opt = getopt(argc, argv, "fvrmnMp:k:d:")) != -1) {
+	while ((opt = getopt(argc, argv, "fvrmnMp:k:d:t:")) != -1) {
 		switch (opt) {
 			case 'f':
 				fg = 1;
@@ -134,6 +135,9 @@ main(int argc, char *argv[])
 				if (ccachedir[sizeof(ccachedir)-1] != '\0')
 					errx(1, "ccachedir path name too long");
 				break;
+			case 't':
+				context_timeout = atoi(optarg);
+				break;
 			default:
 				usage(argv[0]);
 				break;