author | Olga Kornievskaia <aglo@citi.umich.edu> | 2009-11-16 09:27:22 -0500 |
committer | Steve Dickson <steved@redhat.com> | 2009-11-16 09:27:22 -0500 |
commit | 421406ee159fa27cca1a150600cfc321bbbe33f5 (patch) | |
tree | 8eedd37494cc78c1d19cf8f6b6c46add5b621ea7 /utils/gssd/gssd_proc.c | |
parent | 0cfdc66de043a89d2ae2167a624e7d0b56c122eb (diff) | |
gssd: process target= attribute in new upcall
Add processing of the "target=" attribute in the new gssd upcall.
Information in this field is used to construct the gss service name
of the server for which gssd will create a context.
This, along with the next patch handling "service=", is needed
for callback security.
For Kerberos, the NFS client will use a service principal present
in its keytab during authentication of the SETCLIENT_ID operation.
When establishing the context for the callback, the gssd on the
NFS server will attempt to authenticate the callback against the
principal name used by the client.
Note: An NFS client machine must have a keytab for the callback
authentication to succeed.
Signed-off-by: Olga Kornievskaia <aglo@citi.umich.edu>
Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
Signed-off-by: Steve Dickson <steved@redhat.com>
Diffstat (limited to 'utils/gssd/gssd_proc.c')
-rw-r--r-- | utils/gssd/gssd_proc.c | 26 |
1 files changed, 23 insertions, 3 deletions
diff --git a/utils/gssd/gssd_proc.c b/utils/gssd/gssd_proc.c
index 5897ae6..799a207 100644
--- a/utils/gssd/gssd_proc.c
+++ b/utils/gssd/gssd_proc.c
@@ -883,7 +883,7 @@ int create_auth_rpc_client(struct clnt_info *clp,
 * context on behalf of the kernel
 */
 static void
-process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd)
+process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd, char *tgtname)
 {
 CLIENT *rpc_clnt = NULL;
 AUTH *auth = NULL;
@@ -896,6 +896,12 @@ process_krb5_upcall(struct clnt_info *clp, uid_t uid, int fd)
 printerr(1, "handling krb5 upcall (%s)\n", clp->dirname);
+ if (tgtname) {
+ if (clp->servicename) {
+ free(clp->servicename);
+ clp->servicename = strdup(tgtname);
+ }
+ }
 token.length = 0;
 token.value = NULL;
 memset(&pd, 0, sizeof(struct authgss_private_data));
@@ -1060,7 +1066,7 @@ handle_krb5_upcall(struct clnt_info *clp)
 return;
 }
- return process_krb5_upcall(clp, uid, clp->krb5_fd);
+ return process_krb5_upcall(clp, uid, clp->krb5_fd, NULL);
 }
 void
@@ -1085,6 +1091,7 @@ handle_gssd_upcall(struct clnt_info *clp)
 int lbuflen = 0;
 char *p;
 char *mech = NULL;
+ char *target = NULL;
 printerr(1, "handling gssd upcall (%s)\n", clp->dirname);
@@ -1128,9 +1135,21 @@ handle_gssd_upcall(struct clnt_info *clp)
 goto out;
 }
+ /* read target name */
+ if ((p = strstr(lbuf, "target=")) != NULL) {
+ target = malloc(lbuflen);
+ if (!target)
+ goto out;
+ if (sscanf(p, "target=%s", target) != 1) {
+ printerr(0, "WARNING: handle_gssd_upcall: "
+ "failed to parse target name "
+ "in upcall string '%s'\n", lbuf);
+ goto out;
+ }
+ }
 if (strcmp(mech, "krb5") == 0)
- process_krb5_upcall(clp, uid, clp->gssd_fd);
+ process_krb5_upcall(clp, uid, clp->gssd_fd, target);
 else if (strcmp(mech, "spkm3") == 0)
 process_spkm3_upcall(clp, uid, clp->gssd_fd);
 else
@@ -1140,6 +1159,7 @@ handle_gssd_upcall(struct clnt_info *clp)
 out:
 free(lbuf);
 free(mech);
+ free(target);
 return;
 }
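Review bot: The strdup() result in the new tgtname block of process_krb5_upcall is unchecked; on failure clp->servicename has already been freed and is left NULL, so whatever later consumes the service name in this function (not visible in the hunk) presumably sees a NULL name instead of the one it had. Duplicate first and swap only on success, keeping the existing `if (clp->servicename)` guard: `char *newname = strdup(tgtname);` followed by `if (newname) { free(clp->servicename); clp->servicename = newname; }`, optionally with a printerr() on the failure branch. The upcall's target is also silently ignored when clp->servicename is NULL; if that is deliberate, a one-line comment such as `/* only override a service name that was already established */` would save the next reader from guessing. process_krb5_upcall's body continues outside the hunk.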
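Review bot: The malloc() failure path in the new target= block of handle_gssd_upcall jumps to out with no diagnostic, so in the logs an out-of-memory condition is indistinguishable from an upcall that simply carried no target, whereas the sscanf() failure a few lines below does log; add `printerr(0, "WARNING: handle_gssd_upcall: failed to allocate target name\n");` before that `goto out;`. The `%s` conversion in `sscanf(p, "target=%s", target)` carries no field width, so the write into target is bounded only by the assumption that lbuflen is at least the size of lbuf (the buffer strstr() scanned); that appears to hold and mirrors the existing mech= parsing, but a width derived from lbuflen, or a comment stating the invariant, would make it explicit. handle_gssd_upcall starts and ends outside this hunk.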