teach gss_acquire_cred_from() about "client_keytab"
- pull in Simo's patch to recognize "client_keytab" as a key type which can be passed in to gss_acquire_cred_from()
This commit is contained in:
parent
30e39857ae
commit
7b92138ee8
131
krb5-1.11-gss-client-keytab.patch
Normal file
131
krb5-1.11-gss-client-keytab.patch
Normal file
@ -0,0 +1,131 @@
|
|||||||
|
Originally http://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?h=gss_cs&id=a3b9bf20df1d976775ed929d8cb5f4844e03b1bf
|
||||||
|
|
||||||
|
commit a3b9bf20df1d976775ed929d8cb5f4844e03b1bf
|
||||||
|
Author: Simo Sorce <simo@redhat.com>
|
||||||
|
Date: Thu Mar 28 12:53:01 2013 -0400
|
||||||
|
|
||||||
|
Add support for client keytab from cred store
|
||||||
|
|
||||||
|
The new credential store extensions added support for specifying a
|
||||||
|
specific ccache name and also a specific keytab to be used for accepting
|
||||||
|
security contexts, but did not add a way to specify a client keytab
|
||||||
|
to be used in conjunction with the Keytab initiation support added also
|
||||||
|
in 1.11
|
||||||
|
|
||||||
|
This patch introduces a new URN named client_keytab through which a
|
||||||
|
specific client_keytab can be set when calling gss_acquire_cred_from()
|
||||||
|
and Keytab Initiation will use that keytab to initialize credentials.
|
||||||
|
|
||||||
|
diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
|
||||||
|
index 4d499e4..8540bf3 100644
|
||||||
|
--- a/src/lib/gssapi/krb5/acquire_cred.c
|
||||||
|
+++ b/src/lib/gssapi/krb5/acquire_cred.c
|
||||||
|
@@ -636,6 +636,7 @@ acquire_init_cred(krb5_context context,
|
||||||
|
OM_uint32 *minor_status,
|
||||||
|
krb5_ccache req_ccache,
|
||||||
|
gss_buffer_t password,
|
||||||
|
+ krb5_keytab client_keytab,
|
||||||
|
krb5_gss_cred_id_rec *cred)
|
||||||
|
{
|
||||||
|
krb5_error_code code;
|
||||||
|
@@ -659,9 +660,13 @@ acquire_init_cred(krb5_context context,
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
|
||||||
|
- code = krb5_kt_client_default(context, &cred->client_keytab);
|
||||||
|
- if (code)
|
||||||
|
- goto error;
|
||||||
|
+ if (client_keytab != NULL)
|
||||||
|
+ cred->client_keytab = client_keytab;
|
||||||
|
+ else {
|
||||||
|
+ code = krb5_kt_client_default(context, &cred->client_keytab);
|
||||||
|
+ if (code)
|
||||||
|
+ goto error;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
if (password != GSS_C_NO_BUFFER) {
|
||||||
|
pwdata = make_data(password->value, password->length);
|
||||||
|
@@ -719,8 +724,9 @@ static OM_uint32
|
||||||
|
acquire_cred_context(krb5_context context, OM_uint32 *minor_status,
|
||||||
|
gss_name_t desired_name, gss_buffer_t password,
|
||||||
|
OM_uint32 time_req, gss_cred_usage_t cred_usage,
|
||||||
|
- krb5_ccache ccache, krb5_keytab keytab,
|
||||||
|
- krb5_boolean iakerb, gss_cred_id_t *output_cred_handle,
|
||||||
|
+ krb5_ccache ccache, krb5_keytab client_keytab,
|
||||||
|
+ krb5_keytab keytab, krb5_boolean iakerb,
|
||||||
|
+ gss_cred_id_t *output_cred_handle,
|
||||||
|
OM_uint32 *time_rec)
|
||||||
|
{
|
||||||
|
krb5_gss_cred_id_t cred = NULL;
|
||||||
|
@@ -787,7 +793,8 @@ acquire_cred_context(krb5_context context, OM_uint32 *minor_status,
|
||||||
|
* in cred->name if it wasn't set above.
|
||||||
|
*/
|
||||||
|
if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) {
|
||||||
|
- ret = acquire_init_cred(context, minor_status, ccache, password, cred);
|
||||||
|
+ ret = acquire_init_cred(context, minor_status, ccache, password,
|
||||||
|
+ client_keytab, cred);
|
||||||
|
if (ret != GSS_S_COMPLETE)
|
||||||
|
goto error_out;
|
||||||
|
}
|
||||||
|
@@ -864,8 +871,8 @@ acquire_cred(OM_uint32 *minor_status, gss_name_t desired_name,
|
||||||
|
}
|
||||||
|
|
||||||
|
ret = acquire_cred_context(context, minor_status, desired_name, password,
|
||||||
|
- time_req, cred_usage, ccache, keytab, iakerb,
|
||||||
|
- output_cred_handle, time_rec);
|
||||||
|
+ time_req, cred_usage, ccache, NULL, keytab,
|
||||||
|
+ iakerb, output_cred_handle, time_rec);
|
||||||
|
|
||||||
|
out:
|
||||||
|
krb5_free_context(context);
|
||||||
|
@@ -1130,6 +1137,7 @@ krb5_gss_acquire_cred_from(OM_uint32 *minor_status,
|
||||||
|
{
|
||||||
|
krb5_context context = NULL;
|
||||||
|
krb5_error_code code = 0;
|
||||||
|
+ krb5_keytab client_keytab = NULL;
|
||||||
|
krb5_keytab keytab = NULL;
|
||||||
|
krb5_ccache ccache = NULL;
|
||||||
|
const char *value;
|
||||||
|
@@ -1162,6 +1170,19 @@ krb5_gss_acquire_cred_from(OM_uint32 *minor_status,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+ ret = kg_value_from_cred_store(cred_store, KRB5_CS_CLI_KEYTAB_URN, &value);
|
||||||
|
+ if (GSS_ERROR(ret))
|
||||||
|
+ goto out;
|
||||||
|
+
|
||||||
|
+ if (value) {
|
||||||
|
+ code = krb5_kt_resolve(context, value, &client_keytab);
|
||||||
|
+ if (code != 0) {
|
||||||
|
+ *minor_status = code;
|
||||||
|
+ ret = GSS_S_CRED_UNAVAIL;
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
ret = kg_value_from_cred_store(cred_store, KRB5_CS_KEYTAB_URN, &value);
|
||||||
|
if (GSS_ERROR(ret))
|
||||||
|
goto out;
|
||||||
|
@@ -1176,8 +1197,8 @@ krb5_gss_acquire_cred_from(OM_uint32 *minor_status,
|
||||||
|
}
|
||||||
|
|
||||||
|
ret = acquire_cred_context(context, minor_status, desired_name, NULL,
|
||||||
|
- time_req, cred_usage, ccache, keytab, 0,
|
||||||
|
- output_cred_handle, time_rec);
|
||||||
|
+ time_req, cred_usage, ccache, client_keytab,
|
||||||
|
+ keytab, 0, output_cred_handle, time_rec);
|
||||||
|
|
||||||
|
out:
|
||||||
|
if (ccache != NULL)
|
||||||
|
diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
|
||||||
|
index 8215b10..310ff58 100644
|
||||||
|
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
|
||||||
|
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
|
||||||
|
@@ -1227,6 +1227,7 @@ data_to_gss(krb5_data *input_k5data, gss_buffer_t output_buffer)
|
||||||
|
|
||||||
|
/* Credential store extensions */
|
||||||
|
|
||||||
|
+#define KRB5_CS_CLI_KEYTAB_URN "client_keytab"
|
||||||
|
#define KRB5_CS_KEYTAB_URN "keytab"
|
||||||
|
#define KRB5_CS_CCACHE_URN "ccache"
|
||||||
|
|
@ -76,6 +76,7 @@ Patch113: krb5-1.11-alpha1-init.patch
|
|||||||
Patch114: krb5-lookup_etypes-leak.patch
|
Patch114: krb5-lookup_etypes-leak.patch
|
||||||
Patch115: krb5-1.11.1-interposers.patch
|
Patch115: krb5-1.11.1-interposers.patch
|
||||||
Patch116: http://ausil.fedorapeople.org/aarch64/krb5/krb5-aarch64.patch
|
Patch116: http://ausil.fedorapeople.org/aarch64/krb5/krb5-aarch64.patch
|
||||||
|
Patch117: krb5-1.11-gss-client-keytab.patch
|
||||||
|
|
||||||
Patch201: 0001-add-libk5radius.patch
|
Patch201: 0001-add-libk5radius.patch
|
||||||
Patch202: 0002-Add-internal-KDC_DIR-macro.patch
|
Patch202: 0002-Add-internal-KDC_DIR-macro.patch
|
||||||
@ -294,6 +295,7 @@ ln -s NOTICE LICENSE
|
|||||||
%patch114 -p1 -b .lookup_etypes-leak
|
%patch114 -p1 -b .lookup_etypes-leak
|
||||||
%patch115 -p1 -b .interposers
|
%patch115 -p1 -b .interposers
|
||||||
%patch116 -p1 -b .aarch64
|
%patch116 -p1 -b .aarch64
|
||||||
|
%patch117 -p1 -b .gss-client-keytab
|
||||||
|
|
||||||
%patch201 -p1 -b .add-libk5radius
|
%patch201 -p1 -b .add-libk5radius
|
||||||
%patch202 -p1 -b .add-internal-kdc_dir
|
%patch202 -p1 -b .add-internal-kdc_dir
|
||||||
@ -819,6 +821,8 @@ exit 0
|
|||||||
since that's what the libraries actually look for
|
since that's what the libraries actually look for
|
||||||
- add buildrequires on nss-myhostname, in an attempt to get more of the tests
|
- add buildrequires on nss-myhostname, in an attempt to get more of the tests
|
||||||
to run properly during builds
|
to run properly during builds
|
||||||
|
- pull in Simo's patch to recognize "client_keytab" as a key type which can
|
||||||
|
be passed in to gss_acquire_cred_from()
|
||||||
|
|
||||||
* Tue Mar 26 2013 Nalin Dahyabhai <nalin@redhat.com> 1.11.1-5
|
* Tue Mar 26 2013 Nalin Dahyabhai <nalin@redhat.com> 1.11.1-5
|
||||||
- pull up Simo's patch to mark the correct mechanism on imported GSSAPI
|
- pull up Simo's patch to mark the correct mechanism on imported GSSAPI
|
||||||
|
Loading…
Reference in New Issue
Block a user