authorTrond Myklebust <Trond.Myklebust@netapp.com>2010-04-08 14:09:58 -0400
committerTrond Myklebust <Trond.Myklebust@netapp.com>2010-05-14 15:09:17 -0400
commit683ac6656cb05b6e83593770ffc049eee4a4d119 (patch)
tree531c849ad7b20ade79e69c8daa446d99722958ae
parent47d84807762966c3611c38adecec6ea703ddda7a (diff)
gss_krb5: Add upcall info indicating supported kerberos enctypes
The text-based upcall now indicates which Kerberos encryption types are supported by the kernel rpcsecgss code. This is used by gssd to determine which encryption types it should attempt to negotiate when creating a context with a server. The server principal's database and keytab encryption types are what limit what it should negotiate; therefore, its keytab should be created with only the enctypes listed by this file. Currently we support des-cbc-crc, des-cbc-md4 and des-cbc-md5. Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
-rw-r--r--include/linux/sunrpc/gss_api.h2
-rw-r--r--net/sunrpc/auth_gss/auth_gss.c8
-rw-r--r--net/sunrpc/auth_gss/gss_krb5_mech.c1
3 files changed, 10 insertions, 1 deletions
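--- a/include/linux/sunrpc/gss_api.h
+++ b/include/linux/sunrpc/gss_api.h
@@ -80,6 +80,8 @@ struct gss_api_mech {
 	/* pseudoflavors supported by this mechanism: */
 	int gm_pf_num;
 	struct pf_desc * gm_pfs;
+	/* Should the following be a callback operation instead? */
+	const char *gm_upcall_enctypes;
 };
 
 /* and must provide the following operations: */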
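Review bot: The comment added above `gm_upcall_enctypes` records a design question but not the field's contract, and the consumer in auth_gss.c relies on the string being a ready-made fragment of the upcall line. I would replace it with `/* Optional, pre-formatted upcall fragment advertising the enctypes this mechanism supports, e.g. "enctypes=3,1,2 " (trailing space is the field separator); NULL if the mechanism has none. */`. Because the fragment is currently handed to sprintf() as its format string, the comment should also state that it must not contain `%`, or that constraint should be removed by fixing the caller. struct gss_api_mech begins before this hunk.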
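--- a/net/sunrpc/auth_gss/auth_gss.c
+++ b/net/sunrpc/auth_gss/auth_gss.c
@@ -377,11 +377,12 @@ static void gss_encode_v0_msg(struct gss_upcall_msg *gss_msg)
 static void gss_encode_v1_msg(struct gss_upcall_msg *gss_msg,
 				struct rpc_clnt *clnt, int machine_cred)
 {
+	struct gss_api_mech *mech = gss_msg->auth->mech;
 	char *p = gss_msg->databuf;
 	int len = 0;
 
 	gss_msg->msg.len = sprintf(gss_msg->databuf, "mech=%s uid=%d ",
-				gss_msg->auth->mech->gm_name,
+				mech->gm_name,
 				gss_msg->uid);
 	p += gss_msg->msg.len;
 	if (clnt->cl_principal) {
@@ -398,6 +399,11 @@ static void gss_encode_v1_msg(struct gss_upcall_msg *gss_msg,
 		p += len;
 		gss_msg->msg.len += len;
 	}
+	if (mech->gm_upcall_enctypes) {
+		len = sprintf(p, mech->gm_upcall_enctypes);
+		p += len;
+		gss_msg->msg.len += len;
+	}
 	len = sprintf(p, "\n");
 	gss_msg->msg.len += len;
 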
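Review bot: `len = sprintf(p, mech->gm_upcall_enctypes);` passes a non-literal string as the format argument, so any `%` in a mechanism's `gm_upcall_enctypes` would be parsed as a conversion with no matching argument, and -Wformat-security flags the call; `len = sprintf(p, "%s", mech->gm_upcall_enctypes);` writes it verbatim. The only provider today is a constant literal in gss_krb5_mech.c, so this is an anti-pattern rather than a live bug, but the field is a per-mechanism hook and future mechanisms will not all be audited for it. Separately, the hunk keeps appending to `gss_msg->databuf` with unbounded sprintf; the buffer's size is not visible here, so if it is a fixed-size array the new `enctypes=` fragment shrinks the room left for `cl_principal`, and a bounded form such as `scnprintf(p, sizeof(gss_msg->databuf) - gss_msg->msg.len, "%s", mech->gm_upcall_enctypes)` would make the limit explicit. gss_encode_v1_msg() starts in the previous hunk and its body continues past the end of this one.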
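--- a/net/sunrpc/auth_gss/gss_krb5_mech.c
+++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
@@ -552,6 +552,7 @@ static struct gss_api_mech gss_kerberos_mech = {
 	.gm_ops = &gss_kerberos_ops,
 	.gm_pf_num = ARRAY_SIZE(gss_kerberos_pfs),
 	.gm_pfs = gss_kerberos_pfs,
+	.gm_upcall_enctypes = "enctypes=3,1,2 ",
 };
 
 static int __init init_kerberos_module(void)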
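Review bot: The literal `"enctypes=3,1,2 "` encodes three Kerberos enctype numbers and a trailing separator as magic values with no comment; the commit message says these are des-cbc-crc, des-cbc-md4 and des-cbc-md5, which a reader cannot recover from the line itself. I would add, above the initializer, `/* Kerberos enctype IDs advertised to gssd: 1=des-cbc-crc, 2=des-cbc-md4, 3=des-cbc-md5 (RFC 3961 numbering, confirm against the mechanism's enctype defines); the trailing space is the upcall field separator. */`. That comment is also the place for the admin-facing caveat that all three are single-DES enctypes, so a keytab built to match this list, as the commit message recommends, is limited to 56-bit keys; that is a property of what this code supports rather than something the patch can change, but it should be stated where the list lives. Keeping the literal in sync with the enctypes the mechanism actually implements is a manual step with this design, so a note pointing at the implementation table would help the next person who adds an enctype.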