Re: [PATCH 0/3] cifs: allow multiuser mounts with authtypes besides krb5

On Fri, 6 Jan 2012 11:21:44 -0600
Shirish Pargaonkar <shirishpargaonkar@xxxxxxxxx> wrote:

> On Fri, Jan 6, 2012 at 7:11 AM, Jeff Layton <jlayton@xxxxxxxxxx> wrote:
> > When the multiuser mount code was initially introduced for cifs, I
> > limited it to sec=krb5 auth. When a new user walks into a mount, we have
> > no way to prompt for a username and password from the kernel, so the
> > only auth type we could support was krb5.
> >
> > This patchset extends the code to allow other auth types to use
> > multiuser mounts. The idea here is for users to put their username and
> > password for a particular server or domain into the keyring. The kernel
> 
> Would users be able to put their username for a particular domain name
> and server address as well as server name?
> Was not clear from the description whether it was just the server address
> or name as well!
> 

You can add keys for a particular host or NT domain name. If it's a host
key, then the userspace tool will add a key for each address that it
resolves for the hostname. For a domain key, it's treated as a string
literal and the kernel will use the domain= mount option to construct
the key description.

> > can then look for that key and use those credentials to establish a
> > session on the user's behalf.
> >
> > Because of the quirkiness of keyring permissions, this patchset adds a
> > new key type that does not allow the keys to be read from userspace.
> > That should prevent compromise of the credentials by someone walking up
> > to the user's machine while she is away at lunch.
> >
> > The userspace tool to stash keys in the keyring is already in
> > cifs-utils, but the current form will not work with this version of the
> > kernel patchset. A patchset that updates the tool to be suitable for
> > this purpose will follow.
> >
> > Jeff Layton (3):
> >  keys: add a "secret" key type
> >  cifs: sanitize username handling
> >  cifs: fetch credentials out of keyring for non-krb5 auth multiuser
> >    mounts
> >
> >  fs/cifs/cifs_spnego.c        |   10 ++-
> >  fs/cifs/cifsencrypt.c        |   11 ++-
> >  fs/cifs/connect.c            |  195 ++++++++++++++++++++++++++++++++++++++----
> >  include/keys/user-type.h     |    3 +-
> >  security/keys/internal.h     |    1 +
> >  security/keys/key.c          |    1 +
> >  security/keys/user_defined.c |   17 ++++
> >  7 files changed, 214 insertions(+), 24 deletions(-)
> >
> > --
> > 1.7.7.4
> >
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
> > the body of a message to majordomo@xxxxxxxxxxxxxxx
> > More majordomo info at  http://vger.kernel.org/majordomo-info.html


-- 
Jeff Layton <jlayton@xxxxxxxxxx>