On 04/12/2012 11:49 AM, Michael Weiser wrote:
> Hi Steve,
>
> On Thu, Apr 12, 2012 at 10:43:20AM -0400, Steve Dickson wrote:
>
>>> How do I go about getting this committed?
>> My bad... I'm looking into this now....
>
> Thanks for getting back to me.
>
>>>> I just noticed that while the code bits are optional based on
>>>> HAVE_SET_ALLOWABLE_ENCTYPES, the man page part isn't. I've got no idea,
>>>> how to go about that.
>> I'm think we should remove all those defines and have the code enabled
>> by default. The main reason is defines like that just clutter up the
>> code, plus there would be a needed for another configuration flag
>> which I think is a bit over kill...
>
> Here it is. The whole HAVE_SET_ALLOWABLE_ENCTYPES logic is still in place
> but my code now ignores it. So with a GSSAPI implementation that doesn't
> support it, the -l switch will be accepted by gssd but silently do
> nothing.
Well after further review.... it appears remove moving those defines would
have a negative impact on backwards compatibility with older Kerberos
libraries.
So what I'm thinking of doing is error out if an admin tries to use the
-l flag with incompatible Kerberos libraries. I also made a note in
the man page. So how about something like this:
Author: Michael Weiser <weiser@xxxxxxxxxxxxxxxxxxxx>
Date: Thu Apr 12 11:50:03 2012 -0400
Add -l option to gssd to force legacy behaviour
Implement a new option -l to force gssd to ignore its kernel's crypto
capabilities and use just the Single DES legacy encryption types to be
compatible with old servers. This is only relevant if those servers have
strong keys in their keytab.
Signed-off-by: Steve Dickson <steved@xxxxxxxxxx>
diff --git a/utils/gssd/gssd.c b/utils/gssd/gssd.c
index d53795e..7825255 100644
--- a/utils/gssd/gssd.c
+++ b/utils/gssd/gssd.c
@@ -85,7 +85,7 @@ sig_hup(int signal)
static void
usage(char *progname)
{
- fprintf(stderr, "usage: %s [-f] [-M] [-n] [-v] [-r] [-p pipefsdir] [-k keytab] [-d ccachedir] [-t timeout] [-R preferred realm]\n",
+ fprintf(stderr, "usage: %s [-f] [-l] [-M] [-n] [-v] [-r] [-p pipefsdir] [-k keytab] [-d ccachedir] [-t timeout] [-R preferred realm]\n",
progname);
exit(1);
}
@@ -102,7 +102,7 @@ main(int argc, char *argv[])
char *progname;
memset(ccachesearch, 0, sizeof(ccachesearch));
- while ((opt = getopt(argc, argv, "fvrmnMp:k:d:t:R:")) != -1) {
+ while ((opt = getopt(argc, argv, "fvrlmnMp:k:d:t:R")) != -1) {
switch (opt) {
case 'f':
fg = 1;
@@ -143,6 +143,13 @@ main(int argc, char *argv[])
case 'R':
preferred_realm = strdup(optarg);
break;
+ case 'l':
+#ifdef HAVE_SET_ALLOWABLE_ENCTYPES
+ limit_to_legacy_enctypes = 1;
+#else
+ errx(1, "Setting encryption type not support by Kerberos libraries.");
+#endif
+ break;
default:
usage(argv[0]);
break;
diff --git a/utils/gssd/gssd.man b/utils/gssd/gssd.man
index 073379d..d8138fa 100644
--- a/utils/gssd/gssd.man
+++ b/utils/gssd/gssd.man
@@ -6,7 +6,7 @@
.SH NAME
rpc.gssd \- rpcsec_gss daemon
.SH SYNOPSIS
-.B "rpc.gssd [-f] [-n] [-k keytab] [-p pipefsdir] [-v] [-r] [-d ccachedir]"
+.B "rpc.gssd [-f] [-n] [-k keytab] [-l] [-p pipefsdir] [-v] [-r] [-d ccachedir]"
.SH DESCRIPTION
The rpcsec_gss protocol gives a means of using the gss-api generic security
api to provide security for protocols using rpc (in particular, nfs). Before
@@ -70,6 +70,30 @@ for "machine credentials" is now:
If this search order does not use the correct key then provide a
keytab file that contains only correct keys.
.TP
+.B -l
+Tells
+.B rpc.gssd
+to limit session keys to Single DES even if the kernel supports stronger
+encryption types. Service ticket encryption is still governed by what
+the KDC believes the target server supports. This way the client can
+access a server that has strong keys in its keytab for ticket decryption
+but whose kernel only supports Single DES.
+.IP
+The alternative is to put only Single DES keys in the server's keytab
+and limit encryption types for its principal to Single DES on the KDC
+which will cause service tickets for this server to be encrypted using
+only Single DES and (as a side-effect) contain only Single DES session
+keys.
+.IP
+This legacy behaviour is only required for older servers
+(pre nfs-utils-1.2.4). If the server has a recent kernel, Kerberos
+implementation and nfs-utils it will work just fine with stronger
+encryption.
+.IP
+.B Note:
+This option is only available with Kerberos libraries that
+support setable encryption types.
+.TP
.B -p path
Tells
.B rpc.gssd
diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
index 4b13fa1..887d118 100644
--- a/utils/gssd/krb5_util.c
+++ b/utils/gssd/krb5_util.c
@@ -129,6 +129,10 @@
/* Global list of principals/cache file names for machine credentials */
struct gssd_k5_kt_princ *gssd_k5_kt_princ_list = NULL;
+#ifdef HAVE_SET_ALLOWABLE_ENCTYPES
+int limit_to_legacy_enctypes = 0;
+#endif
+
/*==========================*/
/*=== Internal routines ===*/
/*==========================*/
@@ -1342,7 +1346,7 @@ limit_krb5_enctypes(struct rpc_gss_sec *sec)
* If we failed for any reason to produce global
* list of supported enctypes, use local default here.
*/
- if (krb5_enctypes == NULL)
+ if (krb5_enctypes == NULL || limit_to_legacy_enctypes)
maj_stat = gss_set_allowable_enctypes(&min_stat, credh,
&krb5oid, num_enctypes, enctypes);
else
diff --git a/utils/gssd/krb5_util.h b/utils/gssd/krb5_util.h
index b42b91e..cd6e107 100644
--- a/utils/gssd/krb5_util.h
+++ b/utils/gssd/krb5_util.h
@@ -36,6 +36,7 @@ char *gssd_k5_err_msg(krb5_context context, krb5_error_code code);
void gssd_k5_get_default_realm(char **def_realm);
#ifdef HAVE_SET_ALLOWABLE_ENCTYPES
+extern int limit_to_legacy_enctypes;
int limit_krb5_enctypes(struct rpc_gss_sec *sec);
#endif
If this seems reasonable, would you mind giving it a test run to
ensure I have not broken anything? tia..
steved.
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
