[Midnightbsd-cvs] src [10745] trunk/usr.sbin/gssd/gssd.c: sync with freebsd
laffer1 at midnightbsd.org
laffer1 at midnightbsd.org
Sat Jun 9 18:12:26 EDT 2018
Revision: 10745
http://svnweb.midnightbsd.org/src/?rev=10745
Author: laffer1
Date: 2018-06-09 18:12:25 -0400 (Sat, 09 Jun 2018)
Log Message:
-----------
sync with freebsd
Modified Paths:
--------------
trunk/usr.sbin/gssd/Makefile
trunk/usr.sbin/gssd/gssd.8
trunk/usr.sbin/gssd/gssd.c
Property Changed:
----------------
trunk/usr.sbin/gssd/gssd.8
Modified: trunk/usr.sbin/gssd/Makefile
===================================================================
--- trunk/usr.sbin/gssd/Makefile 2018-06-09 22:12:07 UTC (rev 10744)
+++ trunk/usr.sbin/gssd/Makefile 2018-06-09 22:12:25 UTC (rev 10745)
@@ -1,4 +1,5 @@
# $MidnightBSD$
+# $FreeBSD: stable/10/usr.sbin/gssd/Makefile 245014 2013-01-03 22:24:39Z rmacklem $
.include <bsd.own.mk>
Modified: trunk/usr.sbin/gssd/gssd.8
===================================================================
--- trunk/usr.sbin/gssd/gssd.8 2018-06-09 22:12:07 UTC (rev 10744)
+++ trunk/usr.sbin/gssd/gssd.8 2018-06-09 22:12:25 UTC (rev 10745)
@@ -1,3 +1,4 @@
+.\" $MidnightBSD$
.\" Copyright (c) 2008 Isilon Inc http://www.isilon.com/
.\" Authors: Doug Rabson <dfr at rabson.org>
.\" Developed with Red Inc: Alfred Perlstein <alfred at FreeBSD.org>
@@ -23,9 +24,9 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $MidnightBSD$
+.\" $FreeBSD: stable/10/usr.sbin/gssd/gssd.8 253020 2013-07-08 01:47:50Z rmacklem $
.\"
-.Dd December 30, 2012
+.Dd July 7, 2013
.Dt GSSD 8
.Os
.Sh NAME
@@ -34,6 +35,9 @@
.Sh SYNOPSIS
.Nm
.Op Fl d
+.Op Fl h
+.Op Fl o
+.Op Fl v
.Op Fl s Ar dir-list
.Op Fl c Ar file-substring
.Op Fl r Ar preferred-realm
@@ -43,12 +47,35 @@
program provides support for the kernel GSS-API implementation.
.Pp
The options are as follows:
-.Bl -tag
+.Bl -tag -width indent
.It Fl d
Run in debug mode.
In this mode,
.Nm
will not fork when it starts.
+.It Fl h
+Enable support for host-based initiator credentials.
+This permits a kerberized NFS mount to use a service principal in
+the default Kerberos 5 keytab file for access.
+Such access is enabled via the
+gssname
+option for the
+.Xr mount_nfs 8
+command.
+.It Fl o
+Force use of DES and the associated old style GSS-API initialization token.
+This may be required to make kerberized NFS mounts work against some
+non-FreeBSD NFS servers.
+.It Fl v
+Run in verbose mode.
+In this mode,
+.Nm
+will log activity messages to syslog using LOG_INFO | LOG_DAEMON or to
+stderr, if the
+.Fl d
+option has also been specified.
+The minor status is logged as a decimal number, since it is actually a
+Kerberos return status, which is signed.
.It Fl s Ar dir-list
Look for an appropriate credential cache file in this list of directories.
The list should be full pathnames from root, separated by ':' characters.
@@ -79,7 +106,9 @@
.Sh EXIT STATUS
.Ex -std
.Sh SEE ALSO
-.Xr gssapi 3
+.Xr gssapi 3 ,
+.Xr mount_nfs 8 ,
+.Xr syslog 3
.Sh HISTORY
The
.Nm
Property changes on: trunk/usr.sbin/gssd/gssd.8
___________________________________________________________________
Added: svn:keywords
## -0,0 +1 ##
+MidnightBSD=%H
\ No newline at end of property
Modified: trunk/usr.sbin/gssd/gssd.c
===================================================================
--- trunk/usr.sbin/gssd/gssd.c 2018-06-09 22:12:07 UTC (rev 10744)
+++ trunk/usr.sbin/gssd/gssd.c 2018-06-09 22:12:25 UTC (rev 10745)
@@ -1,3 +1,4 @@
+/* $MidnightBSD$ */
/*-
* Copyright (c) 2008 Isilon Inc http://www.isilon.com/
* Authors: Doug Rabson <dfr at rabson.org>
@@ -26,7 +27,7 @@
*/
#include <sys/cdefs.h>
-__MBSDID("$MidnightBSD$");
+__FBSDID("$FreeBSD: stable/10/usr.sbin/gssd/gssd.c 293446 2016-01-08 23:58:32Z jpaetzel $");
#include <sys/param.h>
#include <sys/stat.h>
@@ -42,6 +43,8 @@
#include <krb5.h>
#endif
#include <pwd.h>
+#include <signal.h>
+#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -58,6 +61,7 @@
#ifndef _PATH_GSSDSOCK
#define _PATH_GSSDSOCK "/var/run/gssd.sock"
#endif
+#define GSSD_CREDENTIAL_CACHE_FILE "/tmp/krb5cc_gssd"
struct gss_resource {
LIST_ENTRY(gss_resource) gr_link;
@@ -71,10 +75,30 @@
int debug_level;
static char ccfile_dirlist[PATH_MAX + 1], ccfile_substring[NAME_MAX + 1];
static char pref_realm[1024];
+static int verbose;
+static int use_old_des;
+static int hostbased_initiator_cred;
+#ifndef WITHOUT_KERBEROS
+/* 1.2.752.43.13.14 */
+static gss_OID_desc gss_krb5_set_allowable_enctypes_x_desc =
+{6, (void *) "\x2a\x85\x70\x2b\x0d\x0e"};
+static gss_OID GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X =
+ &gss_krb5_set_allowable_enctypes_x_desc;
+static gss_OID_desc gss_krb5_mech_oid_x_desc =
+{9, (void *) "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" };
+static gss_OID GSS_KRB5_MECH_OID_X =
+ &gss_krb5_mech_oid_x_desc;
+#endif
static void gssd_load_mech(void);
static int find_ccache_file(const char *, uid_t, char *);
static int is_a_valid_tgt_cache(const char *, uid_t, int *, time_t *);
+static void gssd_verbose_out(const char *, ...);
+#ifndef WITHOUT_KERBEROS
+static krb5_error_code gssd_get_cc_from_keytab(const char *);
+static OM_uint32 gssd_get_user_cred(OM_uint32 *, uid_t, gss_cred_id_t *);
+#endif
+void gssd_terminate(int);
extern void gssd_1(struct svc_req *rqstp, SVCXPRT *transp);
extern int gssd_syscall(char *path);
@@ -99,11 +123,38 @@
ccfile_dirlist[0] = '\0';
pref_realm[0] = '\0';
debug = 0;
- while ((ch = getopt(argc, argv, "ds:c:r:")) != -1) {
+ verbose = 0;
+ while ((ch = getopt(argc, argv, "dhovs:c:r:")) != -1) {
switch (ch) {
case 'd':
debug_level++;
break;
+ case 'h':
+#ifndef WITHOUT_KERBEROS
+ /*
+ * Enable use of a host based initiator credential
+ * in the default keytab file.
+ */
+ hostbased_initiator_cred = 1;
+#else
+ errx(1, "This option not available when built"
+ " without MK_KERBEROS\n");
+#endif
+ break;
+ case 'o':
+#ifndef WITHOUT_KERBEROS
+ /*
+ * Force use of DES and the old type of GSSAPI token.
+ */
+ use_old_des = 1;
+#else
+ errx(1, "This option not available when built"
+ " without MK_KERBEROS\n");
+#endif
+ break;
+ case 'v':
+ verbose = 1;
+ break;
case 's':
#ifndef WITHOUT_KERBEROS
/*
@@ -142,8 +193,13 @@
gssd_load_mech();
- if (!debug_level)
+ if (!debug_level) {
daemon(0, 0);
+ signal(SIGINT, SIG_IGN);
+ signal(SIGQUIT, SIG_IGN);
+ signal(SIGHUP, SIG_IGN);
+ }
+ signal(SIGTERM, gssd_terminate);
memset(&sun, 0, sizeof sun);
sun.sun_family = AF_LOCAL;
@@ -198,6 +254,7 @@
gssd_syscall(_PATH_GSSDSOCK);
svc_run();
+ gssd_syscall("");
return (0);
}
@@ -299,10 +356,26 @@
}
}
+static void
+gssd_verbose_out(const char *fmt, ...)
+{
+ va_list ap;
+
+ if (verbose != 0) {
+ va_start(ap, fmt);
+ if (debug_level == 0)
+ vsyslog(LOG_INFO | LOG_DAEMON, fmt, ap);
+ else
+ vfprintf(stderr, fmt, ap);
+ va_end(ap);
+ }
+}
+
bool_t
gssd_null_1_svc(void *argp, void *result, struct svc_req *rqstp)
{
+ gssd_verbose_out("gssd_null: done\n");
return (TRUE);
}
@@ -313,11 +386,28 @@
gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
gss_name_t name = GSS_C_NO_NAME;
char ccname[PATH_MAX + 5 + 1], *cp, *cp2;
- int gotone;
+ int gotone, gotcred;
+ OM_uint32 min_stat;
+#ifndef WITHOUT_KERBEROS
+ gss_buffer_desc principal_desc;
+ char enctype[sizeof(uint32_t)];
+ int key_enctype;
+ OM_uint32 maj_stat;
+#endif
memset(result, 0, sizeof(*result));
- if (ccfile_dirlist[0] != '\0' && argp->cred == 0) {
+ if (hostbased_initiator_cred != 0 && argp->cred != 0 &&
+ argp->uid == 0) {
/*
+ * These credentials are for a host based initiator name
+ * in a keytab file, which should now have credentials
+ * in /tmp/krb5cc_gssd, because gss_acquire_cred() did
+ * the equivalent of "kinit -k".
+ */
+ snprintf(ccname, sizeof(ccname), "FILE:%s",
+ GSSD_CREDENTIAL_CACHE_FILE);
+ } else if (ccfile_dirlist[0] != '\0' && argp->cred == 0) {
+ /*
* For the "-s" case and no credentials provided as an
* argument, search the directory list for an appropriate
* credential cache file. If the search fails, return failure.
@@ -337,6 +427,9 @@
} while (cp != NULL && *cp != '\0');
if (gotone == 0) {
result->major_status = GSS_S_CREDENTIALS_EXPIRED;
+ gssd_verbose_out("gssd_init_sec_context: -s no"
+ " credential cache file found for uid=%d\n",
+ (int)argp->uid);
return (TRUE);
}
} else {
@@ -362,6 +455,8 @@
cred = gssd_find_resource(argp->cred);
if (!cred) {
result->major_status = GSS_S_CREDENTIALS_EXPIRED;
+ gssd_verbose_out("gssd_init_sec_context: cred"
+ " resource not found\n");
return (TRUE);
}
}
@@ -369,6 +464,8 @@
ctx = gssd_find_resource(argp->ctx);
if (!ctx) {
result->major_status = GSS_S_CONTEXT_EXPIRED;
+ gssd_verbose_out("gssd_init_sec_context: context"
+ " resource not found\n");
return (TRUE);
}
}
@@ -376,15 +473,61 @@
name = gssd_find_resource(argp->name);
if (!name) {
result->major_status = GSS_S_BAD_NAME;
+ gssd_verbose_out("gssd_init_sec_context: name"
+ " resource not found\n");
return (TRUE);
}
}
+ gotcred = 0;
+#ifndef WITHOUT_KERBEROS
+ if (use_old_des != 0) {
+ if (cred == GSS_C_NO_CREDENTIAL) {
+ /* Acquire a credential for the uid. */
+ maj_stat = gssd_get_user_cred(&min_stat, argp->uid,
+ &cred);
+ if (maj_stat == GSS_S_COMPLETE)
+ gotcred = 1;
+ else
+ gssd_verbose_out("gssd_init_sec_context: "
+ "get user cred failed uid=%d major=0x%x "
+ "minor=%d\n", (int)argp->uid,
+ (unsigned int)maj_stat, (int)min_stat);
+ }
+ if (cred != GSS_C_NO_CREDENTIAL) {
+ key_enctype = ETYPE_DES_CBC_CRC;
+ enctype[0] = (key_enctype >> 24) & 0xff;
+ enctype[1] = (key_enctype >> 16) & 0xff;
+ enctype[2] = (key_enctype >> 8) & 0xff;
+ enctype[3] = key_enctype & 0xff;
+ principal_desc.length = sizeof(enctype);
+ principal_desc.value = enctype;
+ result->major_status = gss_set_cred_option(
+ &result->minor_status, &cred,
+ GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X,
+ &principal_desc);
+ gssd_verbose_out("gssd_init_sec_context: set allowable "
+ "enctype major=0x%x minor=%d\n",
+ (unsigned int)result->major_status,
+ (int)result->minor_status);
+ if (result->major_status != GSS_S_COMPLETE) {
+ if (gotcred != 0)
+ gss_release_cred(&min_stat, &cred);
+ return (TRUE);
+ }
+ }
+ }
+#endif
result->major_status = gss_init_sec_context(&result->minor_status,
cred, &ctx, name, argp->mech_type,
argp->req_flags, argp->time_req, argp->input_chan_bindings,
&argp->input_token, &result->actual_mech_type,
&result->output_token, &result->ret_flags, &result->time_rec);
+ gssd_verbose_out("gssd_init_sec_context: done major=0x%x minor=%d"
+ " uid=%d\n", (unsigned int)result->major_status,
+ (int)result->minor_status, (int)argp->uid);
+ if (gotcred != 0)
+ gss_release_cred(&min_stat, &cred);
if (result->major_status == GSS_S_COMPLETE
|| result->major_status == GSS_S_CONTINUE_NEEDED) {
@@ -410,6 +553,8 @@
ctx = gssd_find_resource(argp->ctx);
if (!ctx) {
result->major_status = GSS_S_CONTEXT_EXPIRED;
+ gssd_verbose_out("gssd_accept_sec_context: ctx"
+ " resource not found\n");
return (TRUE);
}
}
@@ -417,6 +562,8 @@
cred = gssd_find_resource(argp->cred);
if (!cred) {
result->major_status = GSS_S_CREDENTIALS_EXPIRED;
+ gssd_verbose_out("gssd_accept_sec_context: cred"
+ " resource not found\n");
return (TRUE);
}
}
@@ -427,6 +574,8 @@
&src_name, &result->mech_type, &result->output_token,
&result->ret_flags, &result->time_rec,
&delegated_cred_handle);
+ gssd_verbose_out("gssd_accept_sec_context: done major=0x%x minor=%d\n",
+ (unsigned int)result->major_status, (int)result->minor_status);
if (result->major_status == GSS_S_COMPLETE
|| result->major_status == GSS_S_CONTINUE_NEEDED) {
@@ -455,6 +604,8 @@
result->major_status = GSS_S_COMPLETE;
result->minor_status = 0;
}
+ gssd_verbose_out("gssd_delete_sec_context: done major=0x%x minor=%d\n",
+ (unsigned int)result->major_status, (int)result->minor_status);
return (TRUE);
}
@@ -476,6 +627,8 @@
result->interprocess_token.length = 0;
result->interprocess_token.value = NULL;
}
+ gssd_verbose_out("gssd_export_sec_context: done major=0x%x minor=%d\n",
+ (unsigned int)result->major_status, (int)result->minor_status);
return (TRUE);
}
@@ -487,6 +640,8 @@
result->major_status = gss_import_name(&result->minor_status,
&argp->input_name_buffer, argp->input_name_type, &name);
+ gssd_verbose_out("gssd_import_name: done major=0x%x minor=%d\n",
+ (unsigned int)result->major_status, (int)result->minor_status);
if (result->major_status == GSS_S_COMPLETE)
result->output_name = gssd_make_resource(name);
@@ -510,6 +665,8 @@
result->major_status = gss_canonicalize_name(&result->minor_status,
name, argp->mech_type, &output_name);
+ gssd_verbose_out("gssd_canonicalize_name: done major=0x%x minor=%d\n",
+ (unsigned int)result->major_status, (int)result->minor_status);
if (result->major_status == GSS_S_COMPLETE)
result->output_name = gssd_make_resource(output_name);
@@ -527,11 +684,14 @@
memset(result, 0, sizeof(*result));
if (!name) {
result->major_status = GSS_S_BAD_NAME;
+ gssd_verbose_out("gssd_export_name: name resource not found\n");
return (TRUE);
}
result->major_status = gss_export_name(&result->minor_status,
name, &result->exported_name);
+ gssd_verbose_out("gssd_export_name: done major=0x%x minor=%d\n",
+ (unsigned int)result->major_status, (int)result->minor_status);
return (TRUE);
}
@@ -549,6 +709,8 @@
result->major_status = GSS_S_COMPLETE;
result->minor_status = 0;
}
+ gssd_verbose_out("gssd_release_name: done major=0x%x minor=%d\n",
+ (unsigned int)result->major_status, (int)result->minor_status);
return (TRUE);
}
@@ -590,8 +752,8 @@
buflen_hint = buflen;
}
if (pw) {
- int len = NGRPS;
- int groups[NGRPS];
+ int len = NGROUPS;
+ int groups[NGROUPS];
result->gid = pw->pw_gid;
getgrouplist(pw->pw_name, pw->pw_gid,
groups, &len);
@@ -600,17 +762,27 @@
mem_alloc(len * sizeof(int));
memcpy(result->gidlist.gidlist_val, groups,
len * sizeof(int));
+ gssd_verbose_out("gssd_pname_to_uid: mapped"
+ " to uid=%d, gid=%d\n", (int)result->uid,
+ (int)result->gid);
} else {
result->gid = 65534;
result->gidlist.gidlist_len = 0;
result->gidlist.gidlist_val = NULL;
+ gssd_verbose_out("gssd_pname_to_uid: mapped"
+ " to uid=%d, but no groups\n",
+ (int)result->uid);
}
if (bufp != NULL && buflen > sizeof(buf))
free(bufp);
- }
+ } else
+ gssd_verbose_out("gssd_pname_to_uid: failed major=0x%x"
+ " minor=%d\n", (unsigned int)result->major_status,
+ (int)result->minor_status);
} else {
result->major_status = GSS_S_BAD_NAME;
result->minor_status = 0;
+ gssd_verbose_out("gssd_pname_to_uid: no name\n");
}
return (TRUE);
@@ -623,8 +795,58 @@
gss_cred_id_t cred;
char ccname[PATH_MAX + 5 + 1], *cp, *cp2;
int gotone;
+#ifndef WITHOUT_KERBEROS
+ gss_buffer_desc namebuf;
+ uint32_t minstat;
+ krb5_error_code kret;
+#endif
memset(result, 0, sizeof(*result));
+ if (argp->desired_name) {
+ desired_name = gssd_find_resource(argp->desired_name);
+ if (!desired_name) {
+ result->major_status = GSS_S_BAD_NAME;
+ gssd_verbose_out("gssd_acquire_cred: no desired name"
+ " found\n");
+ return (TRUE);
+ }
+ }
+
+#ifndef WITHOUT_KERBEROS
+ if (hostbased_initiator_cred != 0 && argp->desired_name != 0 &&
+ argp->uid == 0 && argp->cred_usage == GSS_C_INITIATE) {
+ /* This is a host based initiator name in the keytab file. */
+ snprintf(ccname, sizeof(ccname), "FILE:%s",
+ GSSD_CREDENTIAL_CACHE_FILE);
+ setenv("KRB5CCNAME", ccname, TRUE);
+ result->major_status = gss_display_name(&result->minor_status,
+ desired_name, &namebuf, NULL);
+ gssd_verbose_out("gssd_acquire_cred: desired name for host "
+ "based initiator cred major=0x%x minor=%d\n",
+ (unsigned int)result->major_status,
+ (int)result->minor_status);
+ if (result->major_status != GSS_S_COMPLETE)
+ return (TRUE);
+ if (namebuf.length > PATH_MAX + 5) {
+ result->minor_status = 0;
+ result->major_status = GSS_S_FAILURE;
+ return (TRUE);
+ }
+ memcpy(ccname, namebuf.value, namebuf.length);
+ ccname[namebuf.length] = '\0';
+ if ((cp = strchr(ccname, '@')) != NULL)
+ *cp = '/';
+ kret = gssd_get_cc_from_keytab(ccname);
+ gssd_verbose_out("gssd_acquire_cred: using keytab entry for "
+ "%s, kerberos ret=%d\n", ccname, (int)kret);
+ gss_release_buffer(&minstat, &namebuf);
+ if (kret != 0) {
+ result->minor_status = kret;
+ result->major_status = GSS_S_FAILURE;
+ return (TRUE);
+ }
+ } else
+#endif /* !WITHOUT_KERBEROS */
if (ccfile_dirlist[0] != '\0' && argp->desired_name == 0) {
/*
* For the "-s" case and no name provided as an
@@ -646,8 +868,11 @@
} while (cp != NULL && *cp != '\0');
if (gotone == 0) {
result->major_status = GSS_S_CREDENTIALS_EXPIRED;
+ gssd_verbose_out("gssd_acquire_cred: no cred cache"
+ " file found\n");
return (TRUE);
}
+ setenv("KRB5CCNAME", ccname, TRUE);
} else {
/*
* If there wasn't a "-s" option or the name has
@@ -665,20 +890,14 @@
}
snprintf(ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%d",
(int) argp->uid);
+ setenv("KRB5CCNAME", ccname, TRUE);
}
- setenv("KRB5CCNAME", ccname, TRUE);
- if (argp->desired_name) {
- desired_name = gssd_find_resource(argp->desired_name);
- if (!desired_name) {
- result->major_status = GSS_S_BAD_NAME;
- return (TRUE);
- }
- }
-
result->major_status = gss_acquire_cred(&result->minor_status,
desired_name, argp->time_req, argp->desired_mechs,
argp->cred_usage, &cred, &result->actual_mechs, &result->time_rec);
+ gssd_verbose_out("gssd_acquire_cred: done major=0x%x minor=%d\n",
+ (unsigned int)result->major_status, (int)result->minor_status);
if (result->major_status == GSS_S_COMPLETE)
result->output_cred = gssd_make_resource(cred);
@@ -696,11 +915,14 @@
memset(result, 0, sizeof(*result));
if (!cred) {
result->major_status = GSS_S_CREDENTIALS_EXPIRED;
+ gssd_verbose_out("gssd_set_cred: no credentials\n");
return (TRUE);
}
result->major_status = gss_set_cred_option(&result->minor_status,
&cred, argp->option_name, &argp->option_value);
+ gssd_verbose_out("gssd_set_cred: done major=0x%x minor=%d\n",
+ (unsigned int)result->major_status, (int)result->minor_status);
return (TRUE);
}
@@ -718,6 +940,8 @@
result->major_status = GSS_S_COMPLETE;
result->minor_status = 0;
}
+ gssd_verbose_out("gssd_release_cred: done major=0x%x minor=%d\n",
+ (unsigned int)result->major_status, (int)result->minor_status);
return (TRUE);
}
@@ -730,6 +954,8 @@
result->major_status = gss_display_status(&result->minor_status,
argp->status_value, argp->status_type, argp->mech_type,
&result->message_context, &result->status_string);
+ gssd_verbose_out("gssd_display_status: done major=0x%x minor=%d\n",
+ (unsigned int)result->major_status, (int)result->minor_status);
return (TRUE);
}
@@ -803,6 +1029,8 @@
len = snprintf(namepath, sizeof(namepath), "%s/%s", dirpath,
dp->d_name);
if (len < sizeof(namepath) &&
+ (hostbased_initiator_cred == 0 || strcmp(namepath,
+ GSSD_CREDENTIAL_CACHE_FILE) != 0) &&
strstr(dp->d_name, ccfile_substring) != NULL &&
lstat(namepath, &sb) >= 0 &&
sb.st_uid == uid &&
@@ -949,3 +1177,116 @@
#endif /* !WITHOUT_KERBEROS */
}
+#ifndef WITHOUT_KERBEROS
+/*
+ * This function attempts to do essentially a "kinit -k" for the principal
+ * name provided as the argument, so that there will be a TGT in the
+ * credential cache.
+ */
+static krb5_error_code
+gssd_get_cc_from_keytab(const char *name)
+{
+ krb5_error_code ret, opt_ret, princ_ret, cc_ret, kt_ret, cred_ret;
+ krb5_context context;
+ krb5_principal principal;
+ krb5_keytab kt;
+ krb5_creds cred;
+ krb5_get_init_creds_opt *opt;
+ krb5_deltat start_time = 0;
+ krb5_ccache ccache;
+
+ ret = krb5_init_context(&context);
+ if (ret != 0)
+ return (ret);
+ opt_ret = cc_ret = kt_ret = cred_ret = 1; /* anything non-zero */
+ princ_ret = ret = krb5_parse_name(context, name, &principal);
+ if (ret == 0)
+ opt_ret = ret = krb5_get_init_creds_opt_alloc(context, &opt);
+ if (ret == 0)
+ cc_ret = ret = krb5_cc_default(context, &ccache);
+ if (ret == 0)
+ ret = krb5_cc_initialize(context, ccache, principal);
+ if (ret == 0) {
+ krb5_get_init_creds_opt_set_default_flags(context, "gssd",
+ krb5_principal_get_realm(context, principal), opt);
+ kt_ret = ret = krb5_kt_default(context, &kt);
+ }
+ if (ret == 0)
+ cred_ret = ret = krb5_get_init_creds_keytab(context, &cred,
+ principal, kt, start_time, NULL, opt);
+ if (ret == 0)
+ ret = krb5_cc_store_cred(context, ccache, &cred);
+ if (kt_ret == 0)
+ krb5_kt_close(context, kt);
+ if (cc_ret == 0)
+ krb5_cc_close(context, ccache);
+ if (opt_ret == 0)
+ krb5_get_init_creds_opt_free(context, opt);
+ if (princ_ret == 0)
+ krb5_free_principal(context, principal);
+ if (cred_ret == 0)
+ krb5_free_cred_contents(context, &cred);
+ krb5_free_context(context);
+ return (ret);
+}
+
+/*
+ * Acquire a gss credential for a uid.
+ */
+static OM_uint32
+gssd_get_user_cred(OM_uint32 *min_statp, uid_t uid, gss_cred_id_t *credp)
+{
+ gss_buffer_desc principal_desc;
+ gss_name_t name;
+ OM_uint32 maj_stat, min_stat;
+ gss_OID_set mechlist;
+ struct passwd *pw;
+
+ pw = getpwuid(uid);
+ if (pw == NULL) {
+ *min_statp = 0;
+ return (GSS_S_FAILURE);
+ }
+
+ /*
+ * The mechanism must be set to KerberosV for acquisition
+ * of credentials to work reliably.
+ */
+ maj_stat = gss_create_empty_oid_set(min_statp, &mechlist);
+ if (maj_stat != GSS_S_COMPLETE)
+ return (maj_stat);
+ maj_stat = gss_add_oid_set_member(min_statp, GSS_KRB5_MECH_OID_X,
+ &mechlist);
+ if (maj_stat != GSS_S_COMPLETE) {
+ gss_release_oid_set(&min_stat, &mechlist);
+ return (maj_stat);
+ }
+
+ principal_desc.value = (void *)pw->pw_name;
+ principal_desc.length = strlen(pw->pw_name);
+ maj_stat = gss_import_name(min_statp, &principal_desc,
+ GSS_C_NT_USER_NAME, &name);
+ if (maj_stat != GSS_S_COMPLETE) {
+ gss_release_oid_set(&min_stat, &mechlist);
+ return (maj_stat);
+ }
+ /* Acquire the credentials. */
+ maj_stat = gss_acquire_cred(min_statp, name, 0, mechlist,
+ GSS_C_INITIATE, credp, NULL, NULL);
+ gss_release_name(&min_stat, &name);
+ gss_release_oid_set(&min_stat, &mechlist);
+ return (maj_stat);
+}
+#endif /* !WITHOUT_KERBEROS */
+
+void gssd_terminate(int sig __unused)
+{
+
+#ifndef WITHOUT_KERBEROS
+ if (hostbased_initiator_cred != 0)
+ unlink(GSSD_CREDENTIAL_CACHE_FILE);
+#endif
+ gssd_syscall("");
+ exit(0);
+}
+
More information about the Midnightbsd-cvs
mailing list