gss_krb5: Add upcall info indicating supported kerberos enctypes
authorTrond Myklebust <Trond.Myklebust@netapp.com>
Thu, 8 Apr 2010 18:09:58 +0000 (14:09 -0400)
committerTrond Myklebust <Trond.Myklebust@netapp.com>
Fri, 14 May 2010 19:09:17 +0000 (15:09 -0400)
The text based upcall now indicates which Kerberos encryption types are
supported by the kernel rpcsecgss code.  This is used by gssd to
determine which encryption types it should attempt to negotiate
when creating a context with a server.

The server principal's database and keytab encryption types are
what limits what it should negotiate.  Therefore, its keytab
should be created with only the enctypes listed by this file.

Currently we support des-cbc-crc, des-cbc-md4 and des-cbc-md5.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
include/linux/sunrpc/gss_api.h
net/sunrpc/auth_gss/auth_gss.c
net/sunrpc/auth_gss/gss_krb5_mech.c

index 03f33330ece2d95cf6e49cee2ab69f1c21b05c30..b22d7f189ceb775d2a5e48b406576aa79381444c 100644 (file)
@@ -80,6 +80,8 @@ struct gss_api_mech {
        /* pseudoflavors supported by this mechanism: */
        int                     gm_pf_num;
        struct pf_desc *        gm_pfs;
+       /* Should the following be a callback operation instead? */
+       const char              *gm_upcall_enctypes;
 };
 
 /* and must provide the following operations: */
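Review bot: The new `gm_upcall_enctypes` member is added without a description of what the string must contain, and the comment above it only asks whether it should be a callback; since auth_gss.c in this commit copies the value straight into the upcall message, the header is where its contract belongs. I would replace the comment with `/* Optional token appended verbatim to the v1 upcall line (e.g. "enctypes=3,1,2 "); must end in a space as the token separator and must not contain '%'; NULL if the mechanism advertises none. */`. The "%" caveat follows from the way gss_encode_v1_msg consumes the field, so if that call site is changed to pass the string as data the comment can drop it. The struct gss_api_mech definition starts before this hunk.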
index d64a58b8ed33680ea34078051a9ccd44039562d3..6654c8534d323c5c0afd32e1103b119323c44a24 100644 (file)
@@ -377,11 +377,12 @@ static void gss_encode_v0_msg(struct gss_upcall_msg *gss_msg)
 static void gss_encode_v1_msg(struct gss_upcall_msg *gss_msg,
                                struct rpc_clnt *clnt, int machine_cred)
 {
+       struct gss_api_mech *mech = gss_msg->auth->mech;
        char *p = gss_msg->databuf;
        int len = 0;
 
        gss_msg->msg.len = sprintf(gss_msg->databuf, "mech=%s uid=%d ",
-                                  gss_msg->auth->mech->gm_name,
+                                  mech->gm_name,
                                   gss_msg->uid);
        p += gss_msg->msg.len;
        if (clnt->cl_principal) {
@@ -398,6 +399,11 @@ static void gss_encode_v1_msg(struct gss_upcall_msg *gss_msg,
                p += len;
                gss_msg->msg.len += len;
        }
+       if (mech->gm_upcall_enctypes) {
+               len = sprintf(p, mech->gm_upcall_enctypes);
+               p += len;
+               gss_msg->msg.len += len;
+       }
        len = sprintf(p, "\n");
        gss_msg->msg.len += len;
 
index 8b612e733563e4744f61fa3981e216143d5468bb..03f1dcddbd29d352c3041fbbfd6e7f76e1fcb968 100644 (file)
@@ -552,6 +552,7 @@ static struct gss_api_mech gss_kerberos_mech = {
        .gm_ops         = &gss_kerberos_ops,
        .gm_pf_num      = ARRAY_SIZE(gss_kerberos_pfs),
        .gm_pfs         = gss_kerberos_pfs,
+       .gm_upcall_enctypes = "enctypes=3,1,2 ",
 };
 
 static int __init init_kerberos_module(void)
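Review bot: The literal `"enctypes=3,1,2 "` encodes three enctypes as bare numbers with a trailing space that is a required separator, and nothing near the initializer says what the numbers are or why the space is there; the commit description names the types but the source does not. I would add above the line `/* RFC 3961 enctype numbers: 3 = des-cbc-md5, 1 = des-cbc-crc, 2 = des-cbc-md4; trailing space separates this token from the rest of the upcall line */`. Because gss_encode_v1_msg in net/sunrpc/auth_gss/auth_gss.c hands this string to sprintf as its format argument in this same commit, the comment should also state that the value must not contain `%`. When the kernel grows support for further enctypes this is the list that gssd will negotiate from, so the comment should say that it must be kept in step with what the mechanism actually implements.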