Commit 683ac665 authored by Trond Myklebust's avatar Trond Myklebust

gss_krb5: Add upcall info indicating supported kerberos enctypes

The text based upcall now indicates which Kerberos encryption types are
supported by the kernel rpcsecgss code.  This is used by gssd to
determine which encryption types it should attempt to negotiate
when creating a context with a server.

The server principal's database and keytab encryption types are
what limits what it should negotiate.  Therefore, its keytab
should be created with only the enctypes listed by this file.

Currently we support des-cbc-crc, des-cbc-md4 and des-cbc-md5
Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
parent 47d84807
...@@ -80,6 +80,8 @@ struct gss_api_mech { ...@@ -80,6 +80,8 @@ struct gss_api_mech {
/* pseudoflavors supported by this mechanism: */ /* pseudoflavors supported by this mechanism: */
int gm_pf_num; int gm_pf_num;
struct pf_desc * gm_pfs; struct pf_desc * gm_pfs;
/* Should the following be a callback operation instead? */
const char *gm_upcall_enctypes;
}; };
/* and must provide the following operations: */ /* and must provide the following operations: */
......
...@@ -377,11 +377,12 @@ static void gss_encode_v0_msg(struct gss_upcall_msg *gss_msg) ...@@ -377,11 +377,12 @@ static void gss_encode_v0_msg(struct gss_upcall_msg *gss_msg)
static void gss_encode_v1_msg(struct gss_upcall_msg *gss_msg, static void gss_encode_v1_msg(struct gss_upcall_msg *gss_msg,
struct rpc_clnt *clnt, int machine_cred) struct rpc_clnt *clnt, int machine_cred)
{ {
struct gss_api_mech *mech = gss_msg->auth->mech;
char *p = gss_msg->databuf; char *p = gss_msg->databuf;
int len = 0; int len = 0;
gss_msg->msg.len = sprintf(gss_msg->databuf, "mech=%s uid=%d ", gss_msg->msg.len = sprintf(gss_msg->databuf, "mech=%s uid=%d ",
gss_msg->auth->mech->gm_name, mech->gm_name,
gss_msg->uid); gss_msg->uid);
p += gss_msg->msg.len; p += gss_msg->msg.len;
if (clnt->cl_principal) { if (clnt->cl_principal) {
...@@ -398,6 +399,11 @@ static void gss_encode_v1_msg(struct gss_upcall_msg *gss_msg, ...@@ -398,6 +399,11 @@ static void gss_encode_v1_msg(struct gss_upcall_msg *gss_msg,
p += len; p += len;
gss_msg->msg.len += len; gss_msg->msg.len += len;
} }
if (mech->gm_upcall_enctypes) {
len = sprintf(p, mech->gm_upcall_enctypes);
p += len;
gss_msg->msg.len += len;
}
len = sprintf(p, "\n"); len = sprintf(p, "\n");
gss_msg->msg.len += len; gss_msg->msg.len += len;
......
...@@ -552,6 +552,7 @@ static struct gss_api_mech gss_kerberos_mech = { ...@@ -552,6 +552,7 @@ static struct gss_api_mech gss_kerberos_mech = {
.gm_ops = &gss_kerberos_ops, .gm_ops = &gss_kerberos_ops,
.gm_pf_num = ARRAY_SIZE(gss_kerberos_pfs), .gm_pf_num = ARRAY_SIZE(gss_kerberos_pfs),
.gm_pfs = gss_kerberos_pfs, .gm_pfs = gss_kerberos_pfs,
.gm_upcall_enctypes = "enctypes=3,1,2 ",
}; };
static int __init init_kerberos_module(void) static int __init init_kerberos_module(void)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment