Red Hat Bugzilla – Attachment 763797 Details for Bug 671460: Missing patch to support CVS/GSSAPI with DNS-loadbalanced clusters
[patch] Fix allowing a server to use any key for `cvs' service regardless of the host name
cvs-1.11.23-Allow-CVS-server-to-use-any-Kerberos-key-with-cvs-se.patch (text/plain), 2.91 KB, created by Petr Pisar on 2013-06-21 11:42:08 UTC
>From 142c1abfab215f30bbea84c3eb182a1ad3c16af6 Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> >Date: Fri, 21 Jun 2013 13:01:55 +0200 >Subject: [PATCH] Allow CVS server to use any Kerberos key with cvs service > name >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >This removes restriction for host to be equalled to local hostname. >Previous pinning to hostname prevented from deploying multiple >instaces of a CVS server into a cluster where each node has different >hostname. > ><https://bugzilla.redhat.com/show_bug.cgi?id=671460> ><https://bugzilla.redhat.com/show_bug.cgi?id=722972> > >Signed-off-by: Petr PÃsaÅ <ppisar@redhat.com> >--- > doc/cvs.texinfo | 7 ++++--- > src/server.c | 19 +++---------------- > 2 files changed, 7 insertions(+), 19 deletions(-) > >diff --git a/doc/cvs.texinfo b/doc/cvs.texinfo >index ad3a414..a2847eb 100644 >--- a/doc/cvs.texinfo >+++ b/doc/cvs.texinfo >@@ -2772,9 +2772,10 @@ an empty @file{CVSROOT/passwd} password file, and set > (@pxref{config}). > > The GSSAPI server uses a principal name of >-cvs/@var{hostname}, where @var{hostname} is the >-canonical name of the server host. You will have to >-set this up as required by your GSSAPI mechanism. >+cvs/@var{hostname}, where @var{hostname} cab be any >+name. There is no restriction to cannonical hostname >+to allow DNS-loadbalanced clusters. It assumes your GSSAPI >+mechanism will select a key matching client's request. > > To connect using GSSAPI, use the @samp{:gserver:} method. For > example, >diff --git a/src/server.c b/src/server.c >index 0505ab9..586b5da 100644 >--- a/src/server.c >+++ b/src/server.c 
>@@ -6168,9 +6168,7 @@ error 0 kerberos: can't get local name: %s\n", krb_get_err_text(status)); > static void > gserver_authenticate_connection () > { >- char hostname[MAXHOSTNAMELEN]; > char hbuf[1025]; >- struct addrinfo hints, *res0; > gss_buffer_desc tok_in, tok_out; > char buf[1024]; > char *credbuf; >@@ -6181,23 +6179,12 @@ gserver_authenticate_connection () > int nbytes; > gss_OID mechid; > >- gethostname (hostname, sizeof hostname); >- hostname[sizeof(hostname)-1] = '\0'; >- memset (&hints, 0, sizeof(hints)); >- hints.ai_family = af; >- hints.ai_socktype = SOCK_STREAM; >- hints.ai_flags = AI_CANONNAME; >- if (getaddrinfo (hostname, NULL, &hints, &res0)) >- error (1, 0, "can't get canonical hostname"); >- >- sprintf (buf, "cvs@%s", res0->ai_canonname); >- freeaddrinfo (res0); >- tok_in.value = buf; >- tok_in.length = strlen (buf); >+ tok_in.value = "cvs"; >+ tok_in.length = strlen (tok_in.value); > > if (gss_import_name (&stat_min, &tok_in, GSS_C_NT_HOSTBASED_SERVICE, > &server_name) != GSS_S_COMPLETE) >- error (1, 0, "could not import GSSAPI service name %s", buf); >+ error (1, 0, "could not import GSSAPI service name %s", tok_in.value); > > /* Acquire the server credential to verify the client's > authentication. */ >-- >1.8.1.4 >
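Review bot: the new paragraph in the doc/cvs.texinfo hunk has two typos, "cab be" should be "can be" and "cannonical" should be "canonical". It also drops the removed instruction "You will have to set this up as required by your GSSAPI mechanism" without a replacement. Since the server now accepts any key with the cvs service name, the text should tell the administrator that the keytab needs a cvs/@var{hostname} key for each name clients will request, and that every cvs key present in the keytab becomes acceptable to this server, so keys that are not meant to be honoured on the node should be kept out of it.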
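Review bot: in the second src/server.c hunk, importing the bare name "cvs" with GSS_C_NT_HOSTBASED_SERVICE removes the only place where gserver_authenticate_connection tied the acceptor to a host name, and nothing in the visible lines replaces it with a narrower control or a record of which principal was used. The documentation hunk admits this "assumes your GSSAPI mechanism will select a key matching client's request", so the behaviour depends on the mechanism. Consider making the unpinned name opt-in (for example a configuration setting that keeps the canonical-hostname default) and logging the service principal the context was accepted for, so a cluster node that starts honouring an unexpected cvs key is visible in the logs. As a smaller point, `tok_in.value = "cvs";` stores a string literal in the non-const `value` pointer and then passes that pointer to a `%s` format in error(); a named `static char` array for the service name would avoid both.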