Red Hat Bugzilla – Attachment 764601 Details for Bug 671460: Missing patch to support CVS/GSSAPI with DNS-loadbalanced clusters
[patch] Fix allowing a server to use any key for `cvs' service regardless of the host name
cvs-1.11.23-Allow-CVS-server-to-use-any-Kerberos-key-with-cvs-se.patch (text/plain), 3.01 KB, created by Petr Pisar on 2013-06-24 13:13:13 UTC
>From 8a186b2754997ed35f8a88d11457699517dd737c Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> >Date: Fri, 21 Jun 2013 13:01:55 +0200 >Subject: [PATCH] Allow CVS server to use any Kerberos key with cvs service > name >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >This removes restriction for host to be equalled to local hostname. >Previous pinning to hostname prevented from deploying multiple >instances of a CVS server into a cluster where each node has different >hostname. > ><https://bugzilla.redhat.com/show_bug.cgi?id=671460> ><https://bugzilla.redhat.com/show_bug.cgi?id=722972> > >Signed-off-by: Petr PÃsaÅ <ppisar@redhat.com> >--- > doc/cvs.texinfo | 8 ++++---- > src/server.c | 19 +++---------------- > 2 files changed, 7 insertions(+), 20 deletions(-) > >diff --git a/doc/cvs.texinfo b/doc/cvs.texinfo >index ad3a414..3c7796a 100644 >--- a/doc/cvs.texinfo >+++ b/doc/cvs.texinfo >@@ -2771,10 +2771,10 @@ an empty @file{CVSROOT/passwd} password file, and set > @code{SystemAuth=no} in the config file > (@pxref{config}). > >-The GSSAPI server uses a principal name of >-cvs/@var{hostname}, where @var{hostname} is the >-canonical name of the server host. You will have to >-set this up as required by your GSSAPI mechanism. >+The GSSAPI server uses a principal name of cvs/@var{hostname}, where >+@var{hostname} can be any name. There is no restriction to canonical >+hostname to allow DNS load-balanced clusters. It assumes your GSSAPI >+mechanism can select a key with a host name matching client's request. > > To connect using GSSAPI, use the @samp{:gserver:} method. For > example, >diff --git a/src/server.c b/src/server.c >index 0505ab9..586b5da 100644 >--- a/src/server.c >+++ b/src/server.c 
>@@ -6168,9 +6168,7 @@ error 0 kerberos: can't get local name: %s\n", krb_get_err_text(status)); > static void > gserver_authenticate_connection () > { >- char hostname[MAXHOSTNAMELEN]; > char hbuf[1025]; >- struct addrinfo hints, *res0; > gss_buffer_desc tok_in, tok_out; > char buf[1024]; > char *credbuf; >@@ -6181,23 +6179,12 @@ gserver_authenticate_connection () > int nbytes; > gss_OID mechid; > >- gethostname (hostname, sizeof hostname); >- hostname[sizeof(hostname)-1] = '\0'; >- memset (&hints, 0, sizeof(hints)); >- hints.ai_family = af; >- hints.ai_socktype = SOCK_STREAM; >- hints.ai_flags = AI_CANONNAME; >- if (getaddrinfo (hostname, NULL, &hints, &res0)) >- error (1, 0, "can't get canonical hostname"); >- >- sprintf (buf, "cvs@%s", res0->ai_canonname); >- freeaddrinfo (res0); >- tok_in.value = buf; >- tok_in.length = strlen (buf); >+ tok_in.value = "cvs"; >+ tok_in.length = strlen (tok_in.value); > > if (gss_import_name (&stat_min, &tok_in, GSS_C_NT_HOSTBASED_SERVICE, > &server_name) != GSS_S_COMPLETE) >- error (1, 0, "could not import GSSAPI service name %s", buf); >+ error (1, 0, "could not import GSSAPI service name %s", tok_in.value); > > /* Acquire the server credential to verify the client's > authentication. */ >-- >1.8.1.4 >
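Review bot: In the doc/cvs.texinfo hunk, the new sentence "It assumes your GSSAPI mechanism can select a key with a host name matching client's request" leaves the administrator without the one instruction the removed text gave, namely what to set up. Suggest stating that the server must hold a cvs/@var{hostname} key for every name clients connect to, and that it will accept authentication against any of those keys. "@var{hostname} can be any name" would read more precisely as "any name for which the server holds a key", and "matching client's request" needs an article: "matching the client's request".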
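Review bot: In the second src/server.c hunk, `tok_in.value = "cvs";` imports the service name with no host part, and nothing at that spot says the omission is deliberate; the only explanation is in the commit message. Suggest a short comment above the assignment stating that the host is left out on purpose so the GSSAPI mechanism picks the key matching the client's request, since a later reader could take it for a bug and restore the hostname lookup. Separately, `tok_in.value` is a `void *`, so passing it to `strlen` and to the `%s` in `error (1, 0, "could not import GSSAPI service name %s", tok_in.value)` relies on implicit conversion; a `static const char service[] = "cvs";` used for the length and the message would avoid both that and pointing a non-const buffer field at a string literal.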