NFS krb5 host based initiator credential patch
Rick Macklem
rmacklem at uoguelph.ca
Sun Dec 23 00:10:39 UTC 2012
Hi,
For a long time, I've had a patch that adds support
for host based credentials in a keytab file to the
kerberized NFS client. Unfortunately, it only worked
if the kind of encryption used to create the keytab
entry was explicitly set via a sysctl. Because of this
dfr@ understandably didn't want it committed. Also, the
patch had a bug which caused crashes when the initial
use of the credential failed for any reason.
I now finally have a patch that doesn't require
explicit setting of the encryption type to make it work.
(It does essentially a "kinit -k" to acquire a TGT and
put it in a credential cache, which is then used by
gss_init_sec_context().)
I'd appreciate testing and review of this patch.
It can be found at:
http://people.freebsd.org/~rmacklem/rpcsec_gss-hostbased-initiator.patch
This patch should apply to the files in -current.
If the patch doesn't apply cleanly, you can find
patched copies of the files here. (These should be
buildable in any 9.0 or later system, I think?)
http://people.freebsd.org/~rmacklem/rpcsec_gss-hostbased-initiator-patched-files
The patch has worked ok for me for some testing, but
I have only used a des-cbc-crc encrypted keytab entry.
(I believe other encryption types should work, so long
as they result in an 8 byte session key, but I haven't
tested this and suggest testers start with des-cbc-crc.)
rick
ps: RPCSEC_GSS version 1 uses des-cbc encryption for krb5p,
so stronger encryption for the keytab entry probably
doesn't make any difference.
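As an added example, not part of Rick's patch or of the FreeBSD sources: a small POSIX shell check a tester could run before trying the patch, to confirm which encryption types the client's NFS host principal has in its keytab and whether a des-cbc-crc entry (the only type Rick tested) is present. The `klist -k -e` output it parses is constructed here and assumes the MIT-style column layout (KVNO, principal, enctype in parentheses); the principal and realm names are placeholders.

```shell
#!/bin/sh
# Added example: pre-test keytab check for a kerberized NFS client.
# Parses `klist -k -e` style output and reports the enctypes present for
# the NFS host principal. Not part of the patch under discussion.

# Constructed sample of `klist -k -e` output (MIT layout assumed); on a
# real client this would come from /etc/krb5.keytab.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/client.example.org@EXAMPLE.ORG (des-cbc-crc)
   3 nfs/client.example.org@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
   2 host/client.example.org@EXAMPLE.ORG (des-cbc-crc)'

# keytab_enctypes PRINCIPAL_PREFIX KLIST_OUTPUT
# Prints one enctype per line for every entry whose principal starts with
# PRINCIPAL_PREFIX (e.g. "nfs/client.example.org@"). Header and separator
# lines are skipped because their first field is not a numeric KVNO.
keytab_enctypes() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 ~ /^[0-9]+$/ && index($2, p) == 1 {
            e = $3; gsub(/[()]/, "", e); print e
        }'
}

# keytab_check PRINCIPAL_PREFIX KLIST_OUTPUT
# Returns 0 if a des-cbc-crc entry exists for the principal, 1 if the
# principal has entries but none is des-cbc-crc, 2 if it has no entries.
keytab_check() {
    enctypes=$(keytab_enctypes "$1" "$2")
    [ -n "$enctypes" ] || { echo "no keytab entry for $1"; return 2; }
    status=1
    for e in $enctypes; do
        case "$e" in
            des-cbc-crc)
                echo "$e: present (the enctype the patch was tested with)"
                status=0 ;;
            des-cbc-md5|des-cbc-md4)
                echo "$e: DES enctype with an 8 byte key, untested" ;;
            *)
                echo "$e: not a DES enctype, untested with this patch" ;;
        esac
    done
    return $status
}

# Usage: check the NFS host principal in the constructed sample.
keytab_check "nfs/client.example.org@" "$SAMPLE_KLIST"
```

On a real client, replace `SAMPLE_KLIST` with `$(klist -k -e)` and the prefix with the client's own `nfs/<fqdn>@` principal; a non-zero exit tells the tester to add a des-cbc-crc entry before reporting results against this patch.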