svn commit: r252674 - stable/9/usr.sbin/gssd

Thu Jul 4 01:15:44 UTC 2013

Author: rmacklem
Date: Thu Jul  4 01:15:44 2013
New Revision: 252674
URL: http://svnweb.freebsd.org/changeset/base/252674

Log:
  MFC: r252138
  Add a new "-o" option to the gssd which forces gss_init_sec_context()
  to use DES and the associated old style GSS initialization token.
  This appears to be required for some non-FreeBSD servers to
  get a kerberized NFS mount to work. Also, ignore some signals when daemonized,
  which might fix the gssd from "disappearing" without leaving a core dump.
  Given the tight timeframe for the FreeBSD9.2 release, I have
  committed this while waiting for code review. I will commit
  changes recommended by the review in a separate commit.

Modified:
  stable/9/usr.sbin/gssd/gssd.c
Directory Properties:
  stable/9/usr.sbin/gssd/   (props changed)

Modified: stable/9/usr.sbin/gssd/gssd.c
==============================================================================

--- stable/9/usr.sbin/gssd/gssd.c	Thu Jul  4 00:54:23 2013	(r252673)
+++ stable/9/usr.sbin/gssd/gssd.c	Thu Jul  4 01:15:44 2013	(r252674)
@@ -42,6 +42,7 @@ __FBSDID("$FreeBSD$");
 #include <krb5.h>
 #endif
 #include <pwd.h>
+#include <signal.h>
 #include <stdarg.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -73,11 +74,26 @@ int debug_level;
 static char ccfile_dirlist[PATH_MAX + 1], ccfile_substring[NAME_MAX + 1];
 static char pref_realm[1024];
 static int verbose;
+static int use_old_des;
+#ifndef WITHOUT_KERBEROS
+/* 1.2.752.43.13.14 */
+static gss_OID_desc gss_krb5_set_allowable_enctypes_x_desc =
+{6, (void *) "\x2a\x85\x70\x2b\x0d\x0e"};
+static gss_OID GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X =
+    &gss_krb5_set_allowable_enctypes_x_desc;
+static gss_OID_desc gss_krb5_mech_oid_x_desc =
+{9, (void *) "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" };
+static gss_OID GSS_KRB5_MECH_OID_X =
+    &gss_krb5_mech_oid_x_desc;
+#endif
 
 static void gssd_load_mech(void);
 static int find_ccache_file(const char *, uid_t, char *);
 static int is_a_valid_tgt_cache(const char *, uid_t, int *, time_t *);
 static void gssd_verbose_out(const char *, ...);
+#ifndef WITHOUT_KERBEROS
+static OM_uint32 gssd_get_user_cred(OM_uint32 *, uid_t, gss_cred_id_t *);
+#endif
 
 extern void gssd_1(struct svc_req *rqstp, SVCXPRT *transp);
 extern int gssd_syscall(char *path);
@@ -103,11 +119,22 @@ main(int argc, char **argv)
 	pref_realm[0] = '\0';
 	debug = 0;
 	verbose = 0;
-	while ((ch = getopt(argc, argv, "dvs:c:r:")) != -1) {
+	while ((ch = getopt(argc, argv, "dovs:c:r:")) != -1) {
 		switch (ch) {
 		case 'd':
 			debug_level++;
 			break;
+		case 'o':
+#ifndef WITHOUT_KERBEROS
+			/*
+			 * Force use of DES and the old type of GSSAPI token.
+			 */
+			use_old_des = 1;
+#else
+			errx(1, "This option not available when built"
+			    " without MK_KERBEROS\n");
+#endif
+			break;
 		case 'v':
 			verbose = 1;
 			break;
@@ -149,8 +176,12 @@ main(int argc, char **argv)
 
 	gssd_load_mech();
 
-	if (!debug_level)
+	if (!debug_level) {
 		daemon(0, 0);
+		signal(SIGINT, SIG_IGN);
+		signal(SIGQUIT, SIG_IGN);
+		signal(SIGHUP, SIG_IGN);
+	}
 
 	memset(&sun, 0, sizeof sun);
 	sun.sun_family = AF_LOCAL;
@@ -336,7 +367,14 @@ gssd_init_sec_context_1_svc(init_sec_con
 	gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
 	gss_name_t name = GSS_C_NO_NAME;
 	char ccname[PATH_MAX + 5 + 1], *cp, *cp2;
-	int gotone;
+	int gotone, gotcred;
+	OM_uint32 min_stat;
+#ifndef WITHOUT_KERBEROS
+	gss_buffer_desc principal_desc;
+	char enctype[sizeof(uint32_t)];
+	int key_enctype;
+	OM_uint32 maj_stat;
+#endif
 
 	memset(result, 0, sizeof(*result));
 	if (ccfile_dirlist[0] != '\0' && argp->cred == 0) {
@@ -411,7 +449,46 @@ gssd_init_sec_context_1_svc(init_sec_con
 			return (TRUE);
 		}
 	}
+	gotcred = 0;
 
+#ifndef WITHOUT_KERBEROS
+	if (use_old_des != 0) {
+		if (cred == GSS_C_NO_CREDENTIAL) {
+			/* Acquire a credential for the uid. */
+			maj_stat = gssd_get_user_cred(&min_stat, argp->uid,
+			    &cred);
+			if (maj_stat == GSS_S_COMPLETE)
+				gotcred = 1;
+			else
+				gssd_verbose_out("gssd_init_sec_context: "
+				    "get user cred failed uid=%d major=0x%x "
+				    "minor=%d\n", (int)argp->uid,
+				    (unsigned int)maj_stat, (int)min_stat);
+		}
+		if (cred != GSS_C_NO_CREDENTIAL) {
+			key_enctype = ETYPE_DES_CBC_CRC;
+			enctype[0] = (key_enctype >> 24) & 0xff;
+			enctype[1] = (key_enctype >> 16) & 0xff;
+			enctype[2] = (key_enctype >> 8) & 0xff;
+			enctype[3] = key_enctype & 0xff;
+			principal_desc.length = sizeof(enctype);
+			principal_desc.value = enctype;
+			result->major_status = gss_set_cred_option(
+			    &result->minor_status, &cred,
+			    GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X,
+			    &principal_desc);
+			gssd_verbose_out("gssd_init_sec_context: set allowable "
+			    "enctype major=0x%x minor=%d\n",
+			    (unsigned int)result->major_status,
+			    (int)result->minor_status);
+			if (result->major_status != GSS_S_COMPLETE) {
+				if (gotcred != 0)
+					gss_release_cred(&min_stat, &cred);
+				return (TRUE);
+			}
+		}
+	}
+#endif
 	result->major_status = gss_init_sec_context(&result->minor_status,
 	    cred, &ctx, name, argp->mech_type,
 	    argp->req_flags, argp->time_req, argp->input_chan_bindings,
@@ -420,6 +497,8 @@ gssd_init_sec_context_1_svc(init_sec_con
 	gssd_verbose_out("gssd_init_sec_context: done major=0x%x minor=%d"
 	    " uid=%d\n", (unsigned int)result->major_status,
 	    (int)result->minor_status, (int)argp->uid);
+	if (gotcred != 0)
+		gss_release_cred(&min_stat, &cred);
 
 	if (result->major_status == GSS_S_COMPLETE
 	    || result->major_status == GSS_S_CONTINUE_NEEDED) {
@@ -687,6 +766,11 @@ gssd_acquire_cred_1_svc(acquire_cred_arg
 	gss_cred_id_t cred;
 	char ccname[PATH_MAX + 5 + 1], *cp, *cp2;
 	int gotone;
+#ifndef WITHOUT_KERBEROS
+	gss_buffer_desc namebuf;
+	uint32_t minstat;
+	krb5_error_code kret;
+#endif
 
 	memset(result, 0, sizeof(*result));
 	if (ccfile_dirlist[0] != '\0' && argp->desired_name == 0) {
@@ -1026,3 +1110,52 @@ is_a_valid_tgt_cache(const char *filepat
 #endif /* !WITHOUT_KERBEROS */
 }
 
+#ifndef WITHOUT_KERBEROS
+/*
+ * Acquire a gss credential for a uid.
+ */
+static OM_uint32
+gssd_get_user_cred(OM_uint32 *min_statp, uid_t uid, gss_cred_id_t *credp)
+{
+	gss_buffer_desc principal_desc;
+	gss_name_t name;
+	OM_uint32 maj_stat, min_stat;
+	gss_OID_set mechlist;
+	struct passwd *pw;
+
+	pw = getpwuid(uid);
+	if (pw == NULL) {
+		*min_statp = 0;
+		return (GSS_S_FAILURE);
+	}
+
+	/*
+	 * The mechanism must be set to KerberosV for acquisition
+	 * of credentials to work reliably.
+	 */
+	maj_stat = gss_create_empty_oid_set(min_statp, &mechlist);
+	if (maj_stat != GSS_S_COMPLETE)
+		return (maj_stat);
+	maj_stat = gss_add_oid_set_member(min_statp, GSS_KRB5_MECH_OID_X,
+	    &mechlist);
+	if (maj_stat != GSS_S_COMPLETE) {
+		gss_release_oid_set(&min_stat, &mechlist);
+		return (maj_stat);
+	}
+
+	principal_desc.value = (void *)pw->pw_name;
+	principal_desc.length = strlen(pw->pw_name);
+	maj_stat = gss_import_name(min_statp, &principal_desc,
+	    GSS_C_NT_USER_NAME, &name);
+	if (maj_stat != GSS_S_COMPLETE) {
+		gss_release_oid_set(&min_stat, &mechlist);
+		return (maj_stat);
+	}
+	/* Acquire the credentials. */
+	maj_stat = gss_acquire_cred(min_statp, name, 0, mechlist,
+	    GSS_C_INITIATE, credp, NULL, NULL);
+	gss_release_name(&min_stat, &name);
+	gss_release_oid_set(&min_stat, &mechlist);
+	return (maj_stat);
+}
+#endif /* !WITHOUT_KERBEROS */
