Hi.
Enclosed is a patch that removes the requirement that the GSSAPI
credentials be for cvs@gethostname(). That requirement is a problem,
for example, when using a multi-homed server that doesn't have the same
name on all interfaces, or when using CNAMEs. The patch is relative to
1.11 but should be easily applicable to current. Comments?
/assar
diff -ruw cvs-1.11.orig/src/server.c cvs-1.11/src/server.c
--- cvs-1.11.orig/src/server.c Fri Jul 28 22:18:40 2000
+++ cvs-1.11/src/server.c Tue Feb 13 01:48:03 2001
@@ -5835,10 +5835,6 @@
#ifdef HAVE_GSSAPI
-#ifndef MAXHOSTNAMELEN
-#define MAXHOSTNAMELEN (256)
-#endif
-
/* Authenticate a GSSAPI connection. This is called from
pserver_authenticate_connection, and it handles success and failure
the same way. */
@@ -5846,38 +5842,13 @@
static void
gserver_authenticate_connection ()
{
- char hostname[MAXHOSTNAMELEN];
- struct hostent *hp;
gss_buffer_desc tok_in, tok_out;
char buf[1024];
OM_uint32 stat_min, ret;
- gss_name_t server_name, client_name;
- gss_cred_id_t server_creds;
+ gss_name_t client_name;
int nbytes;
gss_OID mechid;
- gethostname (hostname, sizeof hostname);
- hp = gethostbyname (hostname);
- if (hp == NULL)
- error (1, 0, "can't get canonical hostname");
-
- sprintf (buf, "cvs@%s", hp->h_name);
- tok_in.value = buf;
- tok_in.length = strlen (buf);
-
- if (gss_import_name (&stat_min, &tok_in, GSS_C_NT_HOSTBASED_SERVICE,
- &server_name) != GSS_S_COMPLETE)
- error (1, 0, "could not import GSSAPI service name %s", buf);
-
- /* Acquire the server credential to verify the client's
- authentication. */
- if (gss_acquire_cred (&stat_min, server_name, 0, GSS_C_NULL_OID_SET,
- GSS_C_ACCEPT, &server_creds,
- NULL, NULL) != GSS_S_COMPLETE)
- error (1, 0, "could not acquire GSSAPI server credentials");
-
- gss_release_name (&stat_min, &server_name);
-
/* The client will send us a two byte length followed by that many
bytes. */
if (fread (buf, 1, 2, stdin) != 2)
@@ -5895,7 +5866,7 @@
if (gss_accept_sec_context (&stat_min,
&gcontext, /* context_handle */
- server_creds, /* verifier_cred_handle */
+ GSS_C_NO_CREDENTIAL, /* verifier_cred_handle */
&tok_in, /* input_token */
NULL, /* channel bindings */
&client_name, /* src_name */
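Review bot: Passing `GSS_C_NO_CREDENTIAL` as verifier_cred_handle drops the only visible check that the client authenticated to the cvs service, since the earlier hunk also removes the `cvs@host` name import and `gss_acquire_cred`. The acceptor then falls back to its default acceptor credentials, which with Kerberos usually means any key the process can read from the keytab, so a context established for a different service principal on the same machine would presumably be accepted here as well. To keep the hostname flexible but still pin the service, query the target name with `gss_inquire_context` once the context is established and refuse anything whose service part is not `cvs`, as sketched below. The printable name format is mechanism-specific, so the prefix test needs confirming for the mechanisms in use. The call and the rest of gserver_authenticate_connection continue outside this hunk.

```c
    /* … unchanged: gss_accept_sec_context call; the check below goes
       after the context has been established successfully … */

    /* With GSS_C_NO_CREDENTIAL any acceptor key available to this
       process can complete the context, so confirm that the client
       authenticated to the cvs service.  */
    {
	gss_name_t targ_name;
	gss_buffer_desc targ_buf;

	if (gss_inquire_context (&stat_min, gcontext, NULL, &targ_name,
				 NULL, NULL, NULL, NULL, NULL)
		!= GSS_S_COMPLETE
	    || gss_display_name (&stat_min, targ_name, &targ_buf, NULL)
		!= GSS_S_COMPLETE)
	    error (1, 0, "could not determine GSSAPI target name");

	/* Printable form is mechanism-specific; Kerberos 5 yields
	   "cvs/host@REALM".  */
	if (targ_buf.length < 4
	    || strncmp ((const char *) targ_buf.value, "cvs/", 4) != 0)
	    error (1, 0, "GSSAPI context was not established for the cvs service");

	gss_release_buffer (&stat_min, &targ_buf);
	gss_release_name (&stat_min, &targ_name);
    }
```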
Only in cvs-1.11/src: server.c~