"Derek R. Price" <[EMAIL PROTECTED]> writes:
> > Not at all. Before, you had to have a key for cvs@gethostname(), but
> > now any key stored in /etc/krb5.keytab can be used for
> > authentication. What worked before still works, and it is simpler for
> > people with multihomed servers and such.
>
> Might this be perceived as a loss of functionality to some people, or
> perhaps less secure?
I don't see how it could be seen as a loss of functionality. It might
however, for some people be seen as a change in functionality. I've
cooked up a new patch that should even make those picky people happy.
Instead of only accepting authentication for cvs@gethostname(), which
was the old way, it now accepts authentication for any cvs@*. This
should make things work for multi-homed servers and not change the
functionality in any perceived way. Any comments on this patch?
/assar
diff -ruw cvs-1.11.orig/src/server.c cvs-1.11/src/server.c
--- cvs-1.11.orig/src/server.c Fri Jul 28 22:18:40 2000
+++ cvs-1.11/src/server.c Sat Feb 24 02:56:22 2001
@@ -5835,10 +5835,6 @@
#ifdef HAVE_GSSAPI
-#ifndef MAXHOSTNAMELEN
-#define MAXHOSTNAMELEN (256)
-#endif
-
/* Authenticate a GSSAPI connection. This is called from
pserver_authenticate_connection, and it handles success and failure
the same way. */
@@ -5846,38 +5842,13 @@
static void
gserver_authenticate_connection ()
{
- char hostname[MAXHOSTNAMELEN];
- struct hostent *hp;
- gss_buffer_desc tok_in, tok_out;
+ gss_buffer_desc tok_in, tok_out, server_name_buf;
char buf[1024];
OM_uint32 stat_min, ret;
- gss_name_t server_name, client_name;
- gss_cred_id_t server_creds;
+ gss_name_t client_name, server_name;
int nbytes;
gss_OID mechid;
- gethostname (hostname, sizeof hostname);
- hp = gethostbyname (hostname);
- if (hp == NULL)
- error (1, 0, "can't get canonical hostname");
-
- sprintf (buf, "cvs@%s", hp->h_name);
- tok_in.value = buf;
- tok_in.length = strlen (buf);
-
- if (gss_import_name (&stat_min, &tok_in, GSS_C_NT_HOSTBASED_SERVICE,
- &server_name) != GSS_S_COMPLETE)
- error (1, 0, "could not import GSSAPI service name %s", buf);
-
- /* Acquire the server credential to verify the client's
- authentication. */
- if (gss_acquire_cred (&stat_min, server_name, 0, GSS_C_NULL_OID_SET,
- GSS_C_ACCEPT, &server_creds,
- NULL, NULL) != GSS_S_COMPLETE)
- error (1, 0, "could not acquire GSSAPI server credentials");
-
- gss_release_name (&stat_min, &server_name);
-
/* The client will send us a two byte length followed by that many
bytes. */
if (fread (buf, 1, 2, stdin) != 2)
@@ -5895,7 +5866,7 @@
if (gss_accept_sec_context (&stat_min,
&gcontext, /* context_handle */
- server_creds, /* verifier_cred_handle */
+ GSS_C_NO_CREDENTIAL, /* verifier_cred_handle */
&tok_in, /* input_token */
NULL, /* channel bindings */
&client_name, /* src_name */
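Review bot: With `GSS_C_NO_CREDENTIAL` as the verifier credential, gss_accept_sec_context will establish a context for any acceptor principal the mechanism can find in its default keytab, so nothing at this call site restricts the service the client authenticated to; the only restriction is the "cvs/" prefix check added in the following hunk, which runs after the context already exists. That ordering is fine here only because a failed check calls error(1, ...) and terminates the process, so a comment at this line would keep a future refactor from returning instead of exiting: `/* Any acceptor principal in the default keytab is accepted here; the service is checked against "cvs/" only after the context is established. */`. gserver_authenticate_connection begins before this hunk and continues after it.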
@@ -5908,6 +5879,34 @@
{
error (1, 0, "could not verify credentials");
}
+
+ if (gss_inquire_context (&stat_min,
+ gcontext,
+ NULL,
+ &server_name,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL) != GSS_S_COMPLETE)
+ {
+ error (1, 0, "could not get server name");
+ }
+
+ if (gss_display_name (&stat_min, server_name, &server_name_buf, NULL)
+ != GSS_S_COMPLETE)
+ {
+ error (1, 0, "could not display server name");
+ }
+
+ if (server_name_buf.length < 4
+ || strncmp(server_name_buf.value, "cvs/", 4) != 0)
+ {
+ error (1, 0, "wrong server: (%.*s)",
+ server_name_buf.length, server_name_buf.value);
+ }
+
+ gss_release_buffer (&stat_min, &server_name_buf);
/* FIXME: Use Kerberos v5 specific code to authenticate to a user.
We could instead use an authentication to access mapping. */
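Review bot: The error call in the new name check passes `server_name_buf.length` as the precision for `%.*s`, but `%.*s` requires an `int` argument and `gss_buffer_desc.length` is a `size_t`, so the call is a format/argument mismatch; it should read `error (1, 0, "wrong server: (%.*s)", (int) server_name_buf.length, (char *) server_name_buf.value);`. The `"cvs/"` prefix comparison also depends on how gss_display_name renders the acceptor name returned by gss_inquire_context, which appears to be the Kerberos principal form `cvs/host@REALM` rather than the `cvs@host` host-based form the cover letter describes; if a mechanism displays it differently the check fails closed, which is the safe direction, but the comment above the check should say which form is expected. On the success path `server_name` from gss_inquire_context is never released; add `gss_release_name (&stat_min, &server_name);` next to the gss_release_buffer call. gserver_authenticate_connection continues past the end of this hunk.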
Only in cvs-1.11/src: server.c~