Date: Sat, 22 Dec 2012 19:10:32 -0500 (EST)
From: Rick Macklem <rmacklem@uoguelph.ca>
To: FreeBSD Filesystems <freebsd-fs@freebsd.org>
Cc: admin@ist.tugraz.at
Subject: NFS krb5 host based initiator credential patch
Message-ID: <1071529580.1558626.1356221432033.JavaMail.root@erie.cs.uoguelph.ca>
Hi,

For a long time, I've had a patch that adds support for host based credentials in a keytab file to the kerberized NFS client. Unfortunately, it only worked if the kind of encryption used to create the keytab entry was explicitly set via a sysctl. Because of this dfr@ understandably didn't want it committed. Also, the patch had a bug which caused crashes when the initial use of the credential failed for any reason.

I now finally have a patch that doesn't require explicit setting of the encryption type to make it work. (It does essentially a "kinit -k" to acquire a TGT and put it in a credential cache, which is then used by gss_init_sec_context().)

I'd appreciate testing and review of this patch. It can be found at:
http://people.freebsd.org/~rmacklem/rpcsec_gss-hostbased-initiator.patch
This patch should apply to the files in -current.

If the patch doesn't apply cleanly, you can find patched copies of the files here. (These should be buildable in any 9.0 or later system, I think?)
http://people.freebsd.org/~rmacklem/rpcsec_gss-hostbased-initiator-patched-files

The patch has worked ok for me for some testing, but I have only used a des-cbc-crc encrypted keytab entry. (I believe other encryption types should work, so long as they result in an 8 byte session key, but I haven't tested this and suggest testers start with des-cbc-crc.)

rick

ps: RPCSEC_GSS version 1 uses des-cbc encryption for krb5p, so stronger encryption for the keytab entry probably doesn't make any difference.
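Before testing the patch, a tester would want to confirm that the client's keytab actually holds an nfs/ host principal entry with the des-cbc-crc enctype the author started with, and to see which other enctypes are present. The script below is an added example written for this archive page, not code from the patch or from its author: it parses a constructed keytab listing in the MIT `klist -ket` column layout (KVNO, date, time, principal, enctype in parentheses). The sample listing, the host name client.example.org and the realm EXAMPLE.ORG are made up; on a FreeBSD host using the base Heimdal tools the listing command and column layout differ (`ktutil list`), so the awk field numbers would need adjusting.

```shell
#!/bin/sh
# Added example (not part of the patch): check a keytab listing for a
# host-based NFS initiator principal carrying a given enctype.
# SAMPLE_KLIST is constructed to mimic MIT 'klist -ket' output; replace it
# with "$(klist -ket /etc/krb5.keytab)" on a real system.

SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------
   3 12/20/12 10:00:00 nfs/client.example.org@EXAMPLE.ORG (des-cbc-crc)
   3 12/20/12 10:00:00 nfs/client.example.org@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
   2 11/01/12 09:30:00 host/client.example.org@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)'

# keytab_has_entry LISTING PRINCIPAL_PREFIX ENCTYPE
# Exit status 0 if some entry's principal starts with PRINCIPAL_PREFIX
# (for example "nfs/") and its enctype equals ENCTYPE, else 1.
# Field layout assumed: $1 kvno, $2 date, $3 time, $4 principal, $5 "(enctype)".
keytab_has_entry() {
    listing=$1; prefix=$2; enctype=$3
    printf '%s\n' "$listing" | awk -v p="$prefix" -v e="($enctype)" '
        $4 ~ ("^" p) && $5 == e { found = 1 }
        END { exit found ? 0 : 1 }'
}

# keytab_enctypes LISTING PRINCIPAL_PREFIX
# Prints the distinct enctypes present for principals matching PRINCIPAL_PREFIX,
# one per line, so a tester can see what else the KDC issued for that key.
keytab_enctypes() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $4 ~ ("^" p) { gsub(/[()]/, "", $5); print $5 }' | sort -u
}

if keytab_has_entry "$SAMPLE_KLIST" "nfs/" des-cbc-crc; then
    echo "keytab has a des-cbc-crc nfs/ entry: suitable first test case for the patch"
else
    echo "no des-cbc-crc nfs/ entry found; enctypes present for nfs/:"
    keytab_enctypes "$SAMPLE_KLIST" "nfs/"
fi
```

The des-cbc-crc check is only a starting point, as the mail says; once the initiator works with it, the same functions can be used to enumerate the other enctypes on the nfs/ entry and test those next.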