From: John Baldwin Date: Fri, 10 Apr 2020 23:10:28 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r359787 - head/usr.sbin/gssd X-SVN-Group: head X-SVN-Commit-Author: jhb X-SVN-Commit-Paths: head/usr.sbin/gssd X-SVN-Commit-Revision: 359787 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 10 Apr 2020 23:10:29 -0000 Author: jhb Date: Fri Apr 10 23:10:28 2020 New Revision: 359787 URL: https://svnweb.freebsd.org/changeset/base/359787 Log: Remove the -o option from gssd(8). This uses DES and the kernel no longer supports DES for in-kernel GSS. Reviewed by: kp Relnotes: yes Sponsored by: Chelsio Communications Differential Revision: https://reviews.freebsd.org/D24345 Modified: head/usr.sbin/gssd/gssd.8 head/usr.sbin/gssd/gssd.c Modified: head/usr.sbin/gssd/gssd.8 ============================================================================== --- head/usr.sbin/gssd/gssd.8 Fri Apr 10 23:08:41 2020 (r359786) +++ head/usr.sbin/gssd/gssd.8 Fri Apr 10 23:10:28 2020 (r359787) @@ -25,7 +25,7 @@ .\" .\" $FreeBSD$ .\" -.Dd July 7, 2013 +.Dd April 10 2020 .Dt GSSD 8 .Os .Sh NAME @@ -35,7 +35,6 @@ .Nm .Op Fl d .Op Fl h -.Op Fl o .Op Fl v .Op Fl s Ar dir-list .Op Fl c Ar file-substring 
@@ -61,10 +60,6 @@ gssname option for the .Xr mount_nfs 8 command. -.It Fl o -Force use of DES and the associated old style GSS-API initialization token. -This may be required to make kerberized NFS mounts work against some -non-FreeBSD NFS servers. .It Fl v Run in verbose mode. In this mode, Modified: head/usr.sbin/gssd/gssd.c ============================================================================== --- head/usr.sbin/gssd/gssd.c Fri Apr 10 23:08:41 2020 (r359786) +++ head/usr.sbin/gssd/gssd.c Fri Apr 10 23:10:28 2020 (r359787) @@ -77,7 +77,6 @@ int debug_level; static char ccfile_dirlist[PATH_MAX + 1], ccfile_substring[NAME_MAX + 1]; static char pref_realm[1024]; static int verbose; -static int use_old_des; static int hostbased_initiator_cred; #ifndef WITHOUT_KERBEROS /* 1.2.752.43.13.14 */ @@ -125,7 +124,7 @@ main(int argc, char **argv) pref_realm[0] = '\0'; debug = 0; verbose = 0; - while ((ch = getopt(argc, argv, "dhovs:c:r:")) != -1) { + while ((ch = getopt(argc, argv, "dhvs:c:r:")) != -1) { switch (ch) { case 'd': debug_level++; @@ -142,17 +141,6 @@ main(int argc, char **argv) " without MK_KERBEROS\n"); #endif break; - case 'o': -#ifndef WITHOUT_KERBEROS - /* - * Force use of DES and the old type of GSSAPI token. - */ - use_old_des = 1; -#else - errx(1, "This option not available when built" - " without MK_KERBEROS\n"); -#endif - break; case 'v': verbose = 1; break; 
@@ -483,44 +471,6 @@ gssd_init_sec_context_1_svc(init_sec_context_args *arg } gotcred = 0; -#ifndef WITHOUT_KERBEROS - if (use_old_des != 0) { - if (cred == GSS_C_NO_CREDENTIAL) { - /* Acquire a credential for the uid. */ - maj_stat = gssd_get_user_cred(&min_stat, argp->uid, - &cred); - if (maj_stat == GSS_S_COMPLETE) - gotcred = 1; - else - gssd_verbose_out("gssd_init_sec_context: " - "get user cred failed uid=%d major=0x%x " - "minor=%d\n", (int)argp->uid, - (unsigned int)maj_stat, (int)min_stat); - } - if (cred != GSS_C_NO_CREDENTIAL) { - key_enctype = ETYPE_DES_CBC_CRC; - enctype[0] = (key_enctype >> 24) & 0xff; - enctype[1] = (key_enctype >> 16) & 0xff; - enctype[2] = (key_enctype >> 8) & 0xff; - enctype[3] = key_enctype & 0xff; - principal_desc.length = sizeof(enctype); - principal_desc.value = enctype; - result->major_status = gss_set_cred_option( - &result->minor_status, &cred, - GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X, - &principal_desc); - gssd_verbose_out("gssd_init_sec_context: set allowable " - "enctype major=0x%x minor=%d\n", - (unsigned int)result->major_status, - (int)result->minor_status); - if (result->major_status != GSS_S_COMPLETE) { - if (gotcred != 0) - gss_release_cred(&min_stat, &cred); - return (TRUE); - } - } - } -#endif result->major_status = gss_init_sec_context(&result->minor_status, cred, &ctx, name, argp->mech_type, argp->req_flags, argp->time_req, argp->input_chan_bindings,
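Review bot: in the first gssd.8 hunk, the new date line `.Dd April 10 2020` drops the comma that the line it replaces had (`.Dd July 7, 2013`). mdoc expects the `Month day, year` form, so this should read `.Dd April 10, 2020`.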
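Review bot: in the getopt hunk of gssd.c, dropping `o` from the option string ("dhovs:c:r:" becomes "dhvs:c:r:") means an existing invocation that still passes -o is now reported by getopt as an unknown option, with no hint as to why it stopped working. Since the log marks this change Relnotes: yes, consider keeping a `case 'o':` for a release that exits through errx() with a message saying DES is no longer supported for in-kernel GSS, so a stale flags setting fails with a clear reason.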
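Review bot: in the gssd_init_sec_context_1_svc hunk, the removed block is the only visible user of key_enctype, enctype and principal_desc, and the only place shown that sets gotcred to 1, while `gotcred = 0;` stays. The declarations are outside this hunk, so please check whether any of these locals are now unused in the function and remove the ones that are, to avoid unused-variable warnings in the build.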