- init var
2Allow nfs versions 2 and 3 to mount with -osec=krb5.
3
4
5---
6
7 util-linux-2.12-bfields/mount/nfs.5 | 37 +++++++++-----
8 util-linux-2.12-bfields/mount/nfs_mount4.h | 18 ++++++-
9 util-linux-2.12-bfields/mount/nfsmount.c | 74 ++++++++++++++++++++++++++++-
10 3 files changed, 112 insertions(+), 17 deletions(-)
11
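--- a/mount/nfs.5
+++ b/mount/nfs.5
@@ -165,7 +165,7 @@ mount daemon program number.
 Use an alternate RPC version number to contact the
 mount daemon on the remote host. This option is useful
 for hosts that can run multiple NFS servers.
-The default value is version 1.
+The default value depends on which kernel you are using.
 .TP 1.5i
 .I nfsprog=n
 Use an alternate RPC program number to contact the
@@ -178,7 +178,7 @@ NFS daemon program number.
 Use an alternate RPC version number to contact the
 NFS daemon on the remote host. This option is useful
 for hosts that can run multiple NFS servers.
-The default value is version 2.
+The default value depends on which kernel you are using.
 .TP 1.5i
 .I nolock
 Disable NFS locking. Do not start lockd.
@@ -230,9 +230,25 @@ Suppress the retrieval of new attributes
 .TP 1.5i
 .I noac
 Disable all forms of attribute caching entirely. This extracts a
-server performance penalty but it allows two different NFS clients
-to get reasonable good results when both clients are actively
-writing to common filesystem on the server.
+significant performance penalty but it allows two different NFS clients
+to get reasonable results when both clients are actively
+writing to a common export on the server.
+.TP 1.5i
+.I sec=mode
+Set the security flavor for this mount to "mode".
+The default setting is \f3sec=sys\f1, which uses local
+unix uids and gids to authenticate NFS operations (AUTH_SYS).
+Other currently supported settings are:
+\f3sec=krb5\f1, which uses Kerberos V5 instead of local unix uids
+and gids to authenticate users;
+\f3sec=krb5i\f1, which uses Kerberos V5 for user authentication
+and performs integrity checking of NFS operations using secure
+checksums to prevent data tampering; and
+\f3sec=krb5p\f1, which uses Kerberos V5 for user authentication
+and integrity checking, and encrypts NFS traffic to prevent
+traffic sniffing (this is the most secure setting).
+Note that there is a performance penalty when using integrity
+or privacy.
 .TP 1.5i
 .I tcp
 Mount the NFS filesystem using the TCP protocol instead of the
@@ -347,15 +363,8 @@ causes the client to use a specific call
 communicating with an NFS version 4 server.
 This option is currently ignored.
 .TP 1.5i
-.I sec=n
-Specify an advanced security mechanism for this file system.
-To use Kerberos 5 mutual authentication, specify
-.IR krb5 .
-Kerberos 5 integrity checking is specified with
-.IR krb5i ,
-and Kerberos 5 privacy is specified with
-.IR krb5p .
-Other security mechanisms may become available in the future.
+.I sec=mode
+Same as \f3sec=mode\f1 for the nfs filesystem type (see above).
 .TP 1.5i
 .I bg
 If an NFS mount attempt times out, retry the mount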
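--- a/mount/nfs_mount4.h
+++ b/mount/nfs_mount4.h
@@ -8,7 +8,7 @@
 * so it is easiest to ignore the kernel altogether (at compile time).
 */
 
-#define NFS_MOUNT_VERSION 4
+#define NFS_MOUNT_VERSION 5
 
 struct nfs2_fh {
 char data[32];
@@ -36,6 +36,7 @@ struct nfs_mount_data {
 int namlen; /* 2 */
 unsigned int bsize; /* 3 */
 struct nfs3_fh root; /* 4 */
+ int pseudoflavor; /* 5 */
 };
 
 /* bits in the flags field */
@@ -51,4 +52,19 @@ struct nfs_mount_data {
 #define NFS_MOUNT_KERBEROS 0x0100 /* 3 */
 #define NFS_MOUNT_NONLM 0x0200 /* 3 */
 #define NFS_MOUNT_BROKEN_SUID 0x0400 /* 4 */
+#define NFS_MOUNT_SECFLAVOUR 0x2000 /* 5 */
+
+/* security pseudoflavors */
+
+#ifndef AUTH_GSS_KRB5
+#define AUTH_GSS_KRB5 390003
+#define AUTH_GSS_KRB5I 390004
+#define AUTH_GSS_KRB5P 390005
+#define AUTH_GSS_LKEY 390006
+#define AUTH_GSS_LKEYI 390007
+#define AUTH_GSS_LKEYP 390008
+#define AUTH_GSS_SPKM 390009
+#define AUTH_GSS_SPKMI 390010
+#define AUTH_GSS_SPKMP 390011
+#endif
 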
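Review bot: The `#ifndef AUTH_GSS_KRB5` guard in the last hunk covers nine macros but tests only the first, so a system `<rpc/auth.h>` that already defines AUTH_GSS_KRB5 without the LKEY/SPKM values would leave the other eight undefined and break the new `sec=` parsing in nfsmount.c; whether such a header exists is not visible here, but the guard is cheap to tighten. Either guard each definition separately or test the last one too, e.g. `#if !defined(AUTH_GSS_KRB5) || !defined(AUTH_GSS_SPKMP)`. The new `pseudoflavor` member and `NFS_MOUNT_SECFLAVOUR` bit would also benefit from a comment saying that they are only passed to the kernel when the negotiated mount version is 5 or more, matching the `/* 5 */` version tags used elsewhere in the struct.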
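--- a/mount/nfsmount.c
+++ b/mount/nfsmount.c
@@ -109,6 +109,8 @@ typedef struct {
 static const struct timeval TIMEOUT = { 20, 0 };
 static const struct timeval RETRY_TIMEOUT = { 3, 0 };
 
+static int nfs_call_umount(clnt_addr_t *mnt_server, dirpath *argp);
+
 /* Define the order in which to probe for UDP/TCP services */
 static const u_int *
 proto_probelist(const int use_tcp)
@@ -211,8 +213,10 @@ find_kernel_nfs_mount_version(void) {
 mnt_version = 4; /* since 2.2.18pre9 */
 else if (kernel_version < MAKE_VERSION(2,3,99))
 mnt_version = 3;
+ else if (kernel_version < MAKE_VERSION(2,6,0))
+ mnt_version = 4;
 else
- mnt_version = 4; /* since 2.3.99pre4 */
+ mnt_version = 5;
 }
 if (mnt_version > NFS_MOUNT_VERSION)
 mnt_version = NFS_MOUNT_VERSION;
@@ -596,6 +600,40 @@ parse_options(char *old_opts, struct nfs
 #endif
 } else if (!sloppy)
 goto bad_parameter;
+#if NFS_MOUNT_VERSION >= 5
+ } else if (!strcmp(opt, "sec")) {
+ char *secflavor = opteq+1;
+ /* see RFC 2623 */
+ if (nfs_mount_version < 5) {
+ printf(_("Warning: ignoring sec=%s option\n"), secflavor);
+ continue;
+ } else if (!strcmp(secflavor, "sys"))
+ data->pseudoflavor = AUTH_SYS;
+ else if (!strcmp(secflavor, "krb5"))
+ data->pseudoflavor = AUTH_GSS_KRB5;
+ else if (!strcmp(secflavor, "krb5i"))
+ data->pseudoflavor = AUTH_GSS_KRB5I;
+ else if (!strcmp(secflavor, "krb5p"))
+ data->pseudoflavor = AUTH_GSS_KRB5P;
+ else if (!strcmp(secflavor, "lipkey"))
+ data->pseudoflavor = AUTH_GSS_LKEY;
+ else if (!strcmp(secflavor, "lipkey-i"))
+ data->pseudoflavor = AUTH_GSS_LKEYI;
+ else if (!strcmp(secflavor, "lipkey-p"))
+ data->pseudoflavor = AUTH_GSS_LKEYP;
+ else if (!strcmp(secflavor, "spkm3"))
+ data->pseudoflavor = AUTH_GSS_SPKM;
+ else if (!strcmp(secflavor, "spkm3i"))
+ data->pseudoflavor = AUTH_GSS_SPKMI;
+ else if (!strcmp(secflavor, "spkm3p"))
+ data->pseudoflavor = AUTH_GSS_SPKMP;
+ else if (!sloppy) {
+ printf(_("Warning: Unrecognized security flavor %s.\n"),
+ secflavor);
+ goto bad_parameter;
+ }
+ data->flags |= NFS_MOUNT_SECFLAVOUR;
+#endif
 } else if (!strcmp(opt, "mounthost"))
 mounthost=xstrndup(opteq+1,
 strcspn(opteq+1," \t\n\r,"));
@@ -745,7 +783,7 @@ nfsmount(const char *spec, const char *n
 mntres_t mntres;
 
 struct stat statbuf;
- char *s, *p;
+ char *s;
 int bg, retry;
 int retval;
 time_t t;
@@ -809,6 +847,7 @@ nfsmount(const char *spec, const char *n
 #if NFS_MOUNT_VERSION >= 2
 data.namlen = NAME_MAX;
 #endif
+ data.pseudoflavor = AUTH_SYS;
 
 bg = 0;
 retry = 10000; /* 10000 minutes ~ 1 week */
@@ -847,6 +886,9 @@ nfsmount(const char *spec, const char *n
 printf("tcp = %d\n",
 (data.flags & NFS_MOUNT_TCP) != 0);
 #endif
+#if NFS_MOUNT_VERSION >= 5
+ printf("sec = %u\n", data.pseudoflavor);
+#endif
 #endif
 
 data.version = nfs_mount_version;
@@ -949,7 +991,9 @@ nfsmount(const char *spec, const char *n
 #endif
 } else {
 #if NFS_MOUNT_VERSION >= 4
+ mountres3_ok *mountres;
 fhandle3 *fhandle;
+ int i, *flavor, yum = 0;
 if (mntres.nfsv3.fhs_status != 0) {
 fprintf(stderr,
 _("mount: %s:%s failed, reason given by server: %s\n"),
@@ -957,6 +1001,32 @@ nfsmount(const char *spec, const char *n
 nfs_strerror(mntres.nfsv3.fhs_status));
 goto fail;
 }
+#if NFS_MOUNT_VERSION >= 5
+ mountres = &mntres.nfsv3.mountres3_u.mountinfo;
+ i = mountres->auth_flavours.auth_flavours_len;
+ if (i <= 0)
+ goto noauth_flavours;
+
+ flavor = mountres->auth_flavours.auth_flavours_val;
+ while (--i >= 0) {
+ if (flavor[i] == data.pseudoflavor)
+ yum = 1;
+#ifdef NFS_MOUNT_DEBUG
+ printf("auth flavor %d: %d\n",
+ i, flavor[i]);
+#endif
+ }
+ if (!yum) {
+ fprintf(stderr,
+ "mount: %s:%s failed, "
+ "security flavor not supported\n",
+ hostname, dirname);
+ /* server has registered us in mtab, send umount */
+ nfs_call_umount(&mnt_server, &dirname);
+ goto fail;
+ }
+noauth_flavours:
+#endif
 fhandle = &mntres.nfsv3.mountres3_u.mountinfo.fhandle;
 memset(data.old_root.data, 0, NFS_FHSIZE);
 memset(&data.root, 0, sizeof(data.root));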
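Review bot: In the parse_options hunk (`@@ -596,6 +600,40`) a kernel reporting nfs_mount_version < 5 prints `Warning: ignoring sec=%s option` and the mount goes ahead with the AUTH_SYS default set earlier in nfsmount(), so a request for krb5i or krb5p silently degrades to an unauthenticated, unencrypted mount; an unrecognized flavor under `sloppy` degrades the same way while still setting `NFS_MOUNT_SECFLAVOUR`. A security option should fail closed: replace the `continue` with `if (!sloppy) goto bad_parameter; continue;` and only set `data->flags |= NFS_MOUNT_SECFLAVOUR` once a flavor was actually recognized. In the `@@ -957,6 +1001,32` hunk the `noauth_flavours` path accepts the mount when the server returns an empty flavor list, so the requested flavor is never confirmed on that path; a comment such as `/* empty list: server advertised no flavors, requested flavor is used unverified */` would make that explicit. The `printf("sec = %u\n", data.pseudoflavor)` in the debug hunk also pairs `%u` with an `int` field; `%d` matches the declaration in nfs_mount4.h.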