From owner-svn-src-user@FreeBSD.ORG Mon Nov 10 16:37:03 2008 Return-Path: Delivered-To: svn-src-user@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 883481065686; Mon, 10 Nov 2008 16:37:03 +0000 (UTC) (envelope-from dfr@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 7292A8FC1E; Mon, 10 Nov 2008 16:37:03 +0000 (UTC) (envelope-from dfr@FreeBSD.org) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id mAAGb3GR074715; Mon, 10 Nov 2008 16:37:03 GMT (envelope-from dfr@svn.freebsd.org) Received: (from dfr@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id mAAGb39Q074711; Mon, 10 Nov 2008 16:37:03 GMT (envelope-from dfr@svn.freebsd.org) Message-Id: <200811101637.mAAGb39Q074711@svn.freebsd.org> 
From: Doug Rabson Date: Mon, 10 Nov 2008 16:37:03 +0000 (UTC) To: src-committers@freebsd.org, svn-src-user@freebsd.org X-SVN-Group: user MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r184814 - in user/dfr/gssapi/6/usr.sbin: . adduser cdcontrol config cron freebsd-update gssd mountd newsyslog nfsd ntp ntp/doc pkg_install portsnap pw rpc.lockd rpc.statd sysinstall sys... X-BeenThere: svn-src-user@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the experimental " user" src tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 10 Nov 2008 16:37:03 -0000 Author: dfr Date: Mon Nov 10 16:37:03 2008 New Revision: 184814 URL: http://svn.freebsd.org/changeset/base/184814 Log: MFC: 184588 Added: user/dfr/gssapi/6/usr.sbin/gssd/ - copied from r184588, head/usr.sbin/gssd/ Modified: user/dfr/gssapi/6/usr.sbin/ (props changed) user/dfr/gssapi/6/usr.sbin/Makefile user/dfr/gssapi/6/usr.sbin/adduser/ (props changed) user/dfr/gssapi/6/usr.sbin/cdcontrol/ (props changed) user/dfr/gssapi/6/usr.sbin/config/ (props changed) user/dfr/gssapi/6/usr.sbin/cron/ (props changed) user/dfr/gssapi/6/usr.sbin/freebsd-update/ (props changed) user/dfr/gssapi/6/usr.sbin/mountd/ (props changed) user/dfr/gssapi/6/usr.sbin/mountd/exports.5 user/dfr/gssapi/6/usr.sbin/mountd/mountd.c user/dfr/gssapi/6/usr.sbin/newsyslog/newsyslog.conf.5 (props changed) user/dfr/gssapi/6/usr.sbin/nfsd/nfsd.c user/dfr/gssapi/6/usr.sbin/ntp/ (props changed) user/dfr/gssapi/6/usr.sbin/ntp/doc/ (props changed) user/dfr/gssapi/6/usr.sbin/pkg_install/ (props changed) user/dfr/gssapi/6/usr.sbin/portsnap/ (props changed) user/dfr/gssapi/6/usr.sbin/pw/ (props changed) user/dfr/gssapi/6/usr.sbin/rpc.lockd/ (props changed) user/dfr/gssapi/6/usr.sbin/rpc.statd/ (props changed) user/dfr/gssapi/6/usr.sbin/sysinstall/ (props changed) user/dfr/gssapi/6/usr.sbin/syslogd/ (props 
changed) user/dfr/gssapi/6/usr.sbin/tzsetup/ (props changed) Modified: user/dfr/gssapi/6/usr.sbin/Makefile ==============================================================================
--- user/dfr/gssapi/6/usr.sbin/Makefile Mon Nov 10 16:23:24 2008 (r184813)
+++ user/dfr/gssapi/6/usr.sbin/Makefile Mon Nov 10 16:37:03 2008 (r184814)
@@ -62,6 +62,7 @@ SUBDIR= ac \
 getpmac \
 gstat \
 ${_i4b} \
+ ${_gssd} \
 ifmcstat \
 inetd \
 iostat \
@@ -235,6 +236,10 @@ _bluetooth= bluetooth
 _keyserv= keyserv
 .endif
+.if ${MK_GSSAPI} != no
+_gssd= gssd
+.endif
+
 .if !defined(NO_INET6)
 _mld6query= mld6query
 _rip6query= rip6query
Modified: user/dfr/gssapi/6/usr.sbin/mountd/exports.5 ==============================================================================
--- user/dfr/gssapi/6/usr.sbin/mountd/exports.5 Mon Nov 10 16:23:24 2008 (r184813)
+++ user/dfr/gssapi/6/usr.sbin/mountd/exports.5 Mon Nov 10 16:37:03 2008 (r184814)
@@ -149,6 +149,17 @@ option is given, all users (including root) will be mapped to that credential in place of their own.
 .Pp
+.Sm off
+.Fl sec Li = Sy flavor1:flavor2...
+.Sm on
+specifies a colon separated list of acceptable security flavors to be
+used for remote access.
+Supported security flavors are sys, krb5, krb5i and krb5p.
+If multiple flavors are listed, they should be ordered with the most
+preferred flavor first.
+If this option is not present,
+the default security flavor list of just sys is used.
+.Pp
 The
 .Fl ro
 option specifies that the file system should be exported read-only
@@ -305,6 +316,8 @@ the default remote mount-point file
 /u2 -maproot=root friends
 /u2 -alldirs -network cis-net -mask cis-mask
 /cdrom -alldirs,quiet,ro -network 192.168.33.0 -mask 255.255.255.0
+/private -sec=krb5i
+/secret -sec=krb5p
 .Ed
 .Pp
 Given that 
@@ -411,6 +424,15 @@ While there is no CD-ROM medium mounted it would export the (normally empty) directory
 .Pa /cdrom of the root file system instead.
+.Pp
+The file system rooted at
+.Pa /private
+will be exported using Kerberos 5 authentication and will require
+integrity protected messages for all accesses.
+The file system rooted at
+.Pa /secret
+will also be exported using Kerberos 5 authentication and all messages
+used to access it will be encrypted.
 .Sh SEE ALSO
 .Xr netgroup 5 ,
 .Xr mountd 8 ,
Modified: user/dfr/gssapi/6/usr.sbin/mountd/mountd.c ============================================================================== 
--- user/dfr/gssapi/6/usr.sbin/mountd/mountd.c Mon Nov 10 16:23:24 2008 (r184813)
+++ user/dfr/gssapi/6/usr.sbin/mountd/mountd.c Mon Nov 10 16:37:03 2008 (r184814)
@@ -113,6 +113,8 @@ struct exportlist {
 fsid_t ex_fs;
 char *ex_fsdir;
 char *ex_indexfile;
+ int ex_numsecflavors;
+ int ex_secflavors[MAXSECFLAVORS];
 };
 /* ex_flag bits */
 #define EX_LINKED 0x1
@@ -150,6 +152,8 @@ struct fhreturn {
 int fhr_flag;
 int fhr_vers;
 nfsfh_t fhr_fh;
+ int fhr_numsecflavors;
+ int *fhr_secflavors;
 };
 /* Global defs */
@@ -239,6 +243,7 @@ struct pidfh *pfh = NULL;
 #define OP_HAVEMASK 0x80 /* A mask was specified or inferred. */
 #define OP_QUIET 0x100
 #define OP_MASKLEN 0x200
+#define OP_SEC 0x400
 #ifdef DEBUG
 int debug = 1;
@@ -817,6 +822,8 @@ mntsrv(rqstp, transp)
 sigprocmask(SIG_UNBLOCK, &sighup_mask, NULL);
 return;
 }
+ fhr.fhr_numsecflavors = ep->ex_numsecflavors;
+ fhr.fhr_secflavors = ep->ex_secflavors;
 if (!svc_sendreply(transp, (xdrproc_t)xdr_fhs, (caddr_t)&fhr))
 syslog(LOG_ERR, "can't send reply");
@@ -934,6 +941,7 @@ xdr_fhs(xdrsp, cp)
 {
 struct fhreturn *fhrp = (struct fhreturn *)cp;
 u_long ok = 0, len, auth;
+ int i;
 if (!xdr_long(xdrsp, &ok))
 return (0); 
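Review bot: `fhr_secflavors` in the struct fhreturn hunk is a bare `int *` with nothing saying what it points at or who owns it; the only writer on this page is mntsrv, which aims it at `ep->ex_secflavors`, a fixed array inside the export entry, so it is a borrowed pointer whose validity ends with that exportlist entry. I would say so at the field: `int *fhr_secflavors;	/* borrowed: points into exportlist ex_secflavors, never freed here */`. As written the lifetime holds, since mntsrv passes fhr to svc_sendreply on the very next lines, but a struct fhreturn kept across a re-read of the export list (the sighup_mask handling beside it suggests one exists) would dangle. One thing to confirm: the default-flavor fallback in xdr_fhs keys on a zero count, so entries without -sec depend on ex_numsecflavors being zeroed at allocation, which parsesec does not do for them.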
@@ -946,11 +954,20 @@ xdr_fhs(xdrsp, cp)
 return (0);
 if (!xdr_opaque(xdrsp, (caddr_t)&fhrp->fhr_fh, len))
 return (0);
- auth = RPCAUTH_UNIX;
- len = 1;
- if (!xdr_long(xdrsp, &len))
- return (0);
- return (xdr_long(xdrsp, &auth));
+ if (fhrp->fhr_numsecflavors) {
+ if (!xdr_int(xdrsp, &fhrp->fhr_numsecflavors))
+ return (0);
+ for (i = 0; i < fhrp->fhr_numsecflavors; i++)
+ if (!xdr_int(xdrsp, &fhrp->fhr_secflavors[i]))
+ return (0);
+ return (1);
+ } else {
+ auth = AUTH_SYS;
+ len = 1;
+ if (!xdr_long(xdrsp, &len))
+ return (0);
+ return (xdr_long(xdrsp, &auth));
+ }
 };
 return (0);
 }
@@ -1744,6 +1761,57 @@ free_dir(dp)
 }
 /*
+ * Parse a colon separated list of security flavors
+ */
+int
+parsesec(seclist, ep)
+ char *seclist;
+ struct exportlist *ep;
+{
+ char *cp, savedc;
+ int flavor;
+
+ ep->ex_numsecflavors = 0;
+ for (;;) {
+ cp = strchr(seclist, ':');
+ if (cp) {
+ savedc = *cp;
+ *cp = '\0';
+ }
+
+ if (!strcmp(seclist, "sys"))
+ flavor = AUTH_SYS;
+ else if (!strcmp(seclist, "krb5"))
+ flavor = RPCSEC_GSS_KRB5;
+ else if (!strcmp(seclist, "krb5i"))
+ flavor = RPCSEC_GSS_KRB5I;
+ else if (!strcmp(seclist, "krb5p"))
+ flavor = RPCSEC_GSS_KRB5P;
+ else {
+ if (cp)
+ *cp = savedc;
+ syslog(LOG_ERR, "bad sec flavor: %s", seclist);
+ return (1);
+ }
+ if (ep->ex_numsecflavors == MAXSECFLAVORS) {
+ if (cp)
+ *cp = savedc;
+ syslog(LOG_ERR, "too many sec flavors: %s", seclist);
+ return (1);
+ }
+ ep->ex_secflavors[ep->ex_numsecflavors] = flavor;
+ ep->ex_numsecflavors++;
+ if (cp) {
+ *cp = savedc;
+ seclist = cp + 1;
+ } else {
+ break;
+ }
+ }
+ return (0);
+}
+
+/*
 * Parse the option string and update fields.
 * Option arguments may either be -
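Review bot: The loop in the new xdr_fhs branch uses fhr_numsecflavors as its bound with no check against MAXSECFLAVORS, the size of the ex_secflavors array that fhr_secflavors points into. On the encode path taken from mntsrv the count was already capped by parsesec, so this is defensive rather than a live defect, but XDR routines run in both directions and a decode through this code would write a wire-supplied number of ints through the borrowed pointer; I would guard it with `if (fhrp->fhr_numsecflavors < 0 || fhrp->fhr_numsecflavors > MAXSECFLAVORS) return (0);` before the first xdr_int. The two branches also encode the count with different primitives (xdr_int here, xdr_long in the fallback); both emit one 32-bit XDR word, so a one-line comment saying so would save a reader from suspecting a wire-format mismatch. xdr_fhs begins outside this hunk.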