[Announce] gssproxy v0.3.1 available
by Günther Deschner
====================
Release Announcement
====================
Today, gssproxy 0.3.1 has been released.
Major enhancements in gssproxy 0.3.1 include:
o Fix use of gssproxy for client initiation
o Add new enforcing and filtering options for context initialization
o Fix potential thread safety issues
Changes since 0.3.0:
--------------------
o Günther Deschner (1):
* Change version to 0.3.1
o Simo Sorce (14):
* Preserve requested flags and lifetime
* Add way to return regular oid from special
* Fix calling gpm_inquire_cred_by_mech
* Fix continuations in context establishment calls
* Autoinitialize creds on init_sec_context
* Try impersonation even when a name is not provided
* config: Add code to source flag filters
* server: Implement flag filtering enforcement
* man: Describe new flag filtering/enforcing options
* config: Do not modify const strings
* creds: Allow admins to define only client creds
* Use secure_getenv in client and mechglue module
* Add Thread-safe implementation of strerror()
* Use gp_strerror() everywhere instead of strerror()
=======================================
Reporting bugs & Development Discussion
=======================================
Please discuss this release on the gssproxy mailing list or by
joining the #gssproxy IRC channel on irc.freenode.net.
All bugs should be reported in the gssproxy trac instance:
https://fedorahosted.org/gss-proxy/report
================
Download Details
================
The source code can be downloaded from:
https://fedorahosted.org/gss-proxy/wiki/Releases
The release notes are available online at:
https://fedorahosted.org/gss-proxy/wiki/Releases/v0.3.1
--
Günther Deschner GPG-ID: 8EE11688
Red Hat gdeschner(a)redhat.com
Samba Team gd(a)samba.org
[PATCHES] #111 strerror() thread-safety
by Simo Sorce
Turns out just using strerror_r() is not so easy.
The attached patch should properly address the issue.
Please review very carefully.
I did a smoke test and it worked fine.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
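The pitfall behind "not so easy" is that strerror() may hand back a pointer into a buffer shared by every thread, while strerror_r() exists in two incompatible flavours: the XSI version returns an int and fills the caller's buffer, the GNU version returns a char * that may point at a static string rather than the buffer. The following wrapper is an added example written for this page, not gssproxy's gp_strerror(); the name gp_strerror_example and the C11 _Generic dispatch are this example's own choices. It copies the message into a thread-local buffer so callers get a stable, per-thread pointer whichever strerror_r() the platform provides.

```c
/* Added example, not gssproxy code: a thread-safe strerror() wrapper that
 * works with either strerror_r() ABI.  Requires C11 (_Generic, _Thread_local).
 * _POSIX_C_SOURCE makes strerror_r() visible even under -std=c11. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define GP_STRERROR_BUFLEN 128

/* XSI variant: rc is 0 on success, an errno value otherwise.  glibc fills
 * buf with "Unknown error N" even when it returns EINVAL; other libcs may
 * leave buf untouched, so synthesize a message in that case. */
static const char *gp_strerror_xsi(int rc, char *buf, size_t len, int err)
{
    if (rc != 0 && buf[0] == '\0') {
        snprintf(buf, len, "Unknown error %d", err);
    }
    return buf;
}

/* GNU variant: the return value is the message and may be a static string
 * rather than buf, so copy it into buf to keep the pointer thread-local. */
static const char *gp_strerror_gnu(char *msg, char *buf, size_t len, int err)
{
    if (msg == NULL) {
        snprintf(buf, len, "Unknown error %d", err);
    } else if (msg != buf) {
        snprintf(buf, len, "%s", msg);
    }
    return buf;
}

/* Returns a message for err in a buffer private to the calling thread.
 * _Generic inspects the (unevaluated) type of strerror_r()'s result and
 * selects the matching handler at compile time; strerror_r() runs once. */
const char *gp_strerror_example(int err)
{
    static _Thread_local char buf[GP_STRERROR_BUFLEN];
    buf[0] = '\0';
    return _Generic(strerror_r(err, buf, sizeof(buf)),
                    int: gp_strerror_xsi,
                    char *: gp_strerror_gnu)
           (strerror_r(err, buf, sizeof(buf)), buf, sizeof(buf), err);
}

int main(void)
{
    int errs[] = { ENOENT, EACCES, 99999 };   /* 99999: no such errno */
    for (size_t i = 0; i < sizeof(errs) / sizeof(errs[0]); i++) {
        printf("%d: %s\n", errs[i], gp_strerror_example(errs[i]));
    }
    return 0;
}
```

Because the controlling expression of _Generic is never evaluated, the selection costs nothing at run time and the code compiles unchanged with or without _GNU_SOURCE; a build that picks the wrong branch fails at compile time rather than silently returning a pointer to someone else's buffer.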
[PATCH] Fix for #109 (filtering request flags)
by Simo Sorce
Add filtering flags to enforce client behavior.
This is needed to prevent clients from disclosing TGTs by forwarding them.
By default forwarding credentials via gssproxy is disabled.
Tested with libssh and working.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
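The security point of the patch is that a proxied client must not be able to turn on GSS_C_DELEG_FLAG and have gssproxy forward the TGT it holds on the client's behalf. The block below is an added example, not gssproxy's code: it shows one way a filter/enforce policy of that shape can be applied to the req_flags of a proxied gss_init_sec_context() call before they reach the real mechanism. The bit values are the ones RFC 2744 assigns to the request flags; the flag names accepted by parse_flag_list(), the struct flag_policy layout, the "filter beats enforce" rule and the default policy are assumptions made for this example (see gssproxy.conf(5) for the real option syntax).

```c
/* Added example, not gssproxy code: filter/enforce policy for GSS request flags. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* req_flags bit values as assigned by RFC 2744 for the C bindings. */
#define FLAG_DELEG    0x01u  /* GSS_C_DELEG_FLAG: forward initiator credentials (TGT) */
#define FLAG_MUTUAL   0x02u  /* GSS_C_MUTUAL_FLAG */
#define FLAG_REPLAY   0x04u  /* GSS_C_REPLAY_FLAG */
#define FLAG_SEQUENCE 0x08u  /* GSS_C_SEQUENCE_FLAG */
#define FLAG_CONF     0x10u  /* GSS_C_CONF_FLAG */
#define FLAG_INTEG    0x20u  /* GSS_C_INTEG_FLAG */
#define FLAG_ANON     0x40u  /* GSS_C_ANON_FLAG */

struct flag_name { const char *name; uint32_t bit; };

/* Config token names are an assumption of this example. */
static const struct flag_name flag_names[] = {
    { "DELEGATE",        FLAG_DELEG },
    { "MUTUAL_AUTH",     FLAG_MUTUAL },
    { "REPLAY_DETECT",   FLAG_REPLAY },
    { "SEQUENCE",        FLAG_SEQUENCE },
    { "CONFIDENTIALITY", FLAG_CONF },
    { "INTEGRITY",       FLAG_INTEG },
    { "ANONYMOUS",       FLAG_ANON },
};

/* Parse "DELEGATE, MUTUAL_AUTH" into a bitmask.  Returns 0 on success or -1
 * on an unknown name: fail closed, so a typo never silently widens policy. */
int parse_flag_list(const char *list, uint32_t *mask)
{
    uint32_t out = 0;
    const char *p = list;
    const size_t n = sizeof(flag_names) / sizeof(flag_names[0]);

    while (*p) {
        while (*p == ',' || *p == ' ' || *p == '\t') p++;   /* skip separators */
        if (!*p) break;
        const char *start = p;
        while (*p && *p != ',' && *p != ' ' && *p != '\t') p++;
        size_t len = (size_t)(p - start);
        size_t i;
        for (i = 0; i < n; i++) {
            if (strlen(flag_names[i].name) == len &&
                memcmp(flag_names[i].name, start, len) == 0) {
                out |= flag_names[i].bit;
                break;
            }
        }
        if (i == n) return -1;
    }
    *mask = out;
    return 0;
}

struct flag_policy {
    uint32_t filter;   /* bits removed from every request, whatever the client asked */
    uint32_t enforce;  /* bits added to every request, whatever the client asked */
};

/* Assumed default: strip delegation so a client cannot forward the proxy's
 * TGT; enforce nothing. */
static const struct flag_policy default_policy = { FLAG_DELEG, 0 };

/* Apply the policy to a client's requested flags and return the flags that
 * will actually be passed on.  Filter wins over enforce on overlap.  If
 * stripped is non-NULL it receives the bits the client asked for but did
 * not get, so the server can log the attempt. */
uint32_t apply_flag_policy(uint32_t requested, const struct flag_policy *pol,
                           uint32_t *stripped)
{
    uint32_t effective = (requested | pol->enforce) & ~pol->filter;
    if (stripped) *stripped = requested & ~effective;
    return effective;
}

int main(void)
{
    struct flag_policy pol = default_policy;
    uint32_t filter, enforce, stripped;

    /* Constructed config values for the example. */
    if (parse_flag_list("DELEGATE", &filter) == 0 &&
        parse_flag_list("MUTUAL_AUTH,INTEGRITY", &enforce) == 0) {
        pol.filter = filter;
        pol.enforce = enforce;
    }
    /* A client asking for delegation plus mutual authentication. */
    uint32_t req = FLAG_DELEG | FLAG_MUTUAL;
    uint32_t eff = apply_flag_policy(req, &pol, &stripped);
    printf("requested 0x%02x -> effective 0x%02x (stripped 0x%02x)\n",
           req, eff, stripped);
    return 0;
}
```

Reporting the stripped bits separately matters for operations: a client that keeps asking for DELEGATE against a policy that forbids it is either misconfigured or probing, and a server that merely clears the bit would never say so.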
[PATCHES] Improve credentials handling for init_sec_context
by Simo Sorce
RFC
(patches are untested!)
If a client tries to call init_sec_context directly without explicitly
acquiring credentials first, try to see if we can automatically acquire
credentials on our own.
This will work only in some cases, when impersonation is allowed or when
a client keytab is available for the matching uid.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
[PATCH] Fix for #108
by Simo Sorce
This patch properly implements handling continuations.
This is now possible because MIT kerberos allows exporting partially
established contexts.
However, it does not (yet?) allow inquiring a partially established
context, so we need to handle the case where inquiring fails.
Also make sure GSS_S_CONTINUE_NEEDED is not lost both in the init and
accept cases.
Found by testing libssh, tested and working.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
[PATCHES] Fix gssproxy to work with ssh
by Simo Sorce
While testing gssproxy in conjunction with libssh and its examples I
have discovered 2 glaring issues in the interposer.
1. We were 'forgetting' to send to the gssproxy the requested flags and
lifetime when initializing a context ... oops!
2. We passed an internal special oid to client mechglue functions that
should only see real oids; this caused gss_inquire_creds_by_mech to fail
as internally the mechanism wouldn't match and we'd return an error.
Simo.
--
Simo Sorce * Red Hat, Inc * New York