[cvs/f17] Allow CVS server to use any Kerberos key with cvs service name

Petr Pisar ppisar at fedoraproject.org
Wed Jun 26 10:20:11 UTC 2013


commit a31692bb1020571a05c55f8f5537eabea623d01e
Author: Petr Písař <ppisar at redhat.com>
Date:   Wed Jun 26 11:08:45 2013 +0200

    Allow CVS server to use any Kerberos key with cvs service name

 ...erver-to-use-any-Kerberos-key-with-cvs-se.patch |   86 ++++++++++++++++++++
 ...-IP-address-instead-of-hostname-to-GSSAPI.patch |   70 ----------------
 cvs.spec                                           |   11 ++-
 3 files changed, 94 insertions(+), 73 deletions(-)
---
diff --git a/cvs-1.11.23-Allow-CVS-server-to-use-any-Kerberos-key-with-cvs-se.patch b/cvs-1.11.23-Allow-CVS-server-to-use-any-Kerberos-key-with-cvs-se.patch
new file mode 100644
index 0000000..5b3e595
--- /dev/null
+++ b/cvs-1.11.23-Allow-CVS-server-to-use-any-Kerberos-key-with-cvs-se.patch
@@ -0,0 +1,86 @@
+From 8a186b2754997ed35f8a88d11457699517dd737c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar at redhat.com>
+Date: Fri, 21 Jun 2013 13:01:55 +0200
+Subject: [PATCH] Allow CVS server to use any Kerberos key with cvs service
+ name
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This removes restriction for host to be equalled to local hostname.
+Previous pinning to hostname prevented from deploying multiple
+instances of a CVS server into a cluster where each node has different
+hostname.
+
+<https://bugzilla.redhat.com/show_bug.cgi?id=671460>
+<https://bugzilla.redhat.com/show_bug.cgi?id=722972>
+
+Signed-off-by: Petr Písař <ppisar at redhat.com>
+---
+ doc/cvs.texinfo |  8 ++++----
+ src/server.c    | 19 +++----------------
+ 2 files changed, 7 insertions(+), 20 deletions(-)
+
+diff --git a/doc/cvs.texinfo b/doc/cvs.texinfo
+index ad3a414..3c7796a 100644
+--- a/doc/cvs.texinfo
++++ b/doc/cvs.texinfo
+@@ -2771,10 +2771,10 @@ an empty @file{CVSROOT/passwd} password file, and set
+ @code{SystemAuth=no} in the config file
+ (@pxref{config}).
+ 
+-The GSSAPI server uses a principal name of
+-cvs/@var{hostname}, where @var{hostname} is the
+-canonical name of the server host.  You will have to
+-set this up as required by your GSSAPI mechanism.
++The GSSAPI server uses a principal name of cvs/@var{hostname}, where
++ at var{hostname} can be any name.  There is no restriction to canonical
++hostname to allow DNS load-balanced clusters.  It assumes your GSSAPI
++mechanism can select a key with a host name matching client's request.
+ 
+ To connect using GSSAPI, use the @samp{:gserver:} method.  For
+ example,
+diff --git a/src/server.c b/src/server.c
+index 0505ab9..586b5da 100644
+--- a/src/server.c
++++ b/src/server.c
+@@ -6168,9 +6168,7 @@ error 0 kerberos: can't get local name: %s\n", krb_get_err_text(status));
+ static void
+ gserver_authenticate_connection ()
+ {
+-    char hostname[MAXHOSTNAMELEN];
+     char hbuf[1025];
+-    struct addrinfo hints, *res0;
+     gss_buffer_desc tok_in, tok_out;
+     char buf[1024];
+     char *credbuf;
+@@ -6181,23 +6179,12 @@ gserver_authenticate_connection ()
+     int nbytes;
+     gss_OID mechid;
+ 
+-    gethostname (hostname, sizeof hostname);
+-    hostname[sizeof(hostname)-1] = '\0';
+-    memset (&hints, 0, sizeof(hints));
+-    hints.ai_family = af;
+-    hints.ai_socktype = SOCK_STREAM;
+-    hints.ai_flags = AI_CANONNAME;
+-    if (getaddrinfo (hostname, NULL, &hints, &res0))
+-	error (1, 0, "can't get canonical hostname");
+-
+-    sprintf (buf, "cvs@%s", res0->ai_canonname);
+-    freeaddrinfo (res0);
+-    tok_in.value = buf;
+-    tok_in.length = strlen (buf);
++    tok_in.value = "cvs";
++    tok_in.length = strlen (tok_in.value);
+ 
+     if (gss_import_name (&stat_min, &tok_in, GSS_C_NT_HOSTBASED_SERVICE,
+ 			 &server_name) != GSS_S_COMPLETE)
+-	error (1, 0, "could not import GSSAPI service name %s", buf);
++	error (1, 0, "could not import GSSAPI service name %s", tok_in.value);
+ 
+     /* Acquire the server credential to verify the client's
+        authentication.  */
+-- 
+1.8.1.4
+
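Review bot: `error (1, 0, "could not import GSSAPI service name %s", tok_in.value)` now passes a `void *` (`gss_buffer_desc.value`) to a `%s` conversion, which `-Wformat` flags as a type mismatch, and `strlen (tok_in.value)` likewise relies on an implicit `void *` conversion; keeping the name in a typed local avoids both: `char service[] = "cvs";` among the declarations, then `tok_in.value = service; tok_in.length = sizeof service - 1;` and `error (1, 0, "could not import GSSAPI service name %s", service);`. Dropping the `@host` part means the mechanism may pick any `cvs/*` key it finds in the server keytab, as the cvs.texinfo hunk says; a comment at the assignment such as `/* No host component: the GSSAPI mechanism may select any cvs/<host> key in the keytab (bugs #671460, #722972).  */` keeps that intent visible next to the code, and deployments should keep only the intended instances in that keytab. `buf` stays declared after the `sprintf` is removed and is presumably still used later in the function; gserver_authenticate_connection's body continues past the hunk.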
diff --git a/cvs.spec b/cvs.spec
index eb397e5..1564b92 100644
--- a/cvs.spec
+++ b/cvs.spec
@@ -5,7 +5,7 @@
 
 Name: cvs
 Version: 1.11.23
-Release: 27%{?dist}
+Release: 28%{?dist}
 Summary: Concurrent Versions System
 Group: Development/Tools
 URL: http://cvs.nongnu.org/
@@ -63,7 +63,7 @@ Patch24: cvs-1.11.23-make_make_check_sanity_testing_verbose.patch
 Patch25: cvs-1.11.23-Set-PAM_TTY-and-PAM_RHOST-on-PAM-authentication.patch
 Patch26: cvs-1.11.23-Back-port-KeywordExpand-configuration-keyword.patch
 # bug #722972
-Patch27: cvs-1.11.23-Pass-server-IP-address-instead-of-hostname-to-GSSAPI.patch
+Patch27: cvs-1.11.23-Allow-CVS-server-to-use-any-Kerberos-key-with-cvs-se.patch
 # CVE-2012-0804, bug #787683
 Patch28: cvs-1.11.23-Fix-proxy-response-parser.patch
 # Correct texinfo syntax, bug #970716, submitted to upstream as bug #39166
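Review bot: The `# bug #722972` comment above `Patch27` no longer fully describes the patch it now names: the patch header added in this commit cites both bug #671460 and bug #722972, so the comment should list both, e.g. `# bug #671460, bug #722972`. The surrounding `Patch25`/`Patch26`/`Patch28` lines are unchanged context.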
@@ -153,7 +153,7 @@ pages in PDF.
 %patch24 -p1 -b .verbose_sanity
 %patch25 -p1 -b .set_pam_rhost
 %patch26 -p1 -b .keywordexpand
-%patch27 -p1 -b .gssapi_dns
+%patch27 -p1 -b .krb_no_hostname
 %patch28 -p1 -b .proxy_response_parser
 %patch29 -p1 -b .texinfo_sp
 %patch30 -p1 -b .null_crypt
@@ -265,6 +265,11 @@ fi
 
 
 %changelog
+* Wed Jun 26 2013 Petr Pisar <ppisar at redhat.com> - 1.11.23-28
+- Allow CVS server to use any Kerberos key with cvs service name. This reverts
+  canonicalization on clite side introduced with 1.11.23-20 and replaces it
+  with a more benevolent key selection on server side. (bug #722972)
+
 * Wed Jun 05 2013 Petr Pisar <ppisar at redhat.com> - 1.11.23-27
 - Fix texinfo documentation to work with texinfo-5.1 (bug #970716)
 - Do not crash if crypt(3) returns NULL (bug #966497)

