[cvs/f17] Allow CVS server to use any Kerberos key with cvs service name
Petr Pisar
ppisar at fedoraproject.org
Wed Jun 26 10:20:11 UTC 2013
commit a31692bb1020571a05c55f8f5537eabea623d01e
Author: Petr Písař <ppisar at redhat.com>
Date: Wed Jun 26 11:08:45 2013 +0200
Allow CVS server to use any Kerberos key with cvs service name
...erver-to-use-any-Kerberos-key-with-cvs-se.patch | 86 ++++++++++++++++++++
...-IP-address-instead-of-hostname-to-GSSAPI.patch | 70 ----------------
cvs.spec | 11 ++-
3 files changed, 94 insertions(+), 73 deletions(-)
---
diff --git a/cvs-1.11.23-Allow-CVS-server-to-use-any-Kerberos-key-with-cvs-se.patch b/cvs-1.11.23-Allow-CVS-server-to-use-any-Kerberos-key-with-cvs-se.patch
new file mode 100644
index 0000000..5b3e595
--- /dev/null
+++ b/cvs-1.11.23-Allow-CVS-server-to-use-any-Kerberos-key-with-cvs-se.patch
@@ -0,0 +1,86 @@
+From 8a186b2754997ed35f8a88d11457699517dd737c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar at redhat.com>
+Date: Fri, 21 Jun 2013 13:01:55 +0200
+Subject: [PATCH] Allow CVS server to use any Kerberos key with cvs service
+ name
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This removes restriction for host to be equalled to local hostname.
+Previous pinning to hostname prevented from deploying multiple
+instances of a CVS server into a cluster where each node has different
+hostname.
+
+<https://bugzilla.redhat.com/show_bug.cgi?id=671460>
+<https://bugzilla.redhat.com/show_bug.cgi?id=722972>
+
+Signed-off-by: Petr Písař <ppisar at redhat.com>
+---
+ doc/cvs.texinfo | 8 ++++----
+ src/server.c | 19 +++----------------
+ 2 files changed, 7 insertions(+), 20 deletions(-)
+
+diff --git a/doc/cvs.texinfo b/doc/cvs.texinfo
+index ad3a414..3c7796a 100644
+--- a/doc/cvs.texinfo
++++ b/doc/cvs.texinfo
+@@ -2771,10 +2771,10 @@ an empty @file{CVSROOT/passwd} password file, and set
+ @code{SystemAuth=no} in the config file
+ (@pxref{config}).
+
+-The GSSAPI server uses a principal name of
+-cvs/@var{hostname}, where @var{hostname} is the
+-canonical name of the server host. You will have to
+-set this up as required by your GSSAPI mechanism.
++The GSSAPI server uses a principal name of cvs/@var{hostname}, where
++ at var{hostname} can be any name. There is no restriction to canonical
++hostname to allow DNS load-balanced clusters. It assumes your GSSAPI
++mechanism can select a key with a host name matching client's request.
+
+ To connect using GSSAPI, use the @samp{:gserver:} method. For
+ example,
+diff --git a/src/server.c b/src/server.c
+index 0505ab9..586b5da 100644
+--- a/src/server.c
++++ b/src/server.c
+@@ -6168,9 +6168,7 @@ error 0 kerberos: can't get local name: %s\n", krb_get_err_text(status));
+ static void
+ gserver_authenticate_connection ()
+ {
+- char hostname[MAXHOSTNAMELEN];
+ char hbuf[1025];
+- struct addrinfo hints, *res0;
+ gss_buffer_desc tok_in, tok_out;
+ char buf[1024];
+ char *credbuf;
+@@ -6181,23 +6179,12 @@ gserver_authenticate_connection ()
+ int nbytes;
+ gss_OID mechid;
+
+- gethostname (hostname, sizeof hostname);
+- hostname[sizeof(hostname)-1] = '\0';
+- memset (&hints, 0, sizeof(hints));
+- hints.ai_family = af;
+- hints.ai_socktype = SOCK_STREAM;
+- hints.ai_flags = AI_CANONNAME;
+- if (getaddrinfo (hostname, NULL, &hints, &res0))
+- error (1, 0, "can't get canonical hostname");
+-
+- sprintf (buf, "cvs@%s", res0->ai_canonname);
+- freeaddrinfo (res0);
+- tok_in.value = buf;
+- tok_in.length = strlen (buf);
++ tok_in.value = "cvs";
++ tok_in.length = strlen (tok_in.value);
+
+ if (gss_import_name (&stat_min, &tok_in, GSS_C_NT_HOSTBASED_SERVICE,
+ &server_name) != GSS_S_COMPLETE)
+- error (1, 0, "could not import GSSAPI service name %s", buf);
++ error (1, 0, "could not import GSSAPI service name %s", tok_in.value);
+
+ /* Acquire the server credential to verify the client's
+ authentication. */
+--
+1.8.1.4
+
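Review bot: dropping the host part of the host-based service name (`tok_in.value = "cvs";`) changes what this server will accept: instead of tickets for `cvs/<canonical-hostname>` only, it will honour any `cvs/*` key the Kerberos mechanism can find in its keytab, so the keytab contents now define the trust boundary, and the texinfo paragraph should say so explicitly (keep only the `cvs/` keys the node is meant to answer for) rather than just "It assumes your GSSAPI mechanism can select a key with a host name matching client's request". Two smaller points on the same hunk: `af` appeared only in the removed `hints.ai_family = af;` line, so check it is still referenced elsewhere in `gserver_authenticate_connection ()` or drop its declaration to avoid an unused-variable warning; and the doc sentence "There is no restriction to canonical hostname to allow DNS load-balanced clusters" would read better as "The hostname is not restricted to the canonical name, so that DNS load-balanced clusters can share one service name." (The `+ at var{hostname}` in this archive rendering is presumably `@var{hostname}` in the patch file; worth confirming before it lands.)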
diff --git a/cvs.spec b/cvs.spec
index eb397e5..1564b92 100644
--- a/cvs.spec
+++ b/cvs.spec
@@ -5,7 +5,7 @@
Name: cvs
Version: 1.11.23
-Release: 27%{?dist}
+Release: 28%{?dist}
Summary: Concurrent Versions System
Group: Development/Tools
URL: http://cvs.nongnu.org/
@@ -63,7 +63,7 @@ Patch24: cvs-1.11.23-make_make_check_sanity_testing_verbose.patch
Patch25: cvs-1.11.23-Set-PAM_TTY-and-PAM_RHOST-on-PAM-authentication.patch
Patch26: cvs-1.11.23-Back-port-KeywordExpand-configuration-keyword.patch
# bug #722972
-Patch27: cvs-1.11.23-Pass-server-IP-address-instead-of-hostname-to-GSSAPI.patch
+Patch27: cvs-1.11.23-Allow-CVS-server-to-use-any-Kerberos-key-with-cvs-se.patch
# CVE-2012-0804, bug #787683
Patch28: cvs-1.11.23-Fix-proxy-response-parser.patch
# Correct texinfo syntax, bug #970716, submitted to upstream as bug #39166
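Review bot: the `# bug #722972` comment above the new Patch27 line cites only one of the two Bugzilla entries; the patch's own description also references bug #671460, so list both (e.g. `# bug #671460, bug #722972`) to keep the spec's audit trail complete.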
@@ -153,7 +153,7 @@ pages in PDF.
%patch24 -p1 -b .verbose_sanity
%patch25 -p1 -b .set_pam_rhost
%patch26 -p1 -b .keywordexpand
-%patch27 -p1 -b .gssapi_dns
+%patch27 -p1 -b .krb_no_hostname
%patch28 -p1 -b .proxy_response_parser
%patch29 -p1 -b .texinfo_sp
%patch30 -p1 -b .null_crypt
@@ -265,6 +265,11 @@ fi
%changelog
+* Wed Jun 26 2013 Petr Pisar <ppisar at redhat.com> - 1.11.23-28
+- Allow CVS server to use any Kerberos key with cvs service name. This reverts
+ canonicalization on clite side introduced with 1.11.23-20 and replaces it
+ with a more benevolent key selection on server side. (bug #722972)
+
* Wed Jun 05 2013 Petr Pisar <ppisar at redhat.com> - 1.11.23-27
- Fix texinfo documentation to work with texinfo-5.1 (bug #970716)
- Do not crash if crypt(3) returns NULL (bug #966497)
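Review bot: typo in the new changelog entry, "canonicalization on clite side" should read "client side"; and "a more benevolent key selection" leaves the operator guessing, consider "a hostname-independent key selection (any cvs/* key in the keytab)" so the changelog states what actually changed.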