From 8a186b2754997ed35f8a88d11457699517dd737c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Fri, 21 Jun 2013 13:01:55 +0200
Subject: [PATCH] Allow CVS server to use any Kerberos key with cvs service
name
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This removes the restriction that the host must equal the local hostname.
The previous pinning to the hostname prevented deploying multiple
instances of a CVS server into a cluster where each node has a different
hostname.
<https://bugzilla.redhat.com/show_bug.cgi?id=671460>
<https://bugzilla.redhat.com/show_bug.cgi?id=722972>
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
doc/cvs.texinfo | 8 ++++----
src/server.c | 19 +++----------------
2 files changed, 7 insertions(+), 20 deletions(-)
diff --git a/doc/cvs.texinfo b/doc/cvs.texinfo
index ad3a414..3c7796a 100644
--- a/doc/cvs.texinfo
+++ b/doc/cvs.texinfo
@@ -2771,10 +2771,10 @@ an empty @file{CVSROOT/passwd} password file, and set
@code{SystemAuth=no} in the config file
(@pxref{config}).
-The GSSAPI server uses a principal name of
-cvs/@var{hostname}, where @var{hostname} is the
-canonical name of the server host. You will have to
-set this up as required by your GSSAPI mechanism.
+The GSSAPI server uses a principal name of cvs/@var{hostname}, where
+@var{hostname} can be any name. There is no restriction to canonical
+hostname to allow DNS load-balanced clusters. It assumes your GSSAPI
+mechanism can select a key with a host name matching client's request.
To connect using GSSAPI, use the @samp{:gserver:} method. For
example,
diff --git a/src/server.c b/src/server.c
index 0505ab9..586b5da 100644
--- a/src/server.c
+++ b/src/server.c
@@ -6168,9 +6168,7 @@ error 0 kerberos: can't get local name: %s\n", krb_get_err_text(status));
static void
gserver_authenticate_connection ()
{
- char hostname[MAXHOSTNAMELEN];
char hbuf[1025];
- struct addrinfo hints, *res0;
gss_buffer_desc tok_in, tok_out;
char buf[1024];
char *credbuf;
@@ -6181,23 +6179,12 @@ gserver_authenticate_connection ()
int nbytes;
gss_OID mechid;
- gethostname (hostname, sizeof hostname);
- hostname[sizeof(hostname)-1] = '\0';
- memset (&hints, 0, sizeof(hints));
- hints.ai_family = af;
- hints.ai_socktype = SOCK_STREAM;
- hints.ai_flags = AI_CANONNAME;
- if (getaddrinfo (hostname, NULL, &hints, &res0))
- error (1, 0, "can't get canonical hostname");
-
- sprintf (buf, "cvs@%s", res0->ai_canonname);
- freeaddrinfo (res0);
- tok_in.value = buf;
- tok_in.length = strlen (buf);
+ tok_in.value = "cvs";
+ tok_in.length = strlen (tok_in.value);
if (gss_import_name (&stat_min, &tok_in, GSS_C_NT_HOSTBASED_SERVICE,
&server_name) != GSS_S_COMPLETE)
- error (1, 0, "could not import GSSAPI service name %s", buf);
+ error (1, 0, "could not import GSSAPI service name %s", tok_in.value);
/* Acquire the server credential to verify the client's
authentication. */
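Review bot: The new acceptor name `cvs` with no host part relies on the GSSAPI mechanism matching any `cvs/<host>` key in the keytab, and the code carries no comment saying so, so a reader seeing `tok_in.value = "cvs";` will assume the host was dropped by accident. Add above that line: `/* Host-based service name without a host part: let the mechanism select any cvs/<host> key in the keytab, so load-balanced nodes need not know their canonical name. */`. Whether a mechanism honours a host-less name this way is implementation-dependent (the texinfo hunk already hedges this as an assumption), so operators should keep the keytab limited to the cvs/ keys this node is meant to serve. Minor: `tok_in.value` is a `void *`, so `strlen (tok_in.value)` and the `%s` argument in the `error` call read more cleanly with the name in a char array, e.g. `static char service[] = "cvs";` / `tok_in.value = service;` / `tok_in.length = sizeof service - 1;`, and `service` passed to `error`. gserver_authenticate_connection continues past the end of the hunk, so I cannot see whether `buf`, still declared in the first hunk, is used later; if not, it is now an unused local.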
--
1.8.1.4