From 8a186b2754997ed35f8a88d11457699517dd737c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
Date: Fri, 21 Jun 2013 13:01:55 +0200
Subject: [PATCH] Allow CVS server to use any Kerberos key with cvs service name
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This removes restriction for host to be equalled to local hostname. Previous pinning to hostname prevented from deploying multiple instances of a CVS server into a cluster where each node has different hostname.

Signed-off-by: Petr Písař
---
 doc/cvs.texinfo | 8 ++++----
 src/server.c | 19 +++----------------
 2 files changed, 7 insertions(+), 20 deletions(-)

diff --git a/doc/cvs.texinfo b/doc/cvs.texinfo
index ad3a414..3c7796a 100644
--- a/doc/cvs.texinfo
+++ b/doc/cvs.texinfo
@@ -2771,10 +2771,10 @@ an empty @file{CVSROOT/passwd} password file, and set
 @code{SystemAuth=no} in the config file (@pxref{config}).
 
-The GSSAPI server uses a principal name of
-cvs/@var{hostname}, where @var{hostname} is the
-canonical name of the server host. You will have to
-set this up as required by your GSSAPI mechanism.
+The GSSAPI server uses a principal name of cvs/@var{hostname}, where
+@var{hostname} can be any name. There is no restriction to canonical
+hostname to allow DNS load-balanced clusters. It assumes your GSSAPI
+mechanism can select a key with a host name matching client's request.
 
 To connect using GSSAPI, use the @samp{:gserver:} method. For example,
diff --git a/src/server.c b/src/server.c
index 0505ab9..586b5da 100644
--- a/src/server.c
+++ b/src/server.c
@@ -6168,9 +6168,7 @@ error 0 kerberos: can't get local name: %s\n", krb_get_err_text(status));
 static void
 gserver_authenticate_connection ()
 {
- char hostname[MAXHOSTNAMELEN];
 char hbuf[1025];
- struct addrinfo hints, *res0;
 gss_buffer_desc tok_in, tok_out;
 char buf[1024];
 char *credbuf;
@@ -6181,23 +6179,12 @@ gserver_authenticate_connection ()
 int nbytes;
 gss_OID mechid;
- gethostname (hostname, sizeof hostname);
- hostname[sizeof(hostname)-1] = '\0';
- memset (&hints, 0, sizeof(hints));
- hints.ai_family = af;
- hints.ai_socktype = SOCK_STREAM;
- hints.ai_flags = AI_CANONNAME;
- if (getaddrinfo (hostname, NULL, &hints, &res0))
- error (1, 0, "can't get canonical hostname");
-
- sprintf (buf, "cvs@%s", res0->ai_canonname);
- freeaddrinfo (res0);
- tok_in.value = buf;
- tok_in.length = strlen (buf);
+ tok_in.value = "cvs";
+ tok_in.length = strlen (tok_in.value);
 if (gss_import_name (&stat_min, &tok_in, GSS_C_NT_HOSTBASED_SERVICE, &server_name) != GSS_S_COMPLETE)
- error (1, 0, "could not import GSSAPI service name %s", buf);
+ error (1, 0, "could not import GSSAPI service name %s", tok_in.value);
 /* Acquire the server credential to verify the client's authentication. */
-- 
1.8.1.4
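Review bot: The empty host part in `tok_in.value = "cvs";` makes the acceptor credential match every `cvs/*` key the server's keytab holds, not just `cvs/<canonical host>`, and neither the code nor the commit message says that the keytab's contents now decide which service principals this server will accept tickets for; a comment on that line is warranted, e.g. `/* No host part: the mechanism may pick any cvs/<host> key in the keytab, so the keytab must hold only the principals this node should serve. */`. Treating an empty host as a wildcard at keytab-lookup time is mechanism-specific (I believe MIT krb5 does it; I would not assume every GSSAPI implementation does, and with one that does not, the credential-acquisition step that follows this hunk could fail or quietly fall back to a single host), so the texinfo sentence about the mechanism selecting a key should name that dependency explicitly. Minor: `tok_in.value` is a `void *`, so passing it to `%s` in the error call draws a -Wformat warning and is strictly not a `char *` argument; `(const char *) tok_in.value` fixes that. gserver_authenticate_connection starts before this hunk and continues after it.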