[PATCH 11/28] Add new pipefs file indicating which Kerberos enctypes the kernel supports
Kevin Coffman
kwc at citi.umich.edu
Mon Mar 31 12:51:23 EDT 2008
On Mon, Mar 31, 2008 at 11:47 AM, Chuck Lever <chuck.lever at oracle.com> wrote:
>
>
> On Mar 31, 2008, at 10:31 AM, Kevin Coffman wrote:
> > New file, krb5_info, indicates which Kerberos encryption types are
> > supported by the kernel rpcsecgss code. This is used by gssd to
> > determine which encryption types it should attempt to negotiate
> > when creating a context with a server.
> >
> > The server principal's database and keytab encryption types are
> > what limits what it should negotiate. Therefore, its keytab
> > should be created with only the enctypes listed by this file.
> >
> > From: J. Bruce Fields <bfields at citi.umich.edu>
> > Signed-off-by: Kevin Coffman <kwc at citi.umich.edu>
> > ---
> >
> > net/sunrpc/rpc_pipe.c | 31 +++++++++++++++++++++++++++++++
> > 1 files changed, 31 insertions(+), 0 deletions(-)
> >
> > diff --git a/net/sunrpc/rpc_pipe.c b/net/sunrpc/rpc_pipe.c
> > index 1b395a4..a006f9f 100644
> > --- a/net/sunrpc/rpc_pipe.c
> > +++ b/net/sunrpc/rpc_pipe.c
> > @@ -385,6 +385,31 @@ static const struct file_operations
> > rpc_info_operations = {
> > .release = rpc_info_release,
> > };
> >
> > +/*
> > + * This really belongs in the gss_krb5 code,
> > + * but the info file logically belongs here
> > + */
> > +static int
> > +rpc_show_krb5_info(struct seq_file *m, void *v)
> > +{
> > + seq_printf(m, "enctypes: 3,1,2\n");
> > + return 0;
> > +}
>
> Okay, like, what the hell do these numbers mean? :-) These should
> be generated programmatically rather than hard-coded so we can
> understand exactly what these numbers are and how they are derived.
First, these are the ENCTYPE definition values from the Kerberos specs.
Somewhere we need a list of the supported enctypes. (Since for DES
and DES3 types, several krb5 enctypes are mapped to a single enctype
for GSS use, we can't simply use the list of enctypes defined in the
framework.)
"3,1,2" represent ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_CBC_CRC, and
ENCTYPE_DES_CBC_MD4. Would you prefer something like the following?
	char buf[32];

	snprintf(buf, sizeof(buf), "enctypes: %d,%d,%d\n",
		 ENCTYPE_DES_CBC_MD5,
		 ENCTYPE_DES_CBC_CRC,
		 ENCTYPE_DES_CBC_MD4);
	/* check for buffer truncation */
	seq_puts(m, buf);
> > +
> > +static int
> > +rpc_krb5_info_open(struct inode *inode, struct file *file)
> > +{
> > + return single_open(file, rpc_show_krb5_info, NULL);
> > +}
> > +
> > +static struct file_operations krb5_info_operations = {
> > + .owner = THIS_MODULE,
> > + .open = rpc_krb5_info_open,
> > + .read = seq_read,
> > + .llseek = seq_lseek,
> > + .release = single_release,
> > +};
> > +
> >
> > /*
> > * We have a single directory with 1 node in it.
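Review bot: `krb5_info_operations` is declared `static struct file_operations` while the neighbouring `rpc_info_operations` in the hunk's leading context is `static const struct file_operations`; make the new table `static const` as well. The hard-coded `seq_printf(m, "enctypes: 3,1,2\n");` in rpc_show_krb5_info is the point Chuck raises: gssd and the keytab guidance in the commit message both follow this line, so emit it from the ENCTYPE_* constants (as the reply proposes) or from whatever table the gss_krb5 code keeps, and say in the commit message that the list is currently single-DES only and must be updated whenever the kernel gains an enctype, since a stale list silently narrows what clients will negotiate. Minor: the lone `+` blank line before the unchanged blank context line leaves two empty lines ahead of the `/* We have a single directory` comment.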
> > @@ -396,6 +421,7 @@ enum {
> > RPCAUTH_nfs,
> > RPCAUTH_portmap,
> > RPCAUTH_statd,
> > + RPCAUTH_krb5_info,
> > RPCAUTH_RootEOF
> > };
> >
> > @@ -429,6 +455,11 @@ static struct rpc_filelist files[] = {
> > .name = "statd",
> > .mode = S_IFDIR | S_IRUGO | S_IXUGO,
> > },
> > + [RPCAUTH_krb5_info] = {
> > + .name = "krb5_info",
> > + .i_fop = &krb5_info_operations,
> > + .mode = S_IFREG | S_IRUSR,
> > + },
> > };
> >
> > enum {
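Review bot: `.mode = S_IFREG | S_IRUSR` makes krb5_info readable by root only, unlike the neighbouring `S_IRUGO` entries; the commit message says the file also tells whoever creates the keytab which enctypes to use, so either widen it to `S_IRUGO` (the supported-enctype list is not secret) or state in the commit message why it must be root-only.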
>
> --
> Chuck Lever
> chuck[dot]lever[at]oracle[dot]com
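Added example (not part of this patch or of gssd): a userspace parser for the krb5_info line the patch emits, which rejects malformed input and then intersects a keytab's enctype list with what the kernel advertises, so a client only negotiates types the kernel implements. The ENCTYPE numbers are the RFC 3961 values the reply decodes (1 = DES_CBC_CRC, 2 = DES_CBC_MD4, 3 = DES_CBC_MD5); the krb5_info line, the keytab list and the function names are constructed for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ENCTYPE numbers from RFC 3961: the values the reply decodes "3,1,2" into. */
enum { ENC_DES_CBC_CRC = 1, ENC_DES_CBC_MD4 = 2, ENC_DES_CBC_MD5 = 3 };
/* Parse one "enctypes: a,b,c" line into out[]; returns the count, or -1 on any
 * malformed input so a consumer never negotiates from a half-understood line. */
int parse_krb5_info(const char *text, int *out, int max)
{
    int n = 0;
    if (strncmp(text, "enctypes:", 9) != 0)
        return -1;
    const char *p = text + 9 + strspn(text + 9, " ");
    while (*p != '\0' && *p != '\n') {
        char *end;
        errno = 0;
        long v = strtol(p, &end, 10);
        if (end == p || errno != 0 || v <= 0 || v > 0x7fffffff || n >= max)
            return -1;                  /* junk, non-positive, overflow, too many */
        out[n++] = (int)v;
        p = end;
        if (*p == ',' && p[1] != '\n' && p[1] != '\0')
            p++;                        /* separator with another number behind it */
        else if (*p != '\n' && *p != '\0')
            return -1;                  /* trailing comma or unexpected character */
    }
    return n;
}

/* Keep only the keytab enctypes the kernel advertises, in keytab order. */
int filter_enctypes(const int *kernel, int nk, const int *wanted, int nw, int *out)
{
    int n = 0;
    for (int i = 0; i < nw; i++)
        for (int j = 0; j < nk; j++)
            if (wanted[i] == kernel[j]) { out[n++] = wanted[i]; break; }
    return n;
}

int main(void)
{
    /* Constructed inputs; 18 (aes256-cts, RFC 3962) is absent from the kernel list. */
    int keytab[] = { 18, ENC_DES_CBC_MD5, ENC_DES_CBC_CRC }, kern[16], keep[16];
    int nk = parse_krb5_info("enctypes: 3,1,2\n", kern, 16);
    int n = nk < 0 ? 0 : filter_enctypes(kern, nk, keytab, 3, keep);
    for (int i = 0; i < n; i++) printf("negotiate enctype %d\n", keep[i]);
    return nk < 0;
}
```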