| author | fergus.henderson <fergushenderson@users.noreply.github.com> | 2009-07-23 02:16:18 +0000 |
|---|---|---|
| committer | fergus.henderson <fergushenderson@users.noreply.github.com> | 2009-07-23 02:16:18 +0000 |
| commit | 8a5f0e583a3593803c41ef0719d78e79c38cbcec (patch) | |
| tree | f7f781c1b4a4e47775b6b692b7b4e148fa79ea8d /src/auth.h | |
| parent | 12f786698f9be16fc9d0b76373665c87ab5df5ac (diff) | |
| download | distcc-git-8a5f0e583a3593803c41ef0719d78e79c38cbcec.tar.gz | |
Apply patch from Ian.Baker@cern.ch:
Optional GSS-API Functionality.
This patch implements mutual authentication, out of sequence and
replay detection using the GSS-API. The changes implemented are
optional and are turned off by default.
This option is specified to the client through an environment variable
as is the name of the server principal to authenticate. Currently
the server principal can be left unspecified and a default based on
the host keytab will be used.
This option is specified to the daemon through a command line option,
with the name of the principal whose credentials the daemon should
use specified as an environment variable. A simple handshake is
exchanged between the client and server in order to prevent
unnecessary delays and protocol derailments when mixing authenticating
and non-authenticating clients and servers.
Revised based on review comments.
GSS-API authentication is now implemented as a per host option.
Revised further by me (Fergus Henderson) to fix a spelling error
and to rename the per host option from ",gssapi" to ",auth".
Diffstat (limited to 'src/auth.h')
| -rw-r--r-- | src/auth.h | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/src/auth.h b/src/auth.h new file mode 100644 index 0000000..a0d6b05 --- /dev/null +++ b/src/auth.h @@ -0,0 +1,42 @@ +/* Copyright (C) 2008 CERN + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. + */ + +/* Author: Ian Baker */ + +#include <gssapi/gssapi.h> + +/* Handshake exchange character. */ +#define HANDSHAKE '*' +/* Notification of server access. */ +#define ACCESS 'y' +/* Notification of server access denied. */ +#define NO_ACCESS 'n' + +int dcc_gssapi_acquire_credentials(void); +void dcc_gssapi_release_credentials(void); +int dcc_gssapi_check_client(int to_net_fd, int from_net_fd); +int dcc_gssapi_perform_requested_security(int to_net_fd, + int from_net_fd); +void dcc_gssapi_status_to_log(OM_uint32 status_code, int status_type); +void dcc_gssapi_cleanup(gss_buffer_desc *input_tok, + gss_buffer_desc *output_tok, + gss_name_t *name); +int dcc_gssapi_compare_flags(OM_uint32 req_flags, OM_uint32 ret_flags); +void dcc_gssapi_delete_ctx(gss_ctx_id_t *ctx_handle); +int send_token(int sd, gss_buffer_t token); +int recv_token(int sd, gss_buffer_t token); |
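Review bot: src/auth.h has no include guard; the three macros redefine identically so double inclusion compiles today, but a standard `#ifndef`/`#define`/`#endif` pair around the file keeps that from breaking once the header grows a type or inline definition. Two of the exported prototypes, `int send_token(int sd, gss_buffer_t token);` and `int recv_token(int sd, gss_buffer_t token);`, are the only ones without the `dcc_gssapi_` prefix every other declaration uses; renaming them avoids colliding with the identically named helpers that appear in much GSS-API sample code and in other libraries a distcc binary may be linked against. Finally, none of the prototypes states its return convention or buffer ownership: a one-line comment per function saying whether it returns 0 on success or a distcc error code, and whether `dcc_gssapi_cleanup` releases the `input_tok`, `output_tok` and `name` it is handed, would let callers use the interface without reading the corresponding .c file, and it would also document the meaning of the single-byte `HANDSHAKE`, `ACCESS` and `NO_ACCESS` protocol characters at the point where they are defined.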
