Apply patch from Ian.Baker@cern.ch:

Optional GSS-API Functionality.

This patch implements mutual authentication, out of sequence and
replay detection using the GSS-API.  The changes implemented are
optional and are turned off by default.

This option is specified to the client through an environment variable
as is the name of the server principal to authenticate.  Currently
the server principal can be left unspecified and a default based on
the host keytab will be used.

This option is specified to the daemon through a command line option,
with the name of the principal whose credentials the daemon should
use specified as an environment variable.  A simple handshake is
exchanged between the client and server in order to prevent
unecessary delays and protocol derailments when mixing authenticating
and non-authenticating clients and servers.

Revised based on review comments.
GSS-API authentication is now implemented as a per host option.

Revised further by me (Fergus Henderson) to fix a spelling error
and to rename the per host option from ",gssapi" to ",auth".

1 files changed, 4 insertions, 2 deletions

diff --git a/src/clirpc.c b/src/clirpc.c
index bacbfad..30ce99f 100644
--- a/src/clirpc.c
+++ b/src/clirpc.c
@@ -114,8 +114,10 @@ int dcc_r_result_header(int ifd,
     if ((ret = dcc_r_token_int(ifd, "DONE", &vers)))
         rs_log_error("server provided no answer. "
                      "Is the server configured to allow access from your IP"
-                     " address? Does the server have the compiler installed?"
-                     " Is the server configured to access the compiler?");
+                     " address? Is the server performing authentication and"
+                     " your client isn't? Does the server have the compiler"
+                     " installed? Is the server configured to access the"
+                     " compiler?");
         return ret;
 
     if (vers != expect_ver) {