nfs-utils: Add support to svcgssd to limit the negotiated enctypes
author Kevin Coffman <kwc@citi.umich.edu>
Wed, 6 Apr 2011 15:25:03 +0000 (11:25 -0400)
committer Steve Dickson <steved@redhat.com>
Wed, 6 Apr 2011 15:30:02 +0000 (11:30 -0400)
commit d6c1b35c6b40243bfd6fba2591c9f8f2653078c0
tree 247e6c2bb3a0c99003c7c006ca15cc28b3a3ffe2
parent 73840ef610accf4cf667427bc64805377c0d8394
nfs-utils: Add support to svcgssd to limit the negotiated enctypes

Recent versions of Kerberos libraries negotiate and use
an "acceptor subkey".  This negotiation does not consider
that a service may have limited the encryption keys in its
keytab.  A patch (http://src.mit.edu/fisheye/changelog/krb5/?cs=24603)
has been added to the MIT Kerberos code to allow an application
to indicate that it wants to limit the encryption types negotiated.
(This functionality has been available on the client/initiator
side for a while.  The new patch adds this support to the
server/acceptor side.)

This patch adds support to read a recently added nfsd
proc file to determine the encryption types supported by
the kernel and calls the function to limit encryption
types negotiated for the acceptor subkey.

Signed-off-by: Kevin Coffman <kwc@citi.umich.edu>
Signed-off-by: Steve Dickson <steved@redhat.com>
utils/gssd/Makefile.am
utils/gssd/gss_util.c
utils/gssd/svcgssd.c
utils/gssd/svcgssd_krb5.c [new file with mode: 0644]
utils/gssd/svcgssd_krb5.h [new file with mode: 0644]
utils/gssd/svcgssd_proc.c
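
The commit message describes reading the kernel's supported encryption types and passing them on to limit acceptor subkey negotiation. The following is an added example, not code from this commit or from nfs-utils: a strict parser for such a list that fails closed on malformed input. The comma-separated decimal format, the function name `parse_enctype_list` and the `MAX_ENCTYPES` cap are assumptions made for illustration.

```c
/* Added example, not nfs-utils code. Assumes the kernel-supplied string is a
 * comma-separated list of decimal Kerberos enctype numbers. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_ENCTYPES 32   /* hypothetical cap for this example */

/* Parse "18,17,16,23" into out[], keeping the listed order. Returns the
 * count, or -1 on any malformed input, so a caller never applies a
 * partially parsed restriction. */
int parse_enctype_list(const char *s, int32_t *out, size_t max)
{
    size_t n = 0;
    if (s == NULL || *s == '\0')
        return -1;
    for (;;) {
        char *end;
        long v;
        if (*s < '0' || *s > '9')       /* no sign, space or empty field */
            return -1;
        errno = 0;
        v = strtol(s, &end, 10);
        if (errno != 0 || v <= 0 || v > INT32_MAX)
            return -1;
        for (size_t i = 0; i < n; i++)  /* reject duplicate entries */
            if (out[i] == (int32_t)v)
                return -1;
        if (n == max)                   /* more entries than the caller allows */
            return -1;
        out[n++] = (int32_t)v;
        /* End of list: end of string, or one trailing newline from the file. */
        if (*end == '\0' || (*end == '\n' && end[1] == '\0'))
            break;
        if (*end != ',')
            return -1;
        s = end + 1;
    }
    return (int)n;
}

int main(void)
{
    const char *sample = "18,17,16,23\n";   /* constructed sample input */
    int32_t et[MAX_ENCTYPES];
    int n = parse_enctype_list(sample, et, MAX_ENCTYPES);
    for (int i = 0; i < n; i++)
        printf("enctype %d\n", (int)et[i]);
    return n > 0 ? 0 : 1;
}
```

The resulting array is the kind of value a daemon would hand to the Kerberos library call that restricts negotiated enctypes; what to do when parsing fails is a policy decision for the caller.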