An NFS client should be able to work properly even if the DNS Reverse
record for the server is not set. This means a DNS lookup should not be
done on server names that are passed to GSSAPI. This patch changes the default
behavior to no longer do those types of lookups.
This change in default behavior could negatively impact some current
environments, so the -D option is also being added that will re-enable
the DNS reverse lookups on server names, which are passed to GSSAPI.
Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
gss_krb5_set_allowable_enctypes(min, cred, num, types)
#endif
gss_krb5_set_allowable_enctypes(min, cred, num, types)
#endif
#endif /* _GSS_UTIL_H_ */
#endif /* _GSS_UTIL_H_ */
static void
usage(char *progname)
{
static void
usage(char *progname)
{
- fprintf(stderr, "usage: %s [-f] [-l] [-M] [-n] [-v] [-r] [-p pipefsdir] [-k keytab] [-d ccachedir] [-t timeout] [-R preferred realm]\n",
+ fprintf(stderr, "usage: %s [-f] [-l] [-M] [-n] [-v] [-r] [-p pipefsdir] [-k keytab] [-d ccachedir] [-t timeout] [-R preferred realm] [-D]\n",
char *progname;
memset(ccachesearch, 0, sizeof(ccachesearch));
char *progname;
memset(ccachesearch, 0, sizeof(ccachesearch));
- while ((opt = getopt(argc, argv, "fvrlmnMp:k:d:t:R:")) != -1) {
+ while ((opt = getopt(argc, argv, "DfvrlmnMp:k:d:t:R:")) != -1) {
switch (opt) {
case 'f':
fg = 1;
switch (opt) {
case 'f':
fg = 1;
errx(1, "Encryption type limits not supported by Kerberos libraries.");
#endif
break;
errx(1, "Encryption type limits not supported by Kerberos libraries.");
#endif
break;
+ case 'D':
+ avoid_dns = 0;
+ break;
default:
usage(argv[0]);
break;
default:
usage(argv[0]);
break;
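Review bot: The new `case 'D'` writes to `avoid_dns`, but the only definition in view, `int avoid_dns = 1;`, lives in the gssd_proc.c hunk further down, and no hunk in view adds a declaration that makes the name visible in this translation unit; unless gssd.h or gss_util.h already carries one, this file fails to compile. If one is missing, the gss_util.h hunk above is the natural place for `extern int avoid_dns;` beside the other shared declarations. The enclosing option-parsing function starts and ends outside the hunk, so I cannot tell from here whether a local declaration was added elsewhere in it.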
rpc.gssd \- RPCSEC_GSS daemon
.SH SYNOPSIS
.B rpc.gssd
rpc.gssd \- RPCSEC_GSS daemon
.SH SYNOPSIS
.B rpc.gssd
.RB [ \-k
.IR keytab ]
.RB [ \-p
.RB [ \-k
.IR keytab ]
.RB [ \-p
.BR rpc.gssd .
.SH OPTIONS
.TP
.BR rpc.gssd .
.SH OPTIONS
.TP
+.B -D
+DNS Reverse lookups are not used for determining the
+server names pass to GSSAPI. This option will reverses that and forces
+the use of DNS Reverse resolution of the server's IP address to
+retrieve the server name to use in GSAPI authentication.
+.TP
#include <errno.h>
#include <gssapi/gssapi.h>
#include <netdb.h>
#include <errno.h>
#include <gssapi/gssapi.h>
#include <netdb.h>
#include "gssd.h"
#include "err_util.h"
#include "gssd.h"
#include "err_util.h"
unsigned long pollsize; /* the size of pollaray (in pollfd's) */
unsigned long pollsize; /* the size of pollaray (in pollfd's) */
+/* Avoid DNS reverse lookups on server names */
+int avoid_dns = 1;
+
/*
* convert a presentation address string to a sockaddr_storage struct. Returns
* true on success or false on failure.
/*
* convert a presentation address string to a sockaddr_storage struct. Returns
* true on success or false on failure.
* convert a sockaddr to a hostname
*/
static char *
* convert a sockaddr to a hostname
*/
static char *
-sockaddr_to_hostname(const struct sockaddr *sa, const char *addr)
+get_servername(const char *name, const struct sockaddr *sa, const char *addr)
{
socklen_t addrlen;
int err;
char *hostname;
char hbuf[NI_MAXHOST];
{
socklen_t addrlen;
int err;
char *hostname;
char hbuf[NI_MAXHOST];
+ unsigned char buf[sizeof(struct in6_addr)];
+ int servername = 0;
+
+ if (avoid_dns) {
+ /*
+ * Determine if this is a server name, or an IP address.
+ * If it is an IP address, do the DNS lookup otherwise
+ * skip the DNS lookup.
+ */
+ servername = 0;
+ if (strchr(name, '.') && inet_pton(AF_INET, name, buf) == 1)
+ servername = 1; /* IPv4 */
+ else if (strchr(name, ':') && inet_pton(AF_INET6, name, buf) == 1)
+ servername = 1; /* or IPv6 */
+
+ if (servername) {
+ return strdup(name);
+ }
+ }
switch (sa->sa_family) {
case AF_INET:
switch (sa->sa_family) {
case AF_INET:
struct sockaddr *addr) {
#define INFOBUFLEN 256
char buf[INFOBUFLEN + 1];
struct sockaddr *addr) {
#define INFOBUFLEN 256
char buf[INFOBUFLEN + 1];
- static char dummy[128];
+ static char server[128];
int nbytes;
static char service[128];
static char address[128];
int nbytes;
static char service[128];
static char address[128];
"service: %127s %15s version %15s\n"
"address: %127s\n"
"protocol: %15s\n",
"service: %127s %15s version %15s\n"
"address: %127s\n"
"protocol: %15s\n",
service, program, version,
address,
protoname);
service, program, version,
address,
protoname);
if (!addrstr_to_sockaddr(addr, address, port))
goto fail;
if (!addrstr_to_sockaddr(addr, address, port))
goto fail;
- *servername = sockaddr_to_hostname(addr, address);
+ *servername = get_servername(server, addr, address);
if (*servername == NULL)
goto fail;
if (*servername == NULL)
goto fail;
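Review bot: The `avoid_dns` branch in get_servername is inverted relative to its own comment and to the commit description: `servername` is set to 1 exactly when inet_pton() accepts `name` as an IPv4 or IPv6 literal, so the early `return strdup(name)` fires for address literals, while a real hostname falls through to the getnameinfo reverse lookup that the new default was meant to skip. As written, mounts by hostname keep the old behaviour, and the host part of the GSSAPI target is still taken from reverse DNS, which the client does not control and which need not match the name the mount was given. The check should keep `name` when it looks like a hostname (contains a dot and is not parseable as an address literal) and fall back to the reverse lookup only otherwise, as in the rewrite below; it also removes the `int servername = 0;` declaration, which is both initialised twice and confusingly shares its name with the `*servername` output pointer in the calling function. get_servername's body continues past the hunk with the `switch (sa->sa_family)` reverse-lookup path.
```c
	if (avoid_dns) {
		/*
		 * Use the name passed in when it is a hostname; only an
		 * address literal (or a bare label) needs the reverse
		 * lookup below.
		 */
		int is_fqdn = (strchr(name, '.') != NULL);
		if (inet_pton(AF_INET, name, buf) == 1)
			is_fqdn = 0;	/* IPv4 literal */
		else if (strchr(name, ':') && inet_pton(AF_INET6, name, buf) == 1)
			is_fqdn = 0;	/* IPv6 literal (may contain '.') */
		if (is_fqdn)
			return strdup(name);
		/* cannot avoid DNS after all: fall through to the reverse lookup */
	}
	/* … unchanged: switch (sa->sa_family) reverse lookup … */
```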