1 This patch adds a kerberos authentication method to daemon mode.
3 NOTE: minimally munged to work with 3.1.1, but as yet untested!
5 To use this patch, run these commands for a successful build:
7 patch -p1 <patches/kerberos.diff
12 based-on: fe2ef556d9ef11e5dd549e19a06a7a924f7ddfa1
13 diff --git a/Makefile.in b/Makefile.in
16 @@ -47,7 +47,7 @@ OBJS1=flist.o rsync.o generator.o receiver.o cleanup.o sender.o exclude.o \
17 util.o util2.o main.o checksum.o match.o syscall.o log.o backup.o delete.o
18 OBJS2=options.o io.o compat.o hlink.o token.o uidlist.o socket.o hashtable.o \
19 fileio.o batch.o clientname.o chmod.o acls.o xattrs.o
20 -OBJS3=progress.o pipe.o @ASM@
21 +OBJS3=progress.o pipe.o gss-auth.o @ASM@
22 DAEMON_OBJ = params.o loadparm.o clientserver.o access.o connection.o authenticate.o
23 popt_OBJS=popt/findme.o popt/popt.o popt/poptconfig.o \
24 popt/popthelp.o popt/poptparse.o
25 diff --git a/clientserver.c b/clientserver.c
28 @@ -137,7 +137,7 @@ int start_socket_client(char *host, int remote_argc, char *remote_argv[],
32 - ret = start_inband_exchange(fd, fd, user, remote_argc, remote_argv);
33 + ret = start_inband_exchange(fd, fd, user, host, remote_argc, remote_argv);
35 return ret ? ret : client_run(fd, fd, -1, argc, argv);
37 @@ -214,7 +214,7 @@ static int exchange_protocols(int f_in, int f_out, char *buf, size_t bufsiz, int
41 -int start_inband_exchange(int f_in, int f_out, const char *user, int argc, char *argv[])
42 +int start_inband_exchange(int f_in, int f_out, const char *user, const char *host, int argc, char *argv[])
45 char line[BIGPATHBUFLEN];
46 @@ -329,6 +329,17 @@ int start_inband_exchange(int f_in, int f_out, const char *user, int argc, char
50 + if (strcmp(line, "@RSYNCD: GSS") == 0) {
52 + if (auth_gss_client(f_out, host) < 0)
56 + rprintf(FERROR, "GSSAPI is not supported\n");
61 if (strcmp(line,"@RSYNCD: OK") == 0)
64 @@ -685,7 +696,12 @@ static int rsync_module(int f_in, int f_out, int i, const char *addr, const char
67 read_only = lp_read_only(i); /* may also be overridden by auth_server() */
68 - auth_user = auth_server(f_in, f_out, i, host, addr, "@RSYNCD: AUTHREQD ");
70 + if (lp_use_gssapi(i))
71 + auth_user = auth_gss_server(f_in, f_out, i, host, addr, "@RSYNCD: GSS");
74 + auth_user = auth_server(f_in, f_out, i, host, addr, "@RSYNCD: AUTHREQD ");
77 io_printf(f_out, "@ERROR: auth failed on module %s\n", name);
78 diff --git a/configure.ac b/configure.ac
81 @@ -918,6 +918,31 @@ if test x"$enable_iconv" != x"no"; then
82 AC_DEFINE(UTF8_CHARSET, "UTF-8", [String to pass to iconv() for the UTF-8 charset.])
85 +AC_ARG_WITH([gssapi],
86 + [AS_HELP_STRING([--with-gssapi],
87 + [support GSSAPI authentication @<:@default=check@:>@])],
89 + [with_gssapi=check])
91 +AH_TEMPLATE([GSSAPI_OPTION],
92 +[Define if you want GSSAPI authentication. Specifing a value will set the search path.])
94 +AS_IF([test "x$with_gssapi" != xno],
95 + [AC_SEARCH_LIBS([gss_import_name], gss gssapi_krb5 ,
96 + [AC_CHECK_HEADERS(gssapi/gssapi_generic.h gssapi/gssapi.h) ]
97 + [ AC_DEFINE([GSSAPI_OPTION], [1]) ]
99 + [if test "x$with_gssapi" = xcheck; then
101 + [--with-gssapi was given, but test for function failed])
106 +if test x"$enable_gssapi" != x"no"; then
107 + AC_DEFINE(GSSAPI_OPTION, 1)
110 AC_CACHE_CHECK([whether chown() modifies symlinks],rsync_cv_chown_modifies_symlink,[
111 AC_RUN_IFELSE([AC_LANG_SOURCE([[
113 diff --git a/gss-auth.c b/gss-auth.c
119 + * GSSAPI authentication.
121 + * Copyright (C) 1998-2001 Andrew Tridgell <tridge@samba.org>
122 + * Copyright (C) 2001-2002 Martin Pool <mbp@samba.org>
123 + * Copyright (C) 2002-2008 Wayne Davison
125 + * This program is free software; you can redistribute it and/or modify
126 + * it under the terms of the GNU General Public License as published by
127 + * the Free Software Foundation; either version 3 of the License, or
128 + * (at your option) any later version.
130 + * This program is distributed in the hope that it will be useful,
131 + * but WITHOUT ANY WARRANTY; without even the implied warranty of
132 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
133 + * GNU General Public License for more details.
135 + * You should have received a copy of the GNU General Public License along
136 + * with this program; if not, visit the http://fsf.org website.
141 +#ifdef GSSAPI_OPTION
143 +#define RSYNC_GSS_SERVICE "host"
145 +struct init_context_data {
146 + gss_cred_id_t initiator_cred_handle;
147 + gss_ctx_id_t *context_handle;
148 + gss_name_t target_name;
150 + OM_uint32 req_flags;
151 + OM_uint32 time_req;
152 + gss_channel_bindings_t input_chan_bindings;
153 + gss_OID *actual_mech_type;
154 + OM_uint32 *ret_flags;
155 + OM_uint32 *time_rec;
158 +struct accept_context_data {
159 + gss_ctx_id_t *context_handle;
160 + gss_cred_id_t acceptor_cred_handle;
161 + gss_channel_bindings_t input_chan_bindings;
162 + gss_name_t *src_name;
163 + gss_OID *mech_type;
164 + OM_uint32 *ret_flags;
165 + OM_uint32 *time_rec;
166 + gss_cred_id_t *delegated_cred_handle;
169 +int auth_gss_client(int fd, const char *host)
171 + gss_ctx_id_t ctxt = GSS_C_NO_CONTEXT;
172 + gss_name_t target_name = GSS_C_NO_NAME;
173 + struct init_context_data cb_data;
176 + OM_uint32 min_stat;
178 + buffer = new_array(char, (strlen(host) + 2 + strlen(RSYNC_GSS_SERVICE)));
180 + sprintf(buffer, "%s@%s", RSYNC_GSS_SERVICE, host);
182 + import_gss_name(&target_name, buffer, GSS_C_NT_HOSTBASED_SERVICE);
185 + cb_data.initiator_cred_handle = GSS_C_NO_CREDENTIAL;
186 + cb_data.context_handle = &ctxt;
187 + cb_data.target_name = target_name;
188 + cb_data.mech_type = GSS_C_NO_OID;
189 + cb_data.req_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG;
190 + cb_data.time_req = 0;
191 + cb_data.input_chan_bindings = GSS_C_NO_CHANNEL_BINDINGS;
192 + cb_data.actual_mech_type = NULL;
193 + cb_data.ret_flags = NULL;
194 + cb_data.time_rec = NULL;
196 + status = do_gss_dialog(fd, fd, 0, &cb_init_sec_context, (void *)&cb_data);
197 + if (ctxt != GSS_C_NO_CONTEXT)
198 + gss_delete_sec_context(&min_stat, &ctxt, GSS_C_NO_BUFFER);
199 + free_gss_name(&target_name);
205 + * The call back function for a gss_init_sec_context dialog
207 +OM_uint32 cb_init_sec_context(OM_uint32 *min_statp, gss_buffer_t in_token, gss_buffer_t out_token, void *cb_data)
209 + struct init_context_data *context_data;
211 + context_data = (struct init_context_data *) cb_data;
212 + return gss_init_sec_context(min_statp, context_data->initiator_cred_handle, context_data->context_handle, context_data->target_name, context_data->mech_type, context_data->req_flags, context_data->time_req, context_data->input_chan_bindings, in_token, context_data->actual_mech_type, out_token, context_data->ret_flags, context_data->time_rec);
215 +/* Possibly negotiate authentication with the client. Use "leader" to
216 + * start off the auth if necessary.
218 + * Return NULL if authentication failed. Return "" if anonymous access.
219 + * Otherwise return username.
221 +char *auth_gss_server(int fd_in, int fd_out, int module, const char *host, const char *addr, const char *leader)
223 + struct accept_context_data cb_data;
224 + gss_cred_id_t server_creds = GSS_C_NO_CREDENTIAL;
225 + gss_ctx_id_t context = GSS_C_NO_CONTEXT;
226 + OM_uint32 ret_flags;
227 + char *users = lp_auth_users(module);
228 + OM_uint32 maj_stat, min_stat;
229 + gss_name_t server_name = GSS_C_NO_NAME;
230 + gss_name_t client_name = GSS_C_NO_NAME;
231 + gss_OID doid = GSS_C_NO_OID;
234 + /* if no auth list then allow anyone in! */
235 + if (!users || !*users)
238 + import_gss_name(&server_name, "host", GSS_C_NT_HOSTBASED_SERVICE);
240 + maj_stat = gss_acquire_cred(&min_stat, server_name, GSS_C_INDEFINITE, GSS_C_NULL_OID_SET, GSS_C_ACCEPT, &server_creds, NULL, NULL);
241 + if (maj_stat != GSS_S_COMPLETE) {
242 + error_gss(maj_stat, min_stat, "error acquiring credentials on module %s from %s (%s)", lp_name(module), host, addr);
246 + io_printf(fd_out, "%s\n", leader);
248 + cb_data.context_handle = &context;
249 + cb_data.acceptor_cred_handle = server_creds;
250 + cb_data.input_chan_bindings = GSS_C_NO_CHANNEL_BINDINGS;
251 + cb_data.src_name = &client_name;
252 + cb_data.mech_type = &doid;
253 + cb_data.ret_flags = &ret_flags;
254 + cb_data.time_rec = NULL;
255 + cb_data.delegated_cred_handle = NULL;
257 + if (do_gss_dialog(fd_in, fd_out, -1, &cb_accept_sec_context, (void *)&cb_data) < 0)
260 + user = get_cn(client_name, doid);
262 + free_gss_name(&server_name);
263 + free_gss_name(&client_name);
269 + * The call back function for a gss_accept_sec_context dialog
271 +OM_uint32 cb_accept_sec_context(OM_uint32 *min_statp, gss_buffer_t in_token, gss_buffer_t out_token, void *cb_data)
273 + struct accept_context_data *context_data;
275 + context_data = (struct accept_context_data *) cb_data;
276 + return gss_accept_sec_context(min_statp, context_data->context_handle, context_data->acceptor_cred_handle, in_token, context_data->input_chan_bindings, context_data->src_name, context_data->mech_type, out_token, context_data->ret_flags, context_data->time_rec, context_data->delegated_cred_handle);
279 +void free_gss_buffer(gss_buffer_t gss_buffer)
281 + OM_uint32 maj_stat, min_stat;
283 + if (gss_buffer->length > 0) {
284 + maj_stat = gss_release_buffer(&min_stat, gss_buffer);
285 + if (maj_stat != GSS_S_COMPLETE) {
286 + error_gss(maj_stat, min_stat, "can't release a buffer");
291 +void free_gss_name(gss_name_t *gss_buffer)
293 + OM_uint32 maj_stat, min_stat;
295 + if (*gss_buffer != GSS_C_NO_NAME) {
296 + maj_stat = gss_release_name(&min_stat, gss_buffer);
297 + if (maj_stat != GSS_S_COMPLETE) {
298 + error_gss(maj_stat, min_stat, "can't release a name");
303 +void import_gss_name(gss_name_t *gss_name, const char *name, gss_OID type)
305 + gss_buffer_desc gssname;
306 + OM_uint32 maj_stat, min_stat;
308 + gssname.value = strdup(name);
309 + gssname.length = strlen(name) +1 ;
311 + maj_stat = gss_import_name(&min_stat, &gssname, type, gss_name);
313 + if (maj_stat != GSS_S_COMPLETE)
314 + error_gss(maj_stat, min_stat, "can't resolve %s", name);
316 + free_gss_buffer(&gssname);
319 +char *export_name(const gss_name_t input_name)
321 + OM_uint32 maj_stat, min_stat;
322 + gss_buffer_desc exported_name;
328 + maj_stat = gss_display_name(&min_stat, input_name, &exported_name, &name_oid);
329 + if (maj_stat != GSS_S_COMPLETE) {
330 + error_gss(maj_stat, min_stat, "can't get display name");
334 + if (exported_name.length > 0)
335 + exported = strdup(exported_name.value);
337 + free_gss_buffer(&exported_name);
342 +void error_gss(OM_uint32 major, OM_uint32 minor, const char *format, ...)
344 + OM_uint32 min_stat;
345 + gss_buffer_desc gss_msg = GSS_C_EMPTY_BUFFER;
348 + char message[BIGPATHBUFLEN];
350 + va_start(ap, format);
351 + vsnprintf(message, sizeof message, format, ap);
355 + if (major != GSS_S_FAILURE) /* Don't print unspecified failure, the message is useless */
357 + gss_display_status(&min_stat, major, GSS_C_GSS_CODE, GSS_C_NULL_OID, &msg_ctx, &gss_msg);
358 + rprintf(FERROR, "GSS-API error: %s: %s\n", message, (char *) gss_msg.value);
359 + free_gss_buffer(&gss_msg);
360 + } while (msg_ctx != 0);
364 + gss_display_status(&min_stat, minor, GSS_C_MECH_CODE, GSS_C_NULL_OID, &msg_ctx, &gss_msg);
365 + rprintf(FERROR, "GSS-API error: %s: %s\n",message, (char *) gss_msg.value);
366 + free_gss_buffer(&gss_msg);
367 + } while (msg_ctx != 0);
372 + * This function manage a gss dialog
373 + * gss tokens are eaten by a call-back function and then send by this function.
374 + * Argument to this function can be passed throught the cb_data argument
375 + * When told to act as a server, it just begin to wait for a first token before beginning operation
378 +int do_gss_dialog(int fd_in, int fd_out, int isServer, OM_uint32 (*eat_token)(OM_uint32 *,gss_buffer_t, gss_buffer_t, void *), void *cb_data)
380 + OM_uint32 maj_stat, min_stat;
381 + gss_buffer_desc in_token = GSS_C_EMPTY_BUFFER;
382 + gss_buffer_desc out_token = GSS_C_EMPTY_BUFFER;
385 + recv_gss_token(fd_in, &in_token);
388 + maj_stat = (*eat_token)(&min_stat, &in_token, &out_token, cb_data);
389 + free_gss_buffer(&in_token);
390 + if (maj_stat != GSS_S_COMPLETE
391 + && maj_stat != GSS_S_CONTINUE_NEEDED) {
392 + error_gss(maj_stat, min_stat, "error during dialog");
396 + if (out_token.length != 0) {
397 + send_gss_token(fd_out, &out_token);
399 + free_gss_buffer(&out_token);
401 + if (maj_stat == GSS_S_CONTINUE_NEEDED) {
402 + recv_gss_token(fd_in, &in_token);
404 + } while (maj_stat == GSS_S_CONTINUE_NEEDED);
409 +char *get_cn(const gss_name_t input_name, const gss_OID mech_type)
411 + OM_uint32 maj_stat, min_stat;
412 + gss_name_t output_name;
413 + gss_buffer_desc exported_name;
417 + maj_stat = gss_canonicalize_name(&min_stat, input_name, mech_type, &output_name);
418 + if (maj_stat != GSS_S_COMPLETE) {
419 + error_gss(maj_stat, min_stat, "canonizing name");
423 + maj_stat = gss_export_name(&min_stat, output_name, &exported_name);
424 + if (maj_stat != GSS_S_COMPLETE) {
425 + error_gss(maj_stat, min_stat, "canonizing name");
428 + if (exported_name.length > 0)
429 + cn = strdup(exported_name.value);
431 + free_gss_name(&output_name);
432 + free_gss_buffer(&exported_name);
437 +void send_gss_token(int fd, gss_buffer_t token)
439 + write_int(fd, token->length);
440 + write_buf(fd, token->value, token->length);
443 +void recv_gss_token(int fd, gss_buffer_t token)
445 + token->length = read_int(fd);
446 + if (token->length > 0) {
447 + token->value = new_array(char, token->length);
448 + read_buf(fd, token->value, token->length);
451 +#endif /* GSSAPI_OPTION */
452 diff --git a/loadparm.c b/loadparm.c
455 @@ -191,6 +191,7 @@ typedef struct {
457 BOOL transfer_logging;
463 @@ -308,6 +309,7 @@ static const all_vars Defaults = {
464 /* strict_modes; */ True,
465 /* transfer_logging; */ False,
466 /* use_chroot; */ True,
467 + /* use_gssapi; */ False,
468 /* write_only; */ False,
471 @@ -451,6 +453,7 @@ static struct parm_struct parm_table[] =
472 {"transfer logging", P_BOOL, P_LOCAL, &Vars.l.transfer_logging, NULL,0},
473 {"uid", P_STRING, P_LOCAL, &Vars.l.uid, NULL,0},
474 {"use chroot", P_BOOL, P_LOCAL, &Vars.l.use_chroot, NULL,0},
475 + {"use gssapi", P_BOOL, P_LOCAL, &Vars.l.use_gssapi, NULL,0},
476 {"write only", P_BOOL, P_LOCAL, &Vars.l.write_only, NULL,0},
477 {NULL, P_BOOL, P_NONE, NULL, NULL,0}
479 @@ -592,6 +595,7 @@ FN_LOCAL_BOOL(lp_reverse_lookup, reverse_lookup)
480 FN_LOCAL_BOOL(lp_strict_modes, strict_modes)
481 FN_LOCAL_BOOL(lp_transfer_logging, transfer_logging)
482 FN_LOCAL_BOOL(lp_use_chroot, use_chroot)
483 +FN_LOCAL_BOOL(lp_use_gssapi, use_gssapi)
484 FN_LOCAL_BOOL(lp_write_only, write_only)
486 /* Assign a copy of v to *s. Handles NULL strings. We don't worry
487 diff --git a/main.c b/main.c
490 @@ -1522,7 +1522,7 @@ static int start_client(int argc, char *argv[])
491 * remote shell command, we need to do the RSYNCD protocol first */
492 if (daemon_over_rsh) {
494 - tmpret = start_inband_exchange(f_in, f_out, shell_user, remote_argc, remote_argv);
495 + tmpret = start_inband_exchange(f_in, f_out, shell_user, shell_machine, remote_argc, remote_argv);
499 diff --git a/rsync.h b/rsync.h
502 @@ -498,6 +498,15 @@ enum delret {
506 +#ifdef GSSAPI_OPTION
507 +#ifdef HAVE_GSSAPI_GSSAPI_GENERIC_H
508 +#include <gssapi/gssapi_generic.h>
510 +#ifdef HAVE_GSSAPI_GSSAPI_H
511 +#include <gssapi/gssapi.h>
517 #include "lib/pool_alloc.h"