[Cvs-cvs] ccvs ChangeLog NEWS doc/ChangeLog doc/cvs.texin...


From: Mark D. Baushke
Subject: [Cvs-cvs] ccvs ChangeLog NEWS doc/ChangeLog doc/cvs.texin...
Date: Wed, 13 Jun 2007 01:23:39 +0000

CVSROOT:        /cvsroot/cvs
Module name:    ccvs
Changes by:     Mark D. Baushke <mdb>   07/06/13 01:23:38

Modified files:
        .              : ChangeLog NEWS 
        doc            : ChangeLog cvs.texinfo cvsclient.texi 
        src            : ChangeLog gssapi-client.c server.c 

Log message:
        [bug #17083]
        * NEWS: Document :gserver:address@hidden:/path support.
        
        * doc/cvs.texinfo (GSSAPI authenticated): Allow
        :gserver:address@hidden:/path in addition to the :gserver:host:/path
        method.
        
        * doc/cvsclient.texi (Connection and Authentication): Describe the new
        GSSAPI-U authentication request.
        
        * src/gssapi-client.c (connect_to_gserver): send GSSAPI-U(ser)
        auth string and user name if gserver:address@hidden is used.
        
        * src/server.c (pserver_authenticate_connection): handle
        GSSAPI-U(ser) auth string, looking in that account's .k5login
        for allowed principals.
        (gserver_authenticate_connection): Add a username argument.
        (patch adapted from Marc W. Mengel <address@hidden>)

CVSWeb URLs:
http://cvs.savannah.gnu.org/viewcvs/ccvs/ChangeLog?cvsroot=cvs&r1=1.1350&r2=1.1351
http://cvs.savannah.gnu.org/viewcvs/ccvs/NEWS?cvsroot=cvs&r1=1.369&r2=1.370
http://cvs.savannah.gnu.org/viewcvs/ccvs/doc/ChangeLog?cvsroot=cvs&r1=1.979&r2=1.980
http://cvs.savannah.gnu.org/viewcvs/ccvs/doc/cvs.texinfo?cvsroot=cvs&r1=1.699&r2=1.700
http://cvs.savannah.gnu.org/viewcvs/ccvs/doc/cvsclient.texi?cvsroot=cvs&r1=1.149&r2=1.150
http://cvs.savannah.gnu.org/viewcvs/ccvs/src/ChangeLog?cvsroot=cvs&r1=1.3512&r2=1.3513
http://cvs.savannah.gnu.org/viewcvs/ccvs/src/gssapi-client.c?cvsroot=cvs&r1=1.9&r2=1.10
http://cvs.savannah.gnu.org/viewcvs/ccvs/src/server.c?cvsroot=cvs&r1=1.474&r2=1.475

Patches:
Index: ChangeLog
===================================================================
RCS file: /cvsroot/cvs/ccvs/ChangeLog,v
retrieving revision 1.1350
retrieving revision 1.1351
diff -u -b -r1.1350 -r1.1351
--- ChangeLog   11 Jun 2007 15:46:47 -0000      1.1350
+++ ChangeLog   13 Jun 2007 01:23:37 -0000      1.1351
@@ -1,3 +1,8 @@
+2007-06-12  Mark D. Baushke  <address@hidden>
+
+       [bug #17083]
+       * NEWS: Document :gserver:address@hidden:/path support.
+
 2007-05-11  Derek Price  <address@hidden>
 
        * NEWS: Note improved error messages for `cvs history'.

Index: NEWS
===================================================================
RCS file: /cvsroot/cvs/ccvs/NEWS,v
retrieving revision 1.369
retrieving revision 1.370
diff -u -b -r1.369 -r1.370
--- NEWS        11 Jun 2007 15:46:47 -0000      1.369
+++ NEWS        13 Jun 2007 01:23:37 -0000      1.370
@@ -3,6 +3,9 @@
 
 NEW FEATURES
 
+* :gserver:address@hidden:/path is now supported in addition to
+  :gserver:host:/path in CVSROOT. (CVS bug #17083.)
+
 * Rare error messages should me more informative when multiple history files
   are being parsed (as a result of the HistorySearchPath config option and the
   `cvs history' command).

Index: doc/ChangeLog
===================================================================
RCS file: /cvsroot/cvs/ccvs/doc/ChangeLog,v
retrieving revision 1.979
retrieving revision 1.980
diff -u -b -r1.979 -r1.980
--- doc/ChangeLog       9 May 2007 23:44:25 -0000       1.979
+++ doc/ChangeLog       13 Jun 2007 01:23:37 -0000      1.980
@@ -1,3 +1,13 @@
+2007-06-12  Mark D. Baushke  <address@hidden>
+
+       [bug #17083]
+       * cvs.texinfo (GSSAPI authenticated): Allow
+       :gserver:address@hidden:/path in addition to the :gserver:host:/path
+       method.
+
+       * cvsclient.texi (Connection and Authentication): Describe the new
+       GSSAPI-U autentication request.
+
 2007-05-09  Derek Price  <address@hidden>
        and Sylvain Beucler  <address@hidden>
 
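Review bot: "autentication" in the added cvsclient.texi entry is a misspelling of "authentication"; please correct it in this ChangeLog entry.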

Index: doc/cvs.texinfo
===================================================================
RCS file: /cvsroot/cvs/ccvs/doc/cvs.texinfo,v
retrieving revision 1.699
retrieving revision 1.700
diff -u -b -r1.699 -r1.700
--- doc/cvs.texinfo     9 May 2007 23:44:25 -0000       1.699
+++ doc/cvs.texinfo     13 Jun 2007 01:23:37 -0000      1.700
@@ -3089,6 +3089,15 @@
 canonical name of the server host.  You will have to
 set this up as required by your GSSAPI mechanism.
 
+If the client has a local username @var{luser} they
+wish to use, then a @var{$CVSROOT} may be set to use
address@hidden:gserver:address@hidden@@address@hidden:/path}, and
+the client will use send a GSSAPI-U request to the CVS
+server the server will attempt to determine if the user
+is authorized to log in to the account @var{luser}
+given the Kerberos principal name of cvs/@var{hostname}
+and a local username @var{luser}.
+
 To connect using GSSAPI, use the @samp{:gserver:} method.  For
 example,
 
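Review bot: The new paragraph never mentions the luser account's .k5login, although the log message says the server looks there for allowed principals, and it describes the decision as resting on "the Kerberos principal name of cvs/@var{hostname}", which names the server host rather than the connecting client. An administrator reading this cannot tell what has to be configured; suggest stating that the client's own principal must be permitted for @var{luser}, for example through that account's .k5login. The run-on "the client will use send a GSSAPI-U request to the CVS server the server will attempt" also needs splitting into two sentences, with "use send" corrected.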
@@ -3096,6 +3105,12 @@
 cvs -d :gserver:faun.example.org:/usr/local/cvsroot checkout foo
 @end example
 
+or
+
address@hidden
+cvs -d :gserver:myuser@@faun.example.org:/usr/local/cvsroot checkout foo
address@hidden example
+
 @node Kerberos authenticated
 @subsection Direct connection with Kerberos
 

Index: doc/cvsclient.texi
===================================================================
RCS file: /cvsroot/cvs/ccvs/doc/cvsclient.texi,v
retrieving revision 1.149
retrieving revision 1.150
diff -u -b -r1.149 -r1.150
--- doc/cvsclient.texi  8 May 2007 12:35:53 -0000       1.149
+++ doc/cvsclient.texi  13 Jun 2007 01:23:37 -0000      1.150
@@ -249,6 +249,15 @@
 After the GSSAPI authentication is complete, the server continues with
 the responses described above (@samp{I LOVE YOU}, etc.).
 
+If the client wishes to log in to the account @var{luser}, then a
+slightly different request is sent. The procedure is to start with
address@hidden GSSAPI-U REQUEST} and the next line sent is
address@hidden GSSAPI authentication information is then exchanged
+between the client and the server. Each packet of information consists
+of a two byte big-endian length, followed by that many bytes of data.
+After the GSSAPI-U authentication is complete, the server continues
+with the responses described above (@samp{I LOVE YOU}, etc.).
+
 @item future possibilities
 There are a nearly unlimited number of ways to connect and authenticate.
 One might want to allow access based on IP address (similar to the usual
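Review bot: The GSSAPI-U description leaves the user name line underspecified: it does not say that the name is terminated by a linefeed, which characters or length are allowed, or whether an empty name is legal. Since this file is the reference for other client and server implementations, it should also say how the server uses the name (per the log message, the client's principal is checked against that account's .k5login) and that a server which does not recognise the request answers with an error such as "bad auth protocol start", so a client cannot assume support.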

Index: src/ChangeLog
===================================================================
RCS file: /cvsroot/cvs/ccvs/src/ChangeLog,v
retrieving revision 1.3512
retrieving revision 1.3513
diff -u -b -r1.3512 -r1.3513
--- src/ChangeLog       11 Jun 2007 15:45:58 -0000      1.3512
+++ src/ChangeLog       13 Jun 2007 01:23:38 -0000      1.3513
@@ -1,3 +1,15 @@
+2007-06-12  Mark D. Baushke  <address@hidden>
+
+       [bug #17083]
+       * gssapi-client.c (connect_to_gserver): send GSSAPI-U(ser)
+       auth string and user name if gserver:address@hidden is used.
+
+       * server.c (pserver_authenticate_connection): handle
+       GSSAPI-U(ser) auth string, looking in that account's .k5login
+       for allowed principals.
+       (gserver_authenticate_connection): Add a username argument.
+       (patch adapted from Marc W. Mengel <address@hidden>)
+
 2007-06-11  Derek Price  <address@hidden>
 
        * history.c: Output more useful error messages when multiple history

Index: src/gssapi-client.c
===================================================================
RCS file: /cvsroot/cvs/ccvs/src/gssapi-client.c,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -b -r1.9 -r1.10
--- src/gssapi-client.c 4 Nov 2004 21:22:27 -0000       1.9
+++ src/gssapi-client.c 13 Jun 2007 01:23:38 -0000      1.10
@@ -85,11 +85,22 @@
     OM_uint32 stat_min, stat_maj;
     gss_name_t server_name;
 
+    if (current_parsed_root->username != NULL)
+       str = "BEGIN GSSAPI-U REQUEST\012";
+    else
     str = "BEGIN GSSAPI REQUEST\012";
 
     if (send (sock, str, strlen (str), 0) < 0)
        error (1, 0, "cannot send: %s", SOCK_STRERROR (SOCK_ERRNO));
 
+    if (current_parsed_root->username != NULL) {
+       str = current_parsed_root->username;
+       if (send (sock, str, strlen (str), 0) < 0)
+           error (1, 0, "cannot send: %s", SOCK_STRERROR (SOCK_ERRNO));
+       if (send (sock, "\012", 1, 0) < 0)
+           error (1, 0, "cannot send: %s", SOCK_STRERROR (SOCK_ERRNO));
+    }
+
     if (strlen (hostinfo->h_name) > BUFSIZE - 5)
        error (1, 0, "Internal error: hostname exceeds length of buffer");
     sprintf (buf, "address@hidden", hostinfo->h_name);
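Review bot: The user name taken from CVSROOT is written to the socket unchecked in the second added block: `current_parsed_root->username` is only compared with NULL, so an empty string produces a GSSAPI-U request followed by a blank name line, and a name containing a linefeed would be split into two protocol lines. Suggest rejecting both cases with error() before the first send(). Smaller points: the name and its terminator take two send() calls where one buffer would do, and `if (current_parsed_root->username != NULL) {` puts the brace on the same line, unlike the brace placement used in the server.c part of this change.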

Index: src/server.c
===================================================================
RCS file: /cvsroot/cvs/ccvs/src/server.c,v
retrieving revision 1.474
retrieving revision 1.475
diff -u -b -r1.474 -r1.475
--- src/server.c        30 May 2007 23:20:44 -0000      1.474
+++ src/server.c        13 Jun 2007 01:23:38 -0000      1.475
@@ -65,7 +65,7 @@
    name.  */
 # include <krb5.h>
 
-static void gserver_authenticate_connection (void);
+static void gserver_authenticate_connection (char *);
 
 /* Whether we are already wrapping GSSAPI communication.  */
 static int cvs_gssapi_wrapping;
@@ -7337,12 +7337,24 @@
     {
 #ifdef HAVE_GSSAPI
        free (tmp);
-       gserver_authenticate_connection ();
+       gserver_authenticate_connection (NULL);
        return;
 #else
        error (1, 0, "GSSAPI authentication not supported by this server");
 #endif
     }
+    else if (strcmp (tmp, "BEGIN GSSAPI-U REQUEST") == 0)
+    {
+#ifdef HAVE_GSSAPI
+       free (tmp);
+       pserver_read_line (&username, NULL);
+       gserver_authenticate_connection (username);
+       free (username);
+       return;
+#else
+       error (1, 0, "GSSAPI-U authentication not supported by this server");
+#endif
+    }
     else
        error (1, 0, "bad auth protocol start: %s", tmp);
 
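Review bot: The result of `pserver_read_line (&username, NULL);` in the GSSAPI-U branch is used without any check, and this line is read before the peer has authenticated. gserver_authenticate_connection treats a NULL argument as the plain GSSAPI case, so if the read leaves `username` NULL the request silently falls back to the principal-derived account, and an empty line is passed on as the account name "". Suggest failing with error() here when the name is missing or empty, so that a GSSAPI-U request can never be handled as if it were a GSSAPI one.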
@@ -7520,7 +7532,7 @@
  *                     xgethostname() in main().
  */
 static void
-gserver_authenticate_connection (void)
+gserver_authenticate_connection (char *username)
 {
     char *hn;
     gss_buffer_desc tok_in, tok_out;
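Review bot: The comment block above gserver_authenticate_connection is not updated for the new `username` parameter. It should say that NULL selects the account derived from the principal and that a non-NULL value is the account requested by the client, which arrives before authentication has taken place. If the function never modifies the string, `const char *` in this definition and in the prototype would express that.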
@@ -7608,12 +7620,19 @@
                              &mechid) != GSS_S_COMPLETE
            || krb5_parse_name (kc, ((gss_buffer_t) &desc)->value, &p) != 0
            || krb5_aname_to_localname (kc, p, sizeof buf, buf) != 0
-           || krb5_kuserok (kc, p, buf) != TRUE)
+           || krb5_kuserok (kc, p, (username ? username : buf)) != TRUE)
        {
            error (1, 0, "access denied");
        }
        krb5_free_principal (kc, p);
        krb5_free_context (kc);
+
+#if AUTH_SERVER_SUPPORT
+       /* Update our CVS_Username to be our kerberos principal */
+       if (CVS_Username != NULL)
+           free (CVS_Username);
+       CVS_Username = xstrdup (buf);
+#endif
     }
 
     if (tok_out.length != 0)
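Review bot: In the `||` chain, `krb5_aname_to_localname (kc, p, sizeof buf, buf) != 0` still has to succeed before the new `krb5_kuserok (kc, p, (username ? username : buf))` is evaluated, so a principal with no local-name mapping gets "access denied" even when the requested account would allow it. If GSSAPI-U is meant to cover such principals, the mapping should not be a precondition when `username` is set, and the code then needs to decide what CVS_Username holds, since `buf` would not be filled in. The added comment says CVS_Username becomes "our kerberos principal", but `buf` is the mapped local name; reword the comment or store the principal. The new conditional is written `#if AUTH_SERVER_SUPPORT` while the other conditionals visible in this patch use `#ifdef`; please check which form the rest of server.c uses for this macro.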
@@ -7628,6 +7647,9 @@
            error (1, errno, "fwrite failed");
     }
 
+    if (username)
+       switch_to_user ("GSSAPI-U", username);
+    else
     switch_to_user ("GSSAPI", buf);
 
     if (credbuf != buf)
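Review bot: With a GSSAPI-U request the process switches to `username` here, while the previous hunk sets CVS_Username to `buf`, so the recorded CVS user and the system account can differ. If that split is intended, say so in a comment next to `if (username)`; if it is not, one of the two assignments should change. Because the diff was generated with -b, also confirm that the existing `switch_to_user ("GSSAPI", buf);` line was re-indented under the new `else`.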
