path: root/lib/librpcsec_gss
Commit message | Author | Age | Files | Lines
* Fix warnings found by -Wmissing-variable-declarations. | ed | 2012-10-19 | 1 | -2/+2
  This self-written compiler warning, which is hopefully going to be committed into LLVM sources soon, warns about potentially missing `static' keywords, similar to -Wmissing-prototypes.
  - bin/pax: Move external declaration of chdname and s_mask into extern.h.
  - bin/setfacl: Move setfacl.c-specific stuff out of setfacl.h.
  - sbin/mount_fusefs: Remove char *progname; use getprogname().
  - others: add `static' where possible.
* mdoc: add missing -width argument to Bl -tag. | joel | 2012-06-06 | 15 | -16/+16
* Remove trailing whitespace per mdoc lint warning | eadler | 2012-03-29 | 1 | -1/+1
  Discussed with: gavin
  No objection from: doc
  Approved by: joel
  MFC after: 3 days
* Fix typos, spelling, formatting and mdoc mistakes found by Nobuyuki while | joel | 2010-08-16 | 1 | -1/+1
  translating these manual pages. Minor corrections by me.
  Submitted by: Nobuyuki Koganemaru <n-kogane@syd.odn.ne.jp>
* mdoc: remove literal tabs where they don't belong | uqs | 2010-06-08 | 1 | -1/+1
* mdoc: consistently spell our email addresses <foo@FreeBSD.org> | uqs | 2010-05-19 | 17 | -17/+17
  Reviewed by: ru
* Fix several typos in macros or macro misusage. | uqs | 2010-03-12 | 1 | -0/+1
  Found by: make manlint
  Reviewed by: ru
  Approved by: philip (mentor)
* Correct a bunch of typos. | schweikh | 2010-01-27 | 6 | -9/+9
* Bump .Dd, forgotten in r203025 | gavin | 2010-01-26 | 17 | -17/+17
  Approved by: ed (mentor, implicit)
  MFC after: 1 week
* Correct the HISTORY section of these man pages to show when the function, | gavin | 2010-01-26 | 17 | -17/+17
  not the "manual page example" was introduced.
  Approved by: ed (mentor, implicit)
  MFC after: 1 week
* Build lib/ with WARNS=6 by default. | ed | 2010-01-02 | 1 | -1/+0
  Similar to libexec/, do the same with lib/. Make WARNS=6 the norm and lower it when needed.
  I'm setting WARNS?=0 for secure/. It seems secure/ includes the Makefile.inc provided by lib/. I'm not going to touch that directory. Most of the code there is contributed anyway.
* (S)LIST_HEAD_INITIALIZER takes a (S)LIST_HEAD as an argument. | antoine | 2009-12-28 | 2 | -4/+4
  Fix some wrong usages. Note: this does not affect generated binaries as this argument is not used.
  PR: 137213
  Submitted by: Eygene Ryabinkin (initial version)
  MFC after: 1 month
* Implement support for RPCSEC_GSS authentication to both the NFS client | dfr | 2008-11-03 | 1 | -12/+31
  and server. This replaces the RPC implementation of the NFS client and server with the newer RPC implementation originally developed (actually ported from the userland sunrpc code) to support the NFS Lock Manager. I have tested this code extensively and I believe it is stable and that performance is at least equal to the legacy RPC implementation.

  The NFS code currently contains support for both the new RPC implementation and the older legacy implementation inherited from the original NFS codebase. The default is to use the new implementation - add the NFS_LEGACYRPC option to fall back to the old code. When I merge this support back to RELENG_7, I will probably change this so that users have to 'opt in' to get the new code.

  To use RPCSEC_GSS on either client or server, you must build a kernel which includes the KGSSAPI option and the crypto device. On the userland side, you must build at least a new libc, mountd, mount_nfs and gssd. You must install new versions of /etc/rc.d/gssd and /etc/rc.d/nfsd and add 'gssd_enable=YES' to /etc/rc.conf.

  As long as gssd is running, you should be able to mount an NFS filesystem from a server that requires RPCSEC_GSS authentication. The mount itself can happen without any kerberos credentials but all access to the filesystem will be denied unless the accessing user has a valid ticket file in the standard place (/tmp/krb5cc_<uid>). There is currently no support for situations where the ticket file is in a different place, such as when the user logged in via SSH and has delegated credentials from that login. This restriction is also present in Solaris and Linux. In theory, we could improve this in future, possibly using Brooks Davis' implementation of variant symlinks.

  Supporting RPCSEC_GSS on a server is nearly as simple. You must create service creds for the server in the form 'nfs/<fqdn>@<REALM>' and install them in /etc/krb5.keytab. The standard heimdal utility ktutil makes this fairly easy. After the service creds have been created, you can add a '-sec=krb5' option to /etc/exports and restart both mountd and nfsd.

  The only other difference an administrator should notice is that nfsd doesn't fork to create service threads any more. In normal operation, there will be two nfsd processes, one in userland waiting for TCP connections and one in the kernel handling requests. The latter process will create as many kthreads as required - these should be visible via 'top -H'. The code has some support for varying the number of service threads according to load but initially at least, nfsd uses a fixed number of threads according to the value supplied to its '-n' option.

  Sponsored by: Isilon Systems
  MFC after: 1 month
* Fix an off-by-one error in the replay detection logic. | dfr | 2008-09-04 | 1 | -1/+1
* Fix ia64 build. | dfr | 2008-08-06 | 1 | -3/+3
* Fix 64bit build. | dfr | 2008-08-06 | 1 | -1/+3
* Add an implementation of the RPCSEC_GSS authentication protocol for RPC. This | dfr | 2008-08-06 | 25 | -0/+4277
  is based on an old implementation from the University of Michigan with lots of changes and fixes by me and the addition of a Solaris-compatible API.
  Sponsored by: Isilon Systems
  Reviewed by: alfred