-Have xCATd provide what is likely the FQDN as a value in the request
-Implement 'getcredentials' for a krb5 keytab, requires documentation -Have getcredentials.awk fundamentally capable of requesting multiple credentials in a single request (theoretical scaling) git-svn-id: https://svn.code.sf.net/p/xcat/code/xcat-core/trunk@2908 8638fb3e-16cb-4fca-ae20-7b5d299a9bcd
This commit is contained in:
parent
a084808f7e
commit
9664ad0072
@ -150,6 +150,30 @@ sub process_request
|
||||
}
|
||||
$tfilename = "/etc/xcat/cfgloc";
|
||||
|
||||
} elsif (/krb5_keytab/) { #TODO: MUST RELAY TO MASTER
|
||||
my $princsuffix=$request->{'_xcat_clientfqdn'}->[0];
|
||||
$ENV{KRB5CCNAME}="/tmp/xcat/krb5cc_xcat_$$";
|
||||
system('kinit -S kadmin/admin -k -t /etc/xcat/krb5_pass xcat/admin');
|
||||
system("kadmin -p xcat/admin -c /tmp/xcat/krb5cc_xcat_$$ -q 'delprinc -force host/$princsuffix'");
|
||||
system("kadmin -p xcat/admin -c /tmp/xcat/krb5cc_xcat_$$ -q 'delprinc -force nfs/$princsuffix'");
|
||||
system("kadmin -p xcat/admin -c /tmp/xcat/krb5cc_xcat_$$ -q 'addprinc -randkey host/$princsuffix'");
|
||||
system("kadmin -p xcat/admin -c /tmp/xcat/krb5cc_xcat_$$ -q 'addprinc -randkey nfs/$princsuffix'");
|
||||
unlink "/tmp/xcat/keytab.$$";
|
||||
system("kadmin -p xcat/admin -c /tmp/xcat/krb5cc_xcat_$$ -q 'ktadd -k /tmp/xcat/keytab.$$ nfs/$princsuffix'");
|
||||
system("kadmin -p xcat/admin -c /tmp/xcat/krb5cc_xcat_$$ -q 'ktadd -k /tmp/xcat/keytab.$$ host/$princsuffix'");
|
||||
system("kdestroy -c /tmp/xcat/krb5cc_xcat_$$");
|
||||
unlink("/tmp/xcat/krb5cc_xcat_$$");
|
||||
my $keytab;
|
||||
open($keytab, "/tmp/xcat/keytab.$$");
|
||||
my $tabdata="\n";
|
||||
my $buf;
|
||||
require MIME::Base64;
|
||||
while (read($keytab,$buf,1140)) {
|
||||
$tabdata.=MIME::Base64::encode_base64($buf);
|
||||
}
|
||||
push @{$rsp->{'data'}},{content=>[$tabdata],desc=>[$_]};
|
||||
unlink "/tmp/xcat/keytab.$$";
|
||||
next;
|
||||
} else {
|
||||
next;
|
||||
}
|
||||
|
@ -562,6 +562,7 @@ until ($quit) {
|
||||
}
|
||||
$clientselect->add($connection);
|
||||
my $peerhost=undef;
|
||||
my $peerfqdn=undef;
|
||||
my $peer=$connection->peer_certificate("owner");
|
||||
if ($peer) {
|
||||
$peer =~ m/CN=([^\/]*)/;
|
||||
@ -584,13 +585,14 @@ if ($inet6support) {
|
||||
|
||||
|
||||
unless ($peerhost) { $peerhost = gethostbyaddr($connection->peeraddr,AF_INET); }
|
||||
$peerfqdn=$peerhost;
|
||||
$peerhost =~ s/\.$domain\.*$//;
|
||||
$peerhost =~ s/-eth\d*$//;
|
||||
$peerhost =~ s/-myri\d*$//;
|
||||
$peerhost =~ s/-ib\d*$//;
|
||||
#printf('info'.": xcatd: connection from ".($peername ? $peername . "@" . $peerhost : $peerhost)."\n");
|
||||
$$progname="xCATd SSL: Instance for ".($peername ? $peername ."@".$peerhost : $peerhost);
|
||||
service_connection($connection,$peername,$peerhost);
|
||||
service_connection($connection,$peername,$peerhost,$peerfqdn);
|
||||
xexit(0);
|
||||
}
|
||||
$sslclients++; #THROTTLE
|
||||
@ -1166,6 +1168,7 @@ sub service_connection {
|
||||
my $sock = shift;
|
||||
my $peername = shift;
|
||||
my $peerhost = shift;
|
||||
my $peerfqdn = shift;
|
||||
my $peerport = $sock->peerport;
|
||||
my %tables=();
|
||||
#some paranoid measures could reduce a third party abusing stage3 image to attempting to get USER/PASS for BMCs:
|
||||
@ -1205,6 +1208,7 @@ sub service_connection {
|
||||
if (validate($peername,$peerhost,$req)) {
|
||||
$req->{'_xcat_authname'} = [$peername];
|
||||
$req->{'_xcat_clienthost'} = [$peerhost];
|
||||
$req->{'_xcat_clientfqdn'} = [$peerfqdn];
|
||||
$req->{'_xcat_clientport'}= [$peerport];
|
||||
$$progname="xCATd SSL: ".$req->{command}->[0]." for ".($peername ? $peername ."@".$peerhost : $peerhost);
|
||||
if ($req->{command}->[0] eq "authcheck") { #provide a method for UI to verify a user without actually requesting action
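Review bot: In the new krb5_keytab branch of process_request, `$princsuffix` is interpolated into single-string `system()` calls for `delprinc`, `addprinc` and `ktadd`, so it reaches both /bin/sh and kadmin's query parser unescaped; the later hunks show it is `_xcat_clientfqdn`, which falls back to `gethostbyaddr`, i.e. a reverse-DNS answer the server does not control, so a PTR record containing a quote, space or shell metacharacter would alter the kadmin command rather than name a host. The value should be checked against an anchored hostname pattern before use and every call switched to list-form `system` so no shell is involved and the query is a single argument. The exit status of `kinit` and of each `kadmin` call is also ignored: when `kinit` fails, every following call fails as well, yet the client is still sent a response whose content is just `"\n"`. The two-arg, unchecked `open($keytab, ...)` should be `open(my $keytab, '<', $tabfile) or next;`, and since `/tmp/xcat/keytab.$$` and the ccache use predictable names, `File::Temp` would be the safer choice unless `/tmp/xcat` is guaranteed root-only (its permissions are not visible here). The loop this branch runs in starts outside the hunk, so `next` stays the way to skip the argument on failure.
```perl
} elsif (/krb5_keytab/) { #TODO: MUST RELAY TO MASTER
    my $princsuffix = $request->{'_xcat_clientfqdn'}->[0];
    # Comes from the peer certificate or reverse DNS; accept only a plain hostname.
    unless (defined $princsuffix and $princsuffix =~ m{\A[A-Za-z0-9][A-Za-z0-9.-]*\z}) {
        next;
    }
    my $ccache  = "/tmp/xcat/krb5cc_xcat_$$";
    my $tabfile = "/tmp/xcat/keytab.$$";
    # List-form system(): no shell, and the query reaches kadmin as one argument.
    my $kadmin_q = sub {
        return system('kadmin', '-p', 'xcat/admin', '-c', $ccache, '-q', $_[0]) == 0;
    };
    $ENV{KRB5CCNAME} = $ccache;
    unless (system('kinit', '-S', 'kadmin/admin', '-k', '-t', '/etc/xcat/krb5_pass', 'xcat/admin') == 0) {
        next;    # no admin ticket: nothing below can succeed
    }
    $kadmin_q->("delprinc -force host/$princsuffix");
    $kadmin_q->("delprinc -force nfs/$princsuffix");
    $kadmin_q->("addprinc -randkey host/$princsuffix");
    $kadmin_q->("addprinc -randkey nfs/$princsuffix");
    unlink $tabfile;
    $kadmin_q->("ktadd -k $tabfile nfs/$princsuffix");
    $kadmin_q->("ktadd -k $tabfile host/$princsuffix");
    system('kdestroy', '-c', $ccache);
    unlink($ccache);
    open(my $keytab, '<', $tabfile) or next;    # ktadd failed: send nothing rather than "\n"
    # … unchanged: base64 encoding of the keytab, push onto $rsp->{'data'}, unlink, next …
```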
|
||||
|
@ -7,7 +7,8 @@ BEGIN {
|
||||
print "<xcatrequest>" |& server
|
||||
print " <command>getcredentials</command>" |& server
|
||||
print " <callback_port>300</callback_port>" |& server
|
||||
print " <arg>"ARGV[1]"</arg>" |& server
|
||||
for (i=1; i<ARGC; i++)
|
||||
print " <arg>"ARGV[i]"</arg>" |& server
|
||||
print "</xcatrequest>" |& server
|
||||
|
||||
while (server |& getline) {
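Review bot: The new `for` loop in the BEGIN block writes each `ARGV[i]` into the `<arg>` element verbatim, so an argument containing `<` or `&` yields a malformed request; the caller is not visible here, so this is a robustness point only if the script is ever invoked with values other than the credential names it was written for. Its single-statement body is also unbraced, which is legal awk but easy to break when a second statement is added later; `for (i=1; i<ARGC; i++) { print " <arg>"ARGV[i]"</arg>" |& server }` reads more safely. The BEGIN block continues past the end of the hunk.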
|
||||
|