From 9664ad00727ca11b13fe7feff42fb44cbc1133a5 Mon Sep 17 00:00:00 2001 From: jbjohnso Date: Sun, 15 Mar 2009 20:23:48 +0000 Subject: [PATCH] -Have xCATd provide what may likely be FQDN as a value in the request -Implement 'getcredentials' for a krb5 keytab, requires documentation -Have getcredentials.awk fundamentally capable of requesting multiple credentials in a single request (theoretical scaling) git-svn-id: https://svn.code.sf.net/p/xcat/code/xcat-core/trunk@2908 8638fb3e-16cb-4fca-ae20-7b5d299a9bcd --- xCAT-server/lib/xcat/plugins/credentials.pm | 24 +++++++++++++++++++++ xCAT-server/sbin/xcatd | 6 +++++- xCAT/postscripts/getcredentials.awk | 3 ++- 3 files changed, 31 insertions(+), 2 deletions(-)
diff --git a/xCAT-server/lib/xcat/plugins/credentials.pm b/xCAT-server/lib/xcat/plugins/credentials.pm
index 207525fdd..e0dd51e03 100644
--- a/xCAT-server/lib/xcat/plugins/credentials.pm
+++ b/xCAT-server/lib/xcat/plugins/credentials.pm
@@ -150,6 +150,30 @@ sub process_request
 }
 $tfilename = "/etc/xcat/cfgloc";
+ } elsif (/krb5_keytab/) { #TODO: MUST RELAY TO MASTER
+ my $princsuffix=$request->{'_xcat_clientfqdn'}->[0];
+ $ENV{KRB5CCNAME}="/tmp/xcat/krb5cc_xcat_$$";
+ system('kinit -S kadmin/admin -k -t /etc/xcat/krb5_pass xcat/admin');
+ system("kadmin -p xcat/admin -c /tmp/xcat/krb5cc_xcat_$$ -q 'delprinc -force host/$princsuffix'");
+ system("kadmin -p xcat/admin -c /tmp/xcat/krb5cc_xcat_$$ -q 'delprinc -force nfs/$princsuffix'");
+ system("kadmin -p xcat/admin -c /tmp/xcat/krb5cc_xcat_$$ -q 'addprinc -randkey host/$princsuffix'");
+ system("kadmin -p xcat/admin -c /tmp/xcat/krb5cc_xcat_$$ -q 'addprinc -randkey nfs/$princsuffix'");
+ unlink "/tmp/xcat/keytab.$$";
+ system("kadmin -p xcat/admin -c /tmp/xcat/krb5cc_xcat_$$ -q 'ktadd -k /tmp/xcat/keytab.$$ nfs/$princsuffix'");
+ system("kadmin -p xcat/admin -c /tmp/xcat/krb5cc_xcat_$$ -q 'ktadd -k /tmp/xcat/keytab.$$ host/$princsuffix'");
+ system("kdestroy -c /tmp/xcat/krb5cc_xcat_$$");
+ unlink("/tmp/xcat/krb5cc_xcat_$$");
+ my $keytab;
+ open($keytab, "/tmp/xcat/keytab.$$");
+ my $tabdata="\n";
+ my $buf;
+ require MIME::Base64;
+ while (read($keytab,$buf,1140)) {
+ $tabdata.=MIME::Base64::encode_base64($buf);
+ }
+ push @{$rsp->{'data'}},{content=>[$tabdata],desc=>[$_]};
+ unlink "/tmp/xcat/keytab.$$";
+ next;
 } else {
 next;
 }
diff --git a/xCAT-server/sbin/xcatd b/xCAT-server/sbin/xcatd
index 93899a229..77ae7cb43 100755
--- a/xCAT-server/sbin/xcatd
+++ b/xCAT-server/sbin/xcatd
@@ -562,6 +562,7 @@ until ($quit) {
 }
 $clientselect->add($connection);
 my $peerhost=undef;
+ my $peerfqdn=undef;
 my $peer=$connection->peer_certificate("owner");
 if ($peer) {
 $peer =~ m/CN=([^\/]*)/;
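Review bot: Every kadmin call in the new `krb5_keytab` branch passes `$princsuffix` through a single-string `system()`, so a quote or `;` in the client's reverse-DNS name (or cert CN, from which `_xcat_clientfqdn` appears to be derived in the xcatd hunks) would execute as the xcatd user on the management node, and because the same text is re-parsed by kadmin's `-q` query, whitespace in it can add query tokens even with list-form system(). The kinit/kadmin exit statuses and the `open` are all unchecked, so a failed kinit still pushes a "\n"-only keytab to the client as though it succeeded, and `/tmp/xcat/keytab.$$` is a predictable name that is only safe if `/tmp/xcat` is root-owned and not world-writable, which this hunk does not show. I would validate the suffix as a plain DNS name, switch to list-form `system()`, and only return the keytab when every step succeeded, as sketched below. process_request begins before this hunk.
```perl
    } elsif (/krb5_keytab/) { #TODO: MUST RELAY TO MASTER
        my $princsuffix = $request->{'_xcat_clientfqdn'}->[0];
        # Derived from reverse DNS / the client cert, not from a trusted table:
        # accept only a plain DNS name so it can neither reach a shell nor add
        # tokens to the kadmin query below.
        unless (defined $princsuffix
                and $princsuffix =~ /\A[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?\z/) {
            next;
        }
        my $ccache = "/tmp/xcat/krb5cc_xcat_$$";
        my $ktfile = "/tmp/xcat/keytab.$$";
        $ENV{KRB5CCNAME} = $ccache;
        # List-form system() never involves /bin/sh; a non-zero status means no
        # admin ticket, so stop here rather than hand back an empty keytab.
        if (system('kinit', '-S', 'kadmin/admin', '-k', '-t', '/etc/xcat/krb5_pass', 'xcat/admin') != 0) {
            next;
        }
        my @kadmin = ('kadmin', '-p', 'xcat/admin', '-c', $ccache, '-q');
        unlink $ktfile;
        my $ok = 1;
        for my $princ ("host/$princsuffix", "nfs/$princsuffix") {
            system(@kadmin, "delprinc -force $princ");   # fails harmlessly on first enrollment
            $ok = 0 if system(@kadmin, "addprinc -randkey $princ") != 0;
            $ok = 0 if system(@kadmin, "ktadd -k $ktfile $princ") != 0;
        }
        system('kdestroy', '-c', $ccache);
        unlink $ccache;
        if ($ok and open(my $keytab, '<', $ktfile)) {
            binmode $keytab;
            my $tabdata = "\n";
            # … unchanged: read/MIME::Base64 encode loop …
            close $keytab;
            push @{$rsp->{'data'}}, {content=>[$tabdata], desc=>[$_]};
        }
        unlink $ktfile;
        next;
```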
@@ -584,13 +585,14 @@ if ($inet6support) {
 unless ($peerhost) {
 $peerhost = gethostbyaddr($connection->peeraddr,AF_INET);
 }
+ $peerfqdn=$peerhost;
 $peerhost =~ s/\.$domain\.*$//;
 $peerhost =~ s/-eth\d*$//;
 $peerhost =~ s/-myri\d*$//;
 $peerhost =~ s/-ib\d*$//;
 #printf('info'.": xcatd: connection from ".($peername ? $peername . "@" . $peerhost : $peerhost)."\n");
 $$progname="xCATd SSL: Instance for ".($peername ? $peername ."@".$peerhost : $peerhost);
- service_connection($connection,$peername,$peerhost);
+ service_connection($connection,$peername,$peerhost,$peerfqdn);
 xexit(0);
 }
 $sslclients++; #THROTTLE
@@ -1166,6 +1168,7 @@ sub service_connection {
 my $sock = shift;
 my $peername = shift;
 my $peerhost = shift;
+ my $peerfqdn = shift;
 my $peerport = $sock->peerport;
 my %tables=();
 #some paranoid measures could reduce a third party abusing stage3 image to attempting to get USER/PASS for BMCs:
@@ -1205,6 +1208,7 @@ sub service_connection {
 if (validate($peername,$peerhost,$req)) {
 $req->{'_xcat_authname'} = [$peername];
 $req->{'_xcat_clienthost'} = [$peerhost];
+ $req->{'_xcat_clientfqdn'} = [$peerfqdn];
 $req->{'_xcat_clientport'}= [$peerport];
 $$progname="xCATd SSL: ".$req->{command}->[0]." for ".($peername ? $peername ."@".$peerhost : $peerhost);
 if ($req->{command}->[0] eq "authcheck") { #provide a method for UI to verify a user without actually requesting action
diff --git a/xCAT/postscripts/getcredentials.awk b/xCAT/postscripts/getcredentials.awk
index 94d868a88..9343897a6 100755
--- a/xCAT/postscripts/getcredentials.awk
+++ b/xCAT/postscripts/getcredentials.awk
@@ -7,7 +7,8 @@ BEGIN {
 print "" |& server
 print " getcredentials" |& server
 print " 300" |& server
- print " "ARGV[1]"" |& server
+ for (i=1; i"ARGV[i]"" |& server
 print "" |& server
 while (server |& getline) {
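Review bot: `$peerfqdn=$peerhost;` captures the name exactly as `gethostbyaddr` returned it (or, presumably, as the cert-CN branch above set it), so what reaches plugins as `_xcat_clientfqdn` is neither forward-confirmed against the peer address nor character-checked, and it is undef when the reverse lookup fails. Since the credentials plugin in this same commit uses it to name and re-key Kerberos principals, the trust level should be stated where it is captured: `# NOTE: raw reverse-DNS / cert name, not forward-confirmed; plugins must validate it before using it in commands or principal names`. Resolving `$peerfqdn` forward and comparing with `$connection->peeraddr` would close the gap, though that fits better alongside the existing cert/validate() logic than in this assignment. The enclosing connection-accept block starts before the hunk.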