-Have xCATd provide what is likely the FQDN as a value in the request

-Implement 'getcredentials' for a krb5 keytab, requires documentation
-Have getcredentials.awk fundamentally capable of requesting multiple credentials in a single request (theoretical scaling)


git-svn-id: https://svn.code.sf.net/p/xcat/code/xcat-core/trunk@2908 8638fb3e-16cb-4fca-ae20-7b5d299a9bcd
This commit is contained in:
jbjohnso 2009-03-15 20:23:48 +00:00
parent a084808f7e
commit 9664ad0072
3 changed files with 31 additions and 2 deletions


@ -150,6 +150,30 @@ sub process_request
}
$tfilename = "/etc/xcat/cfgloc";
} elsif (/krb5_keytab/) { #TODO: MUST RELAY TO MASTER
my $princsuffix=$request->{'_xcat_clientfqdn'}->[0];
$ENV{KRB5CCNAME}="/tmp/xcat/krb5cc_xcat_$$";
system('kinit -S kadmin/admin -k -t /etc/xcat/krb5_pass xcat/admin');
system("kadmin -p xcat/admin -c /tmp/xcat/krb5cc_xcat_$$ -q 'delprinc -force host/$princsuffix'");
system("kadmin -p xcat/admin -c /tmp/xcat/krb5cc_xcat_$$ -q 'delprinc -force nfs/$princsuffix'");
system("kadmin -p xcat/admin -c /tmp/xcat/krb5cc_xcat_$$ -q 'addprinc -randkey host/$princsuffix'");
system("kadmin -p xcat/admin -c /tmp/xcat/krb5cc_xcat_$$ -q 'addprinc -randkey nfs/$princsuffix'");
unlink "/tmp/xcat/keytab.$$";
system("kadmin -p xcat/admin -c /tmp/xcat/krb5cc_xcat_$$ -q 'ktadd -k /tmp/xcat/keytab.$$ nfs/$princsuffix'");
system("kadmin -p xcat/admin -c /tmp/xcat/krb5cc_xcat_$$ -q 'ktadd -k /tmp/xcat/keytab.$$ host/$princsuffix'");
system("kdestroy -c /tmp/xcat/krb5cc_xcat_$$");
unlink("/tmp/xcat/krb5cc_xcat_$$");
my $keytab;
open($keytab, "/tmp/xcat/keytab.$$");
my $tabdata="\n";
my $buf;
require MIME::Base64;
while (read($keytab,$buf,1140)) {
$tabdata.=MIME::Base64::encode_base64($buf);
}
push @{$rsp->{'data'}},{content=>[$tabdata],desc=>[$_]};
unlink "/tmp/xcat/keytab.$$";
next;
} else {
next;
}
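Review bot: `$princsuffix`, assigned on the line after the `elsif (/krb5_keytab/)`, is interpolated unvalidated into the single-quoted command strings of the eight `system()` calls that follow, and it is filled from `_xcat_clientfqdn`, which the second file derives from the peer's reverse DNS name or certificate CN; a name containing `'`, `;` or `$` leaves the quoting and the whole string is run by a shell as xcatd, and even a well-formed but foreign name becomes the `host/` and `nfs/` principal that gets created and handed back. Reject anything that is not a plain DNS name before the `kinit`, and call kinit/kadmin/kdestroy in list form so no shell is involved. The `system()` results are never checked and the `open` of the keytab is two-argument and unchecked, so when kinit or ktadd fails the client still receives a reply whose content is only `"\n"`. `process_request` begins and ends outside the hunk.
```perl
} elsif (/krb5_keytab/) { #TODO: MUST RELAY TO MASTER
    my $princsuffix = $request->{'_xcat_clientfqdn'}->[0];
    # Only a plain DNS name may become part of a principal or a command argument.
    unless (defined $princsuffix and $princsuffix =~ m/\A[A-Za-z0-9][A-Za-z0-9.-]*\z/) {
        next;
    }
    my $ccache     = "/tmp/xcat/krb5cc_xcat_$$";
    my $keytabfile = "/tmp/xcat/keytab.$$";
    $ENV{KRB5CCNAME} = $ccache;
    # List-form system(): the arguments never pass through a shell.
    system('kinit', '-S', 'kadmin/admin', '-k', '-t', '/etc/xcat/krb5_pass', 'xcat/admin') == 0
        or next;
    unlink $keytabfile;
    for my $query ("delprinc -force host/$princsuffix",  "delprinc -force nfs/$princsuffix",
                   "addprinc -randkey host/$princsuffix", "addprinc -randkey nfs/$princsuffix",
                   "ktadd -k $keytabfile nfs/$princsuffix", "ktadd -k $keytabfile host/$princsuffix") {
        system('kadmin', '-p', 'xcat/admin', '-c', $ccache, '-q', $query) == 0
            or warn "kadmin '$query' failed: $?";
    }
    system('kdestroy', '-c', $ccache);
    unlink $ccache;
    open(my $keytab, '<', $keytabfile) or do { unlink $keytabfile; next; };
    # … unchanged: base64 encoding of the keytab, reply push, keytab unlink, next …
```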


@ -562,6 +562,7 @@ until ($quit) {
}
$clientselect->add($connection);
my $peerhost=undef;
my $peerfqdn=undef;
my $peer=$connection->peer_certificate("owner");
if ($peer) {
$peer =~ m/CN=([^\/]*)/;
@ -584,13 +585,14 @@ if ($inet6support) {
unless ($peerhost) { $peerhost = gethostbyaddr($connection->peeraddr,AF_INET); }
$peerfqdn=$peerhost;
$peerhost =~ s/\.$domain\.*$//;
$peerhost =~ s/-eth\d*$//;
$peerhost =~ s/-myri\d*$//;
$peerhost =~ s/-ib\d*$//;
#printf('info'.": xcatd: connection from ".($peername ? $peername . "@" . $peerhost : $peerhost)."\n");
$$progname="xCATd SSL: Instance for ".($peername ? $peername ."@".$peerhost : $peerhost);
service_connection($connection,$peername,$peerhost);
service_connection($connection,$peername,$peerhost,$peerfqdn);
xexit(0);
}
$sslclients++; #THROTTLE
@ -1166,6 +1168,7 @@ sub service_connection {
my $sock = shift;
my $peername = shift;
my $peerhost = shift;
my $peerfqdn = shift;
my $peerport = $sock->peerport;
my %tables=();
#some paranoid measures could reduce a third party abusing stage3 image to attempting to get USER/PASS for BMCs:
@ -1205,6 +1208,7 @@ sub service_connection {
if (validate($peername,$peerhost,$req)) {
$req->{'_xcat_authname'} = [$peername];
$req->{'_xcat_clienthost'} = [$peerhost];
$req->{'_xcat_clientfqdn'} = [$peerfqdn];
$req->{'_xcat_clientport'}= [$peerport];
$$progname="xCATd SSL: ".$req->{command}->[0]." for ".($peername ? $peername ."@".$peerhost : $peerhost);
if ($req->{command}->[0] eq "authcheck") { #provide a method for UI to verify a user without actually requesting action
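Review bot: `$peerfqdn=$peerhost;` in the second hunk copies the name straight after the `gethostbyaddr` fallback, so when no certificate owner is present `_xcat_clientfqdn` is a reverse-DNS result that is never forward-confirmed, yet the first file turns it into Kerberos principal names and returns their keys. Resolve the name back and keep it only when one of its addresses matches the peer, e.g. `my @fwd = gethostbyname($peerhost);` followed by `$peerfqdn = $peerhost if grep { $_ eq $connection->peeraddr } @fwd[4 .. $#fwd];`, leaving `$peerfqdn` undef otherwise; the `$inet6support` branch named in the hunk header is outside the hunk, so the IPv6 path presumably needs the same treatment. The comment line above the `_xcat_authname` assignments in `service_connection` should also state that `_xcat_clientfqdn` may be undef and, unlike `_xcat_clienthost`, has not been through `validate()`.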


@ -7,7 +7,8 @@ BEGIN {
print "<xcatrequest>" |& server
print " <command>getcredentials</command>" |& server
print " <callback_port>300</callback_port>" |& server
print " <arg>"ARGV[1]"</arg>" |& server
for (i=1; i<ARGC; i++)
print " <arg>"ARGV[i]"</arg>" |& server
print "</xcatrequest>" |& server
while (server |& getline) {
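Review bot: each `ARGV[i]` in the new loop is written into the `<arg>` element without XML escaping, so an argument containing `&`, `<` or `>` produces a request xcatd cannot parse; the single-argument line it replaces had the same gap, but the loop now exposes every argument to it. Escape before printing, `a = ARGV[i]; gsub(/&/, "\\&amp;", a); gsub(/</, "\\&lt;", a); gsub(/>/, "\\&gt;", a)`, and print `a` instead of `ARGV[i]`. The loop body should also be braced, since the next `print` is not part of it. The enclosing `BEGIN` block starts and ends outside the hunk.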