Linux NFS development
From: Steve Dickson <SteveD@redhat.com>
To: linux-nfs@vger.kernel.org
Subject: [PATCH] rpc.gssd: Don't supply the KDC with unsupported encryption types
Date: Tue, 11 Nov 2008 11:40:28 -0500	[thread overview]
Message-ID: <4919B57C.6050104@RedHat.com> (raw)

Hello,

It seems when rpc.gssd initially registers with the KDC, it sends 
a long list of encryption types that are not supported:

      Encryption Types: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 
                        rc4-hmac des-cbc-crc des-cbc-md5 des-cbc-md4 rsa-sha1-cms 
                        rsa-md5-cms des-ede3-cbc-env rc2-cbc-env rsa-env

Now the theory is mounts will hang if the KDC (like a Solaris KDC) returns an unsupported 
encryption type since the client will not know what to do with it. I'm currently
trying to test this theory with people that actually have a working Solaris KDC,
unfortunately I'm not one of those people... 

But to me, it just makes sense that rpc.gssd should only talk about encryption types
it supports. It seems like it would cut out any and all confusion. The following
patch does just that.

comments?

steved.


Author: Steve Dickson <steved@redhat.com>
Date:   Tue Nov 11 11:08:13 EST 2008
	
	When rpc.gssd registers with the KDC, only talk
	about the supported encryption types during the
	initial registration so the KDC will only 
	return supported encryption types.

	Signed-off-by: Steve Dickson <steved@redhat.com>

diff --git a/utils/gssd/krb5_util.c b/utils/gssd/krb5_util.c
index 77814bc..7f131c9 100644
--- a/utils/gssd/krb5_util.c
+++ b/utils/gssd/krb5_util.c
@@ -125,6 +125,10 @@
 
 /* Global list of principals/cache file names for machine credentials */
 struct gssd_k5_kt_princ *gssd_k5_kt_princ_list = NULL;
+static krb5_enctype enctypes[] = { ENCTYPE_DES_CBC_CRC,
+				    ENCTYPE_DES_CBC_MD5,
+				    ENCTYPE_DES_CBC_MD4 };
+static int num_enctypes = sizeof(enctypes) / sizeof(enctypes[0]);
 
 /*==========================*/
 /*===  Internal routines ===*/
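Review bot: the array moved to file scope at the top of this hunk is now shared data but carries no comment saying why it lists only the three single-DES types; add a one-line comment above `static krb5_enctype enctypes[]` stating that these are the only types rpc.gssd supports (the reason given in the cover mail), so a later maintainer does not "fix" the list by adding aes or des3 here alone. Minor: `num_enctypes` is a compile-time value and could be `static const int` or a `#define`.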
@@ -309,10 +313,6 @@ limit_krb5_enctypes(struct rpc_gss_sec *sec, uid_t uid)
 	u_int maj_stat, min_stat;
 	gss_cred_id_t credh;
 	gss_OID_set_desc  desired_mechs;
-	krb5_enctype enctypes[] = { ENCTYPE_DES_CBC_CRC,
-				    ENCTYPE_DES_CBC_MD5,
-				    ENCTYPE_DES_CBC_MD4 };
-	int num_enctypes = sizeof(enctypes) / sizeof(enctypes[0]);
 
 	/* We only care about getting a krb5 cred */
 	desired_mechs.count = 1;
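Review bot: dropping the function-local copy is fine, but `limit_krb5_enctypes()` and `gssd_get_single_krb5_cred()` now depend on one definition roughly 180 lines apart, and nothing in this function says so; either name the array something like `supported_enctypes` or add a short comment here, because a change meant only for the GSS allowable-enctype limit will now also change what is requested from the KDC, and vice versa.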
@@ -412,6 +412,7 @@ gssd_get_single_krb5_cred(krb5_context context,
 
 	krb5_get_init_creds_opt_init(&options);
 	krb5_get_init_creds_opt_set_address_list(&options, NULL);
+	krb5_get_init_creds_opt_set_etype_list(&options, enctypes, num_enctypes);
 #ifdef TEST_SHORT_LIFETIME
 	/* set a short lifetime (for debugging only!) */
 	printerr(0, "WARNING: Using (debug) short machine cred lifetime!\n");
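Review bot: `krb5_get_init_creds_opt_set_etype_list()` only changes what the AS-REQ asks for; when the KDC holds no key of any listed type for the machine principal, the subsequent `krb5_get_init_creds_*` call that consumes `options` will fail outright instead of handing back an unusable credential, so make sure that error path reports the principal and the KDC error through `printerr()` (used just below) so an operator can tell "no DES key on the KDC" from other failures. The commit message should also state that this turns the hang described in the cover mail into a hard, visible failure.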

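To show what the cover mail describes, here is an added C model (not code from nfs-utils or from this patch) of the AS-REQ enctype negotiation: the KDC picks from the client's advertised list in its own preference order, and the client can only proceed if it implements the chosen type. The KDC preference list, the outcome codes and the helper names are constructed assumptions; the enctype numbers are the standard RFC values.

```c
#include <stdbool.h>
#include <stddef.h>

#define NELEM(a) (sizeof(a) / sizeof((a)[0]))

/* Kerberos enctype numbers (RFC 3961, 3962, 4757). */
enum { ETYPE_DES_CBC_CRC = 1, ETYPE_DES_CBC_MD4 = 2, ETYPE_DES_CBC_MD5 = 3,
       ETYPE_DES3_CBC_SHA1 = 16, ETYPE_AES128_CTS = 17, ETYPE_AES256_CTS = 18,
       ETYPE_RC4_HMAC = 23 };

/* The types the client can actually use: single DES, as in the patch. */
static const int client_supported[] = { ETYPE_DES_CBC_CRC, ETYPE_DES_CBC_MD5, ETYPE_DES_CBC_MD4 };

/* Constructed KDC policy (hypothetical): strongest types first, and no des-cbc-md4 key. */
static const int kdc_preference[] = { ETYPE_AES256_CTS, ETYPE_AES128_CTS, ETYPE_DES3_CBC_SHA1,
                                      ETYPE_RC4_HMAC, ETYPE_DES_CBC_CRC, ETYPE_DES_CBC_MD5 };

/* Before the patch: the library's whole list (the Kerberos types shown in the mail). */
const int advertised_before[] = { ETYPE_AES256_CTS, ETYPE_AES128_CTS, ETYPE_DES3_CBC_SHA1,
                                  ETYPE_RC4_HMAC, ETYPE_DES_CBC_CRC, ETYPE_DES_CBC_MD5, ETYPE_DES_CBC_MD4 };
/* After the patch: only the supported types are offered. */
const int advertised_after[] = { ETYPE_DES_CBC_CRC, ETYPE_DES_CBC_MD5, ETYPE_DES_CBC_MD4 };
const size_t n_before = NELEM(advertised_before), n_after = NELEM(advertised_after);

static bool in_list(int etype, const int *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (list[i] == etype)
            return true;
    return false;
}

/* KDC side: first type in the KDC's own preference order that the client offered; 0 if none. */
int kdc_select_etype(const int *advertised, size_t n)
{
    for (size_t i = 0; i < NELEM(kdc_preference); i++)
        if (in_list(kdc_preference[i], advertised, n))
            return kdc_preference[i];
    return 0;
}

/* Client side: 1 = usable session key, 0 = KDC chose a type we cannot decrypt (the hang
 * described in the mail), -1 = KDC could satisfy none of the offered types (a clean error). */
int as_exchange_outcome(const int *advertised, size_t n, int *chosen)
{
    *chosen = kdc_select_etype(advertised, n);
    if (*chosen == 0)
        return -1;
    return in_list(*chosen, client_supported, NELEM(client_supported)) ? 1 : 0;
}
```

With the pre-patch list the KDC picks aes256 and the client is stuck; with the patched list it picks des-cbc-crc, and a KDC with no matching key now returns a clean error rather than an unusable credential.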