
Bug#622146: nfs-common: compatibility between squeeze and sid broken



>>>>> "Steve" == Steve Langasek <vorlon@debian.org> writes:

    Steve> Hi Sam, I've also run into this bug, in the context of
    Steve> preparing to update nfs-utils in Ubuntu for IPv6 support.  My
    Steve> NFS server is running squeeze, and updating causes the client
    Steve> and server to fail to negotiate as described.

Your nfs server is squeeze and your client was squeeze but is now more
than squeeze?

(substitute Ubuntu releases with pre-IPv6 nfs-utils as appropriate for
squeeze?)

R24603 in MIT upstream subversion.

See attached.

I'm happy to interact with SRM for the krb5 side of it.  However, the
bug as reported didn't seem to be this one because the server involved
was older than squeeze.

So I didn't actually have any users requesting a solution to a problem
I knew how to solve.  If you have a problem that this krb5 patch and the
mentioned nfs-utils patch solve then we definitely should propose a
backport to SRM.  I'll be happy to prepare krb5 packages.


From 82affd78ac2c2b13bacf8e004f13f2d0dba5acea Mon Sep 17 00:00:00 2001
From: ghudson <ghudson@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Tue, 25 Jan 2011 00:23:48 +0000
Subject: [PATCH] ticket: 6852
 subject: Make gss_krb5_set_allowable_enctypes work for the acceptor
 target_version: 1.9.1
 tags: pullup

With the addition of enctype negotiation in 1.7, a gss-krb5 acceptor
can choose an enctype for the acceptor subkey other than the one in
the keytab.  If the resulting security context will be exported and
re-imported by another gss-krb5 implementation (such as one in the
kernel), the acceptor needs a way to restrict the set of negotiated
enctypes to those supported by the other implementation.  We had that
functionality for the initiator already in the form of
gss_krb5_set_allowable_enctypes; this change makes it work for the
acceptor as well.


git-svn-id: svn://anonsvn.mit.edu/svn/krb5/trunk@24603 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/lib/gssapi/krb5/accept_sec_context.c |    9 +++++++++
 1 files changed, 9 insertions(+), 0 deletions(-)

diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index 9d40f68..c3cb2f1 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -623,6 +623,15 @@ kg_accept_krb5(minor_status, context_handle,
         goto fail;
     }
 
+    /* Limit the encryption types negotiated (if requested). */
+    if (cred->req_enctypes) {
+        if ((code = krb5_set_default_tgs_enctypes(context,
+                                                  cred->req_enctypes))) {
+            major_status = GSS_S_FAILURE;
+            goto fail;
+        }
+    }
+
     if ((code = krb5_rd_req(context, &auth_context, &ap_req,
                             cred->default_identity ? NULL : cred->name->princ,
                             cred->keytab,
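
Review bot: The new comment above the krb5_set_default_tgs_enctypes() call says what is limited but not why a setter named for TGS enctypes governs what the acceptor negotiates in the krb5_rd_req() call that follows; a sentence spelling out that link would save the next reader a trip through the library. The call also changes a setting on `context` itself rather than on this one request, so please confirm that `context` is not later reused with a credential whose req_enctypes differ or are unset, or restore the previous list on the way out. On the failure branch, major_status is set to GSS_S_FAILURE while the specific error stays in `code`; check that the `fail` label reports `code` as the minor status so a caller can tell a rejected enctype list from other failures.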
-- 
1.7.4.1

