Changes in mech en Copyright 2025 Java d0b2dbfa0ecf2bbc9709efc5e20baf8e4b44bbbf - Remove $FreeBSD$: one-line sh pattern http://opengrok.net:8080/history/src/etc/gss/mech#d0b2dbfa0ecf2bbc9709efc5e20baf8e4b44bbbf Remove $FreeBSD$: one-line sh patternRemove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/ List of files: /src/etc/gss/mech Wed, 16 Aug 2023 17:55:03 +0000 Warner Losh <imp@FreeBSD.org> d0b2dbfa0ecf2bbc9709efc5e20baf8e4b44bbbf - Remove $FreeBSD$: one-line sh pattern http://opengrok.net:8080/history/src/etc/gss/mech#d0b2dbfa0ecf2bbc9709efc5e20baf8e4b44bbbf Remove $FreeBSD$: one-line sh patternRemove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/ List of files: /src/etc/gss/mech Wed, 16 Aug 2023 17:55:03 +0000 Warner Losh <imp@FreeBSD.org> e57c2b130f2cd40967cf20698d376cc5ada95871 - integrate from head@185615 http://opengrok.net:8080/history/src/etc/gss/mech#e57c2b130f2cd40967cf20698d376cc5ada95871 integrate from head@185615 List of files: /src/etc/gss/mech Thu, 04 Dec 2008 18:48:08 +0000 Dag-Erling Smørgrav <des@FreeBSD.org> a9148abd9da5db2f1c682fb17bed791845fc41c9 - Implement support for RPCSEC_GSS authentication to both the NFS client http://opengrok.net:8080/history/src/etc/gss/mech#a9148abd9da5db2f1c682fb17bed791845fc41c9 Implement support for RPCSEC_GSS authentication to both the NFS clientand server. This replaces the RPC implementation of the NFS client andserver with the newer RPC implementation originally developed(actually ported from the userland sunrpc code) to support the NFSLock Manager. I have tested this code extensively and I believe it isstable and that performance is at least equal to the legacy RPCimplementation.The NFS code currently contains support for both the new RPCimplementation and the older legacy implementation inherited from theoriginal NFS codebase. The default is to use the new implementation -add the NFS_LEGACYRPC option to fall back to the old code. When Imerge this support back to RELENG_7, I will probably change this sothat users have to 'opt in' to get the new code.To use RPCSEC_GSS on either client or server, you must build a kernelwhich includes the KGSSAPI option and the crypto device. On theuserland side, you must build at least a new libc, mountd, mount_nfsand gssd. You must install new versions of /etc/rc.d/gssd and/etc/rc.d/nfsd and add 'gssd_enable=YES' to /etc/rc.conf.As long as gssd is running, you should be able to mount an NFSfilesystem from a server that requires RPCSEC_GSS authentication. Themount itself can happen without any kerberos credentials but allaccess to the filesystem will be denied unless the accessing user hasa valid ticket file in the standard place (/tmp/krb5cc_<uid>). Thereis currently no support for situations where the ticket file is in adifferent place, such as when the user logged in via SSH and hasdelegated credentials from that login. This restriction is alsopresent in Solaris and Linux. In theory, we could improve this infuture, possibly using Brooks Davis' implementation of variantsymlinks.Supporting RPCSEC_GSS on a server is nearly as simple. You must createservice creds for the server in the form 'nfs/<fqdn>@<REALM>' andinstall them in /etc/krb5.keytab. The standard heimdal utility ktutilmakes this fairly easy. After the service creds have been created, youcan add a '-sec=krb5' option to /etc/exports and restart both mountdand nfsd.The only other difference an administrator should notice is that nfsddoesn't fork to create service threads any more. In normal operation,there will be two nfsd processes, one in userland waiting for TCPconnections and one in the kernel handling requests. The latterprocess will create as many kthreads as required - these should bevisible via 'top -H'. The code has some support for varying the numberof service threads according to load but initially at least, nfsd usesa fixed number of threads according to the value supplied to its '-n'option.Sponsored by: Isilon SystemsMFC after: 1 month List of files: /src/etc/gss/mech Mon, 03 Nov 2008 10:38:00 +0000 Doug Rabson <dfr@FreeBSD.org> 33f12199250a09b573f7a518b523fdac3f120b8f - Fix conflicts after heimdal-1.1 import and add build infrastructure. Import http://opengrok.net:8080/history/src/etc/gss/mech#33f12199250a09b573f7a518b523fdac3f120b8f Fix conflicts after heimdal-1.1 import and add build infrastructure. Importall non-style changes made by heimdal to our own libgssapi. List of files: /src/etc/gss/mech Wed, 07 May 2008 13:53:12 +0000 Doug Rabson <dfr@FreeBSD.org> 9f0c02d4255b2036f652c924d3df4fa88c7c721a - Update the shlib version for libgssapi_krb5. This file needs to be updated http://opengrok.net:8080/history/src/etc/gss/mech#9f0c02d4255b2036f652c924d3df4fa88c7c721a Update the shlib version for libgssapi_krb5. This file needs to be updatedanytime that library version is bumped.XXX: I wonder if this breaks any 6.x binaries using Kerberos5 via GSSAPI. List of files: /src/etc/gss/mech Tue, 27 Nov 2007 21:47:56 +0000 John Baldwin <jhb@FreeBSD.org> c0b9f4fe659b6839541970eb5675e57f4d814969 - Add a new extensible GSS-API layer which can support GSS-API plugins, http://opengrok.net:8080/history/src/etc/gss/mech#c0b9f4fe659b6839541970eb5675e57f4d814969 Add a new extensible GSS-API layer which can support GSS-API plugins,similar the the Solaris implementation. Repackage the krb5 GSS mechanismas a plugin library for the new implementation. This also includes acomprehensive set of manpages for the GSS-API functions with text mostlytaken from the RFC.Reviewed by: Love Hörnquist Åstrand <lha@it.su.se>, ru (build system), des (openssh parts) List of files: /src/etc/gss/mech Thu, 29 Dec 2005 14:40:22 +0000 Doug Rabson <dfr@FreeBSD.org> d0b2dbfa0ecf2bbc9709efc5e20baf8e4b44bbbf - Remove $FreeBSD$: one-line sh pattern http://opengrok.net:8080/history/src/etc/gss/mech#d0b2dbfa0ecf2bbc9709efc5e20baf8e4b44bbbf Remove $FreeBSD$: one-line sh patternRemove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/ List of files: /src/etc/gss/mech Wed, 16 Aug 2023 17:55:03 +0000 Warner Losh <imp@FreeBSD.org> e57c2b130f2cd40967cf20698d376cc5ada95871 - integrate from head@185615 http://opengrok.net:8080/history/src/etc/gss/mech#e57c2b130f2cd40967cf20698d376cc5ada95871 integrate from head@185615 List of files: /src/etc/gss/mech Thu, 04 Dec 2008 18:48:08 +0000 Dag-Erling Smørgrav <des@FreeBSD.org> a9148abd9da5db2f1c682fb17bed791845fc41c9 - Implement support for RPCSEC_GSS authentication to both the NFS client http://opengrok.net:8080/history/src/etc/gss/mech#a9148abd9da5db2f1c682fb17bed791845fc41c9 Implement support for RPCSEC_GSS authentication to both the NFS clientand server. This replaces the RPC implementation of the NFS client andserver with the newer RPC implementation originally developed(actually ported from the userland sunrpc code) to support the NFSLock Manager. I have tested this code extensively and I believe it isstable and that performance is at least equal to the legacy RPCimplementation.The NFS code currently contains support for both the new RPCimplementation and the older legacy implementation inherited from theoriginal NFS codebase. The default is to use the new implementation -add the NFS_LEGACYRPC option to fall back to the old code. When Imerge this support back to RELENG_7, I will probably change this sothat users have to 'opt in' to get the new code.To use RPCSEC_GSS on either client or server, you must build a kernelwhich includes the KGSSAPI option and the crypto device. On theuserland side, you must build at least a new libc, mountd, mount_nfsand gssd. You must install new versions of /etc/rc.d/gssd and/etc/rc.d/nfsd and add 'gssd_enable=YES' to /etc/rc.conf.As long as gssd is running, you should be able to mount an NFSfilesystem from a server that requires RPCSEC_GSS authentication. Themount itself can happen without any kerberos credentials but allaccess to the filesystem will be denied unless the accessing user hasa valid ticket file in the standard place (/tmp/krb5cc_<uid>). Thereis currently no support for situations where the ticket file is in adifferent place, such as when the user logged in via SSH and hasdelegated credentials from that login. This restriction is alsopresent in Solaris and Linux. In theory, we could improve this infuture, possibly using Brooks Davis' implementation of variantsymlinks.Supporting RPCSEC_GSS on a server is nearly as simple. You must createservice creds for the server in the form 'nfs/<fqdn>@<REALM>' andinstall them in /etc/krb5.keytab. The standard heimdal utility ktutilmakes this fairly easy. After the service creds have been created, youcan add a '-sec=krb5' option to /etc/exports and restart both mountdand nfsd.The only other difference an administrator should notice is that nfsddoesn't fork to create service threads any more. In normal operation,there will be two nfsd processes, one in userland waiting for TCPconnections and one in the kernel handling requests. The latterprocess will create as many kthreads as required - these should bevisible via 'top -H'. The code has some support for varying the numberof service threads according to load but initially at least, nfsd usesa fixed number of threads according to the value supplied to its '-n'option.Sponsored by: Isilon SystemsMFC after: 1 month List of files: /src/etc/gss/mech Mon, 03 Nov 2008 10:38:00 +0000 Doug Rabson <dfr@FreeBSD.org> 33f12199250a09b573f7a518b523fdac3f120b8f - Fix conflicts after heimdal-1.1 import and add build infrastructure. Import http://opengrok.net:8080/history/src/etc/gss/mech#33f12199250a09b573f7a518b523fdac3f120b8f Fix conflicts after heimdal-1.1 import and add build infrastructure. Importall non-style changes made by heimdal to our own libgssapi. List of files: /src/etc/gss/mech Wed, 07 May 2008 13:53:12 +0000 Doug Rabson <dfr@FreeBSD.org> 9f0c02d4255b2036f652c924d3df4fa88c7c721a - Update the shlib version for libgssapi_krb5. This file needs to be updated http://opengrok.net:8080/history/src/etc/gss/mech#9f0c02d4255b2036f652c924d3df4fa88c7c721a Update the shlib version for libgssapi_krb5. This file needs to be updatedanytime that library version is bumped.XXX: I wonder if this breaks any 6.x binaries using Kerberos5 via GSSAPI. List of files: /src/etc/gss/mech Tue, 27 Nov 2007 21:47:56 +0000 John Baldwin <jhb@FreeBSD.org> c0b9f4fe659b6839541970eb5675e57f4d814969 - Add a new extensible GSS-API layer which can support GSS-API plugins, http://opengrok.net:8080/history/src/etc/gss/mech#c0b9f4fe659b6839541970eb5675e57f4d814969 Add a new extensible GSS-API layer which can support GSS-API plugins,similar the the Solaris implementation. Repackage the krb5 GSS mechanismas a plugin library for the new implementation. This also includes acomprehensive set of manpages for the GSS-API functions with text mostlytaken from the RFC.Reviewed by: Love Hörnquist Åstrand <lha@it.su.se>, ru (build system), des (openssh parts) List of files: /src/etc/gss/mech Thu, 29 Dec 2005 14:40:22 +0000 Doug Rabson <dfr@FreeBSD.org> e57c2b130f2cd40967cf20698d376cc5ada95871 - integrate from head@185615 http://opengrok.net:8080/history/src/etc/gss/mech#e57c2b130f2cd40967cf20698d376cc5ada95871 integrate from head@185615 List of files: /src/etc/gss/mech Thu, 04 Dec 2008 18:48:08 +0000 Dag-Erling Smørgrav <des@FreeBSD.org> a9148abd9da5db2f1c682fb17bed791845fc41c9 - Implement support for RPCSEC_GSS authentication to both the NFS client http://opengrok.net:8080/history/src/etc/gss/mech#a9148abd9da5db2f1c682fb17bed791845fc41c9 Implement support for RPCSEC_GSS authentication to both the NFS clientand server. This replaces the RPC implementation of the NFS client andserver with the newer RPC implementation originally developed(actually ported from the userland sunrpc code) to support the NFSLock Manager. I have tested this code extensively and I believe it isstable and that performance is at least equal to the legacy RPCimplementation.The NFS code currently contains support for both the new RPCimplementation and the older legacy implementation inherited from theoriginal NFS codebase. The default is to use the new implementation -add the NFS_LEGACYRPC option to fall back to the old code. When Imerge this support back to RELENG_7, I will probably change this sothat users have to 'opt in' to get the new code.To use RPCSEC_GSS on either client or server, you must build a kernelwhich includes the KGSSAPI option and the crypto device. On theuserland side, you must build at least a new libc, mountd, mount_nfsand gssd. You must install new versions of /etc/rc.d/gssd and/etc/rc.d/nfsd and add 'gssd_enable=YES' to /etc/rc.conf.As long as gssd is running, you should be able to mount an NFSfilesystem from a server that requires RPCSEC_GSS authentication. Themount itself can happen without any kerberos credentials but allaccess to the filesystem will be denied unless the accessing user hasa valid ticket file in the standard place (/tmp/krb5cc_<uid>). Thereis currently no support for situations where the ticket file is in adifferent place, such as when the user logged in via SSH and hasdelegated credentials from that login. This restriction is alsopresent in Solaris and Linux. In theory, we could improve this infuture, possibly using Brooks Davis' implementation of variantsymlinks.Supporting RPCSEC_GSS on a server is nearly as simple. You must createservice creds for the server in the form 'nfs/<fqdn>@<REALM>' andinstall them in /etc/krb5.keytab. The standard heimdal utility ktutilmakes this fairly easy. After the service creds have been created, youcan add a '-sec=krb5' option to /etc/exports and restart both mountdand nfsd.The only other difference an administrator should notice is that nfsddoesn't fork to create service threads any more. In normal operation,there will be two nfsd processes, one in userland waiting for TCPconnections and one in the kernel handling requests. The latterprocess will create as many kthreads as required - these should bevisible via 'top -H'. The code has some support for varying the numberof service threads according to load but initially at least, nfsd usesa fixed number of threads according to the value supplied to its '-n'option.Sponsored by: Isilon SystemsMFC after: 1 month List of files: /src/etc/gss/mech Mon, 03 Nov 2008 10:38:00 +0000 Doug Rabson <dfr@FreeBSD.org> 33f12199250a09b573f7a518b523fdac3f120b8f - Fix conflicts after heimdal-1.1 import and add build infrastructure. Import http://opengrok.net:8080/history/src/etc/gss/mech#33f12199250a09b573f7a518b523fdac3f120b8f Fix conflicts after heimdal-1.1 import and add build infrastructure. Importall non-style changes made by heimdal to our own libgssapi. List of files: /src/etc/gss/mech Wed, 07 May 2008 13:53:12 +0000 Doug Rabson <dfr@FreeBSD.org> 9f0c02d4255b2036f652c924d3df4fa88c7c721a - Update the shlib version for libgssapi_krb5. This file needs to be updated http://opengrok.net:8080/history/src/etc/gss/mech#9f0c02d4255b2036f652c924d3df4fa88c7c721a Update the shlib version for libgssapi_krb5. This file needs to be updatedanytime that library version is bumped.XXX: I wonder if this breaks any 6.x binaries using Kerberos5 via GSSAPI. List of files: /src/etc/gss/mech Tue, 27 Nov 2007 21:47:56 +0000 John Baldwin <jhb@FreeBSD.org> c0b9f4fe659b6839541970eb5675e57f4d814969 - Add a new extensible GSS-API layer which can support GSS-API plugins, http://opengrok.net:8080/history/src/etc/gss/mech#c0b9f4fe659b6839541970eb5675e57f4d814969 Add a new extensible GSS-API layer which can support GSS-API plugins,similar the the Solaris implementation. Repackage the krb5 GSS mechanismas a plugin library for the new implementation. This also includes acomprehensive set of manpages for the GSS-API functions with text mostlytaken from the RFC.Reviewed by: Love Hörnquist Åstrand <lha@it.su.se>, ru (build system), des (openssh parts) List of files: /src/etc/gss/mech Thu, 29 Dec 2005 14:40:22 +0000 Doug Rabson <dfr@FreeBSD.org>