On 12.08.2014 21:09, Sean Noonan wrote:
We're using sasl+gssapi+kerberos to do authentication for libvirt,
including from hypervisor to hypervisor. However, the environmental
variable filtering implemented in libvirt prevents this from working, so
we're forced to run a locally patched version.
Thoughts on the following patch to pass the location of the local
credential cache as well?
--- a/src/util/vircommand.c2014-01-07 14:14:11.388934108 +
+++ b/src/util/vircommand.c2014-01-07 14:18:14.725082505 +
@@ -1314,6 +1314,7 @@
virCommandAddEnvPair(cmd, LC_ALL, C);
+virCommandAddEnvPassBlockSUID(cmd, KRB5CCNAME, NULL);
virCommandAddEnvPassBlockSUID(cmd, LD_PRELOAD, NULL);
virCommandAddEnvPassBlockSUID(cmd, LD_LIBRARY_PATH, NULL);
virCommandAddEnvPassBlockSUID(cmd, PATH, /bin:/usr/bin);
I've got some doubts whether this is the correct approach. This will pass the
environment variable to every command spawned. Do we really want every command
have access to kerberos tickets? On the other hand, we've done this for a
limited use case:
commit afc984af2e055b33f7c7b06ccacaf00103d4ce5e
Author: Michal Privoznik mpriv...@redhat.com
AuthorDate: Fri Sep 9 15:59:26 2011 +0200
Commit: Michal Privoznik mpriv...@redhat.com
CommitDate: Fri Sep 9 15:59:26 2011 +0200
virnetsocket: Pass KRB5CCNAME env variable
So we can allow GSSAPI authentication for ssh.
Signed-off-by: Matthias Witte wi...@netzquadrat.de
patch-snip/
diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c
index 275b70d..88dc2a4 100644
--- a/src/rpc/virnetsocket.c
+++ b/src/rpc/virnetsocket.c
@@ -615,6 +615,7 @@ int virNetSocketNewConnectSSH(const char *nodename,
cmd = virCommandNew(binary ? binary : ssh);
virCommandAddEnvPassCommon(cmd);
+virCommandAddEnvPass(cmd, KRB5CCNAME);
virCommandAddEnvPass(cmd, SSH_AUTH_SOCK);
virCommandAddEnvPass(cmd, SSH_ASKPASS);
virCommandAddEnvPass(cmd, DISPLAY);
Moreover, is KRB5CCNAME enough? What about KRB5_KTNAME?
And regarding the patch itself, I think you want to increase the preallocation
constant too:
diff --git a/src/util/vircommand.c b/src/util/vircommand.c
index e775ba6..aa493cd 100644
--- a/src/util/vircommand.c
+++ b/src/util/vircommand.c
@@ -1312,7 +1312,7 @@ virCommandAddEnvPassCommon(virCommandPtr cmd)
if (!cmd || cmd-has_error)
return;
-if (VIR_RESIZE_N(cmd-env, cmd-maxenv, cmd-nenv, 9) 0) {
+if (VIR_RESIZE_N(cmd-env, cmd-maxenv, cmd-nenv, 10) 0) {
cmd-has_error = ENOMEM;
return;
}
@@ -1326,6 +1326,7 @@ virCommandAddEnvPassCommon(virCommandPtr cmd)
virCommandAddEnvPassAllowSUID(cmd, USER);
virCommandAddEnvPassAllowSUID(cmd, LOGNAME);
virCommandAddEnvPassBlockSUID(cmd, TMPDIR, NULL);
+virCommandAddEnvPassBlockSUID(cmd, KRB5CCNAME, NULL);
}
/**
Michal
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list