I got the following patches from Eric J. Barkie.
Purpose:
The main purpose of the client-side certificate patch is for restricting
access to repositories when dealing with licensed RPMS/distributions,
i.e., RHEL. The typical use would be to generate a CA and then with that
CA issue a certificate to each machine that will be running yum. The
main repository would be hosted with Apache under mod_ssl with the
SSLCACertificateFile set to your CA and SSLVerifyClient set to
"require". By doing this Apache takes care of the authentication and we
can ensure that the yum repository can only be accessed by the intended
clients.
Take a look and let me know what you think.
Tim
--- yum-3.1.6/yum/config.py.orig 2007-04-20 05:10:46.000000000 -0400
+++ yum-3.1.6/yum/config.py 2007-04-20 05:56:16.000000000 -0400
@@ -500,6 +500,7 @@
proxy = UrlOption(schemes=('http', 'ftp', 'https'), allow_none=True)
proxy_username = Option()
proxy_password = Option()
+ client_cert = Option()
installonlypkgs = ListOption(['kernel', 'kernel-bigmem',
'kernel-enterprise','kernel-smp', 'kernel-modules', 'kernel-debug',
'kernel-unsupported', 'kernel-source', 'kernel-devel'])
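Review bot: `client_cert = Option()` is a bare option with no validation, so a typo in the path or an unreadable file only surfaces when the first download fails with a generic `URLGrabError` instead of at config-parse time. The option should at least carry a comment saying what the value is, e.g. `# client_cert: path to a PEM file presented as the TLS client certificate`, and if urlgrabber expects the private key to live in that same PEM file (I cannot confirm that from the hunk) the comment should say so, since the key is what actually grants repository access and the file must be kept with restrictive permissions. The same applies to the repository-level `client_cert = Inherit(YumConf.client_cert)` in the next hunk.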
@@ -553,6 +554,7 @@
proxy_password = Inherit(YumConf.proxy_password)
retries = Inherit(YumConf.retries)
failovermethod = Inherit(YumConf.failovermethod)
+ client_cert = Inherit(YumConf.client_cert)
gpgcheck = Inherit(YumConf.gpgcheck)
keepalive = Inherit(YumConf.keepalive)
--- yum-3.1.6/yum/__init__.py.orig 2007-04-20 05:10:46.000000000 -0400
+++ yum-3.1.6/yum/__init__.py 2007-04-20 06:33:23.000000000 -0400
@@ -2025,7 +2025,7 @@
# Go get the GPG key from the given URL
try:
- rawkey = urlgrabber.urlread(keyurl, limit=9999)
+ rawkey = urlgrabber.urlread(keyurl, limit=9999, ssl_client_cert=self.conf.client_cert)
except urlgrabber.grabber.URLGrabError, e:
raise Errors.YumBaseError('GPG key retrieval failed: ' +
str(e))
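Review bot: The GPG key fetch passes the global `self.conf.client_cert`, while every other call site in this patch passes the repository's own `client_cert`, which a repo may override through `Inherit`. If `keyurl` comes from a repository's `gpgkey` setting — the enclosing function starts outside this hunk, so I cannot confirm — the repo-level value is the one that should be presented, e.g. `ssl_client_cert=repo.client_cert` when a repo object is in scope; otherwise a repository that overrides `client_cert` can download packages but offers the wrong certificate when retrieving its key.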
--- yum-3.1.6/yum/yumRepo.py.orig 2007-04-20 05:10:46.000000000 -0400
+++ yum-3.1.6/yum/yumRepo.py 2007-04-20 09:48:19.000000000 -0400
@@ -288,9 +288,9 @@
output = '[%s]\n' % self.id
vars = ['name', 'bandwidth', 'enabled', 'enablegroups',
'gpgcheck', 'includepkgs', 'keepalive', 'proxy',
- 'proxy_password', 'proxy_username', 'exclude',
- 'retries', 'throttle', 'timeout', 'mirrorlist',
- 'cachedir', 'gpgkey', 'pkgdir', 'hdrdir']
+ 'proxy_password', 'proxy_username', 'client_cert',
+ 'exclude', 'retries', 'throttle', 'timeout',
+ 'mirrorlist', 'cachedir', 'gpgkey', 'pkgdir', 'hdrdir']
vars.sort()
for attr in vars:
output = output + '%s = %s\n' % (attr, getattr(self, attr))
@@ -368,7 +368,8 @@
interrupt_callback=self.interrupt_callback,
timeout=self.timeout,
http_headers=headers,
- reget='simple')
+ reget='simple',
+ ssl_client_cert=self.client_cert)
self.grab = mgclass(self.grabfunc, self.urls,
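Review bot: This hunk only wires the client certificate into the grabber; nothing in the patch configures how the server's certificate is verified, and the mail's description relies on Apache authenticating the client without saying how yum authenticates the server. Whether urlgrabber's defaults verify the peer is outside this hunk, so a comment next to `ssl_client_cert=self.client_cert` such as `# NOTE: server verification is left to urlgrabber's defaults — confirm` would make the assumption visible to whoever deploys this with licensed content. The same argument is passed in the `getMirrorList` and `urlresolver.urlopen` hunks below.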
@@ -408,7 +409,7 @@
goodurls = []
if self.mirrorlist and not self.mirrorlistparsed:
- mirrorurls = getMirrorList(self.mirrorlist, self.proxy_dict)
+ mirrorurls = getMirrorList(self.mirrorlist, self.proxy_dict, self.client_cert)
self.mirrorlistparsed = 1
for url in mirrorurls:
url = parser.varReplace(url, self.yumvar)
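Review bot: `getMirrorList` is called with the certificate as a bare third positional argument, which reads as a proxy-related value next to `self.proxy_dict`; since the new parameter is optional and named, `mirrorurls = getMirrorList(self.mirrorlist, self.proxy_dict, client_cert=self.client_cert)` is clearer and survives a future reordering of the optional parameters.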
@@ -761,7 +762,7 @@
self.interrupt_callback = callback
self.setupGrab()
-def getMirrorList(mirrorlist, pdict = None):
+def getMirrorList(mirrorlist, pdict = None, client_cert = None):
"""retrieve an up2date-style mirrorlist file from a url,
we also s/$ARCH/$BASEARCH/ and move along
returns a list of the urls from that file"""
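Review bot: The docstring of `getMirrorList` was not updated for the new `client_cert` parameter (nor does it describe `pdict`); a line such as `client_cert, if given, is the path of the TLS client certificate presented when fetching the mirrorlist` would document the only behavioural change here. The function body continues past the end of this hunk.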
@@ -780,7 +781,7 @@
url = mirrorlist
try:
- fo = urlresolver.urlopen(url, proxies=pdict)
+ fo = urlresolver.urlopen(url, proxies=pdict, ssl_client_cert=client_cert)
except urlgrabber.grabber.URLGrabError, e:
print "Could not retrieve mirrorlist %s error was\n%s" % (url, e)
fo = None
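Review bot: A rejected TLS client authentication now lands in this same `except` and is reported only as "Could not retrieve mirrorlist", indistinguishable from a plain network error. Since `client_cert` is in scope, including it in the diagnostic helps the operator see which certificate was offered, e.g. `print "Could not retrieve mirrorlist %s (client_cert=%s) error was\n%s" % (url, client_cert, e)`; the enclosing function starts outside this hunk.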