From: Michael Tremer Date: Tue, 24 Jun 2025 14:31:57 +0000 (+0000) Subject: daemon: Remove Kerberos authentication X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ba1ae3c50383f3bb5ad58c07967eda581fc4ee22;p=pakfire.git daemon: Remove Kerberos authentication Signed-off-by: Michael Tremer --- diff --git a/src/pakfire/daemon.c b/src/pakfire/daemon.c index 705f8cbd..5f43dad2 100644 --- a/src/pakfire/daemon.c +++ b/src/pakfire/daemon.c @@ -23,8 +23,6 @@ #include -#include - #include #include #include @@ -45,12 +43,6 @@ #define PAKFIRE_STATS_WHEN_BUSY S_TO_US(15) #define PAKFIRE_STATS_WHEN_IDLE S_TO_US(60) -// Store all Kerberos credentials in memory -#define KRB5_CREDENTIALS_CACHE "MEMORY:" - -// The default keytab -#define KRB5_DEFAULT_KEYTAB "/etc/krb5.keytab" - #define MAX_JOBS 64 struct pakfire_daemon { @@ -66,9 +58,6 @@ struct pakfire_daemon { // URL char url[PATH_MAX]; - // Kerberos Keytab - char keytab[PATH_MAX]; - // Event Loop sd_event* loop; @@ -76,18 +65,6 @@ struct pakfire_daemon { sd_bus* bus; int inhibitfd; - // Kerberos Authentication - struct { - // Context - krb5_context ctx; - - // Credentials Cache - krb5_ccache ccache; - - // Host Princial - krb5_principal principal; - } krb5; - // Authentication Timer sd_event_source* auth_timer; @@ -905,197 +882,12 @@ static int pakfire_daemon_SIGCHLD(sd_event_source* s, const struct signalfd_sigi return 0; } -static int pakfire_daemon_setup_krb5(struct pakfire_daemon* daemon) { - char hostname[HOST_NAME_MAX]; - const char* error = NULL; - char* name = NULL; - int r; - - // Fetch our own hostname - r = gethostname(hostname, sizeof(hostname)); - if (r < 0) { - ERROR(daemon->ctx, "Could not fetch hostname: %m\n"); - r = -errno; - goto ERROR; - } - - // Setup a Kerberos context - r = krb5_init_context(&daemon->krb5.ctx); - if (r) { - error = krb5_get_error_message(daemon->krb5.ctx, r); - - ERROR(daemon->ctx, "Could not initialize Kerberos: %s\n", error); - goto ERROR; - } - - // Make the principal - r = krb5_sname_to_principal(daemon->krb5.ctx, - hostname, "host", KRB5_NT_SRV_HST, &daemon->krb5.principal); - if (r) { - error = krb5_get_error_message(daemon->krb5.ctx, r); - - ERROR(daemon->ctx, "Could not generate the host principal: %s\n", error); - goto ERROR; - } - - // Print the principal name - r = krb5_unparse_name(daemon->krb5.ctx, daemon->krb5.principal, &name); - if (r) { - error = krb5_get_error_message(daemon->krb5.ctx, r); - - ERROR(daemon->ctx, "Could not print the host principal: %s\n", error); - goto ERROR; - } - - DEBUG(daemon->ctx, "Authenticating as: %s\n", name); - - // Set the credentials cache environment variable - r = setenv("KRB5CCNAME", KRB5_CREDENTIALS_CACHE, 1); - if (r < 0) { - ERROR(daemon->ctx, "Could not set KRB5CCNAME: %m\n"); - r = -errno; - goto ERROR; - } - -ERROR: - if (error) - krb5_free_error_message(daemon->krb5.ctx, error); - if (name) - krb5_free_unparsed_name(daemon->krb5.ctx, name); - - return r; -} - static int pakfire_daemon_auth(sd_event_source* s, uint64_t usec, void* data) { struct pakfire_daemon* daemon = data; - krb5_get_init_creds_opt* options = NULL; - krb5_keytab keytab = NULL; - krb5_creds creds = {}; - const char* error = NULL; - char time[128]; - char* p = NULL; - int r; DEBUG(daemon->ctx, "Authenticating...\n"); - // Resolve the keytab - r = krb5_kt_resolve(daemon->krb5.ctx, daemon->keytab, &keytab); - if (r) { - error = krb5_get_error_message(daemon->krb5.ctx, r); - - ERROR(daemon->ctx, "Could not resolve the keytab: %s\n", error); - goto ERROR; - } - - // Fetch the credentials using the keytab - r = krb5_get_init_creds_keytab(daemon->krb5.ctx, &creds, daemon->krb5.principal, - keytab, 0, NULL, options); - if (r) { - switch (r) { - // If we could not reach the KDC, we will try again after one minute - case KRB5_KDC_UNREACH: - DEBUG(daemon->ctx, "Failed to contact the KDC. Retrying in 60 seconds...\n"); - - // Reset the timer - r = sd_event_source_set_time_relative(daemon->auth_timer, S_TO_US(60)); - if (r < 0) { - ERROR(daemon->ctx, "Could not reset the auth timer: %s\n", strerror(-r)); - goto ERROR; - } - - // Reset r - r = 0; - goto ERROR; - - // Fail for everything else - default: - error = krb5_get_error_message(daemon->krb5.ctx, r); - - ERROR(daemon->ctx, "Could not fetch credentials: %s\n", error); - goto ERROR; - } - } - - // Determine the end time - time_t t_end = creds.times.endtime; - - // Format the expiry time - p = ctime_r(&t_end, time); - if (!p) { - ERROR(daemon->ctx, "Could not format the expiry time: %m\n"); - r = -errno; - goto ERROR; - } - - DEBUG(daemon->ctx, "Successfully fetched credentials\n"); - DEBUG(daemon->ctx, " Expires: %s\n", time); - - // Destroy the content of the cache - if (daemon->krb5.ccache) { - r = krb5_cc_destroy(daemon->krb5.ctx, daemon->krb5.ccache); - if (r) { - error = krb5_get_error_message(daemon->krb5.ctx, r); - - ERROR(daemon->ctx, "Failed to destroy the credentials cache: %s\n", error); - r = -ENOTSUP; - goto ERROR; - } - } - - // Create a new credentials cache - r = krb5_cc_resolve(daemon->krb5.ctx, KRB5_CREDENTIALS_CACHE, &daemon->krb5.ccache); - if (r) { - error = krb5_get_error_message(daemon->krb5.ctx, r); - - ERROR(daemon->ctx, "Could not resolve the credentials cache: %s\n", error); - r = -EINVAL; - goto ERROR; - } - - // Initialize the cache for the principal - r = krb5_cc_initialize(daemon->krb5.ctx, daemon->krb5.ccache, daemon->krb5.principal); - if (r) { - error = krb5_get_error_message(daemon->krb5.ctx, r); - - ERROR(daemon->ctx, "Could not initialize the credentials cache: %s\n", error); - r = -EINVAL; - goto ERROR; - } - - // Store the credentials in the cache - r = krb5_cc_store_cred(daemon->krb5.ctx, daemon->krb5.ccache, &creds); - if (r) { - error = krb5_get_error_message(daemon->krb5.ctx, r); - - ERROR(daemon->ctx, "Could not store credentials: %s\n", error); - r = -EINVAL; - goto ERROR; - } - - // Refresh one hour before the expiry time - uint64_t t_refresh = S_TO_US(t_end - 3600); - - // Authenticate again just before the credentials expire - r = sd_event_source_set_time(daemon->auth_timer, t_refresh); - if (r < 0) { - ERROR(daemon->ctx, "Could not reset the auth timer: %s\n", strerror(-r)); - goto ERROR; - } - - // Turn on the connection timer - r = sd_event_source_set_enabled(daemon->connect_timer, SD_EVENT_ONESHOT); - if (r < 0) { - ERROR(daemon->ctx, "Could not enable the connection timer: %s\n", strerror(-r)); - goto ERROR; - } - -ERROR: - if (error) - krb5_free_error_message(daemon->krb5.ctx, error); - if (keytab) - krb5_kt_close(daemon->krb5.ctx, keytab); - - return r; + return 0; } static int pakfire_daemon_prepare_for_shutdown( @@ -1257,7 +1049,6 @@ static int pakfire_daemon_setup_loop(struct pakfire_daemon* daemon) { static int pakfire_daemon_configure(struct pakfire_daemon* daemon) { struct pakfire_config* config = NULL; - const char* keytab = NULL; const char* url = NULL; int r; @@ -1277,14 +1068,6 @@ static int pakfire_daemon_configure(struct pakfire_daemon* daemon) { if (r < 0) goto ERROR; - // Fetch the keytab - keytab = pakfire_config_get(config, "daemon", "keytab", KRB5_DEFAULT_KEYTAB); - - // Store the keytab - r = pakfire_string_set(daemon->keytab, keytab); - if (r < 0) - goto ERROR; - ERROR: if (config) pakfire_config_unref(config); @@ -1296,13 +1079,6 @@ static void pakfire_daemon_free(struct pakfire_daemon* daemon) { // Release shutdown inhibition pakfire_daemon_release_inhibit_shutdown(daemon); - if (daemon->krb5.principal) - krb5_free_principal(daemon->krb5.ctx, daemon->krb5.principal); - if (daemon->krb5.ccache) - krb5_cc_destroy(daemon->krb5.ctx, daemon->krb5.ccache); - if (daemon->krb5.ctx) - krb5_free_context(daemon->krb5.ctx); - if (daemon->auth_timer) sd_event_source_unref(daemon->auth_timer); if (daemon->connect_timer) @@ -1359,11 +1135,6 @@ int pakfire_daemon_create(struct pakfire_daemon** daemon, struct pakfire_ctx* ct if (r < 0) goto ERROR; - // Setup Kerberos Authentication - r = pakfire_daemon_setup_krb5(d); - if (r) - goto ERROR; - // Connect to the build service r = pakfire_client_create(&d->client, d->ctx, d->url); if (r < 0)