~~~~~~~~~~~~~~~~~~~~~~~~
GSSAPI mechanism modules are registered using the file
-``/etc/gss/mech`` or configuration files in the ``/etc/gss/mech.d/``
-directory. Only files with a ``.conf`` suffix will be read from the
-``/etc/gss/mech.d/`` directory. Each line in these files has the
-form::
+|sysconfdir|\ ``/gss/mech`` or configuration files in the
+|sysconfdir|\ ``/gss/mech.d`` directory with a ``.conf``
+suffix. Each line in these files has the form::
oid pathname [options] <type>
Currently the only special module type is "interposer", for a module
designed to intercept calls to other mechanisms.
+If the environment variable **GSS_MECH_CONFIG** is set, its value is
+used as the sole mechanism configuration filename.
+
.. _profile_plugin_config:
Kerberos config file :ref:`krb5.conf(5)` |krb5conf|\ ``:``\ **KRB5_CONFIG**
|sysconfdir|\ ``/krb5.conf``
KDC config file :ref:`kdc.conf(5)` |kdcdir|\ ``/kdc.conf`` **KRB5_KDC_PROFILE**
+GSS mechanism config file |sysconfdir|\ ``/gss.mech`` **GSS_MECH_CONFIG**
KDC database path (DB2) |kdcdir|\ ``/principal``
Master key :ref:`stash_definition` |kdcdir|\ ``/.k5.``\ *realm*
Admin server ACL file :ref:`kadm5.acl(5)` |kdcdir|\ ``/kadm5.acl``
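Review bot: The new table row at L20 gives the default as `|sysconfdir|\ ``/gss.mech```, which is not the path the rest of this change documents and loads; everywhere else it is `/gss/mech`. The row should read `GSS mechanism config file |sysconfdir|\ ``/gss/mech`` **GSS_MECH_CONFIG**`. It would also help readers to indicate, as the env.rst entry does, that `.conf` files under `gss/mech.d` are read in addition to that file, since this table is where people look up default locations.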
A mechanism module is a Unix shared object or Windows DLL, built
separately from the krb5 tree. Modules are loaded according to the
-``/etc/gss/mech`` or ``/etc/gss/mech.d/*.conf`` config files, as
-described in :ref:`gssapi_plugin_config`.
+GSS mechanism config files described in :ref:`gssapi_plugin_config`.
For the most part, a GSSAPI mechanism module exports the same
functions as would a GSSAPI implementation itself, with the same
gss_OID_set gss_mech_interposer(gss_OID mech_type);
This function is invoked with the OID of the interposer mechanism as
-specified in ``/etc/gss/mech`` or in a ``/etc/gss/mech.d/*.conf``
-file, and returns a set of mechanism OIDs to be interposed. The
-returned OID set must have been created using the mechglue's
-gss_create_empty_oid_set and gss_add_oid_set_member functions.
+specified in the mechanism config file, and returns a set of mechanism
+OIDs to be interposed. The returned OID set must have been created
+using the mechglue's gss_create_empty_oid_set and
+gss_add_oid_set_member functions.
An interposer module must use the prefix ``gssi_`` for the GSSAPI
functions it exports, instead of the prefix ``gss_``.
**KPROP_PORT**
:ref:`kprop(8)` port to use. Defaults to 754.
+**GSS_MECH_CONFIG**
+ Specifies a filename containing GSSAPI mechanism module
+ configuration. The default is to read |sysconfdir|\ ``/gss/mech``
+ and files with a ``.conf`` suffix within the directory
+ |sysconfdir|\ ``/gss/mech.d``.
+
Most environment variables are disabled for certain programs, such as
login system programs and setuid programs, which are designed to be
secure when run within an untrusted process environment.
KRB5_KTNAME=$K5ROOT/ovsec_adm.keytab; export KRB5_KTNAME
KRB5_CLIENT_KTNAME=$K5ROOT/client_keytab; export KRB5_CLIENT_KTNAME
KRB5CCNAME=$K5ROOT/krb5cc_unit-test; export KRB5CCNAME
+GSS_MECH_CONFIG=$K5ROOT/mech.conf; export GSS_MECH_CONFIG
# Make sure we don't get confused by translated messages
# or localized times.
setenv KRB5_KDC_PROFILE $KRB5_KDC_PROFILE
setenv KRB5_KTNAME $KRB5_KTNAME
setenv KRB5_CLIENT_KTNAME $KRB5_CLIENT_KTNAME
+setenv GSS_MECH_CONFIG $GSS_MECH_CONFIG
$KRB5_RUN_ENV_CSH
EOF
glob_t globbuf;
time_t highest = 0, now;
char **path;
+ const char *val;
/* Don't glob and stat more than once per second. */
if (time(&now) == (time_t)-1 || now == g_confLastCall)
return;
g_confLastCall = now;
+ val = secure_getenv("GSS_MECH_CONFIG");
+ if (val != NULL) {
+ load_if_changed(val, g_confFileModTime, &g_confFileModTime);
+ return;
+ }
+
load_if_changed(MECH_CONF, g_confFileModTime, &highest);
memset(&globbuf, 0, sizeof(globbuf));
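Review bot: The `secure_getenv()` call at L74 is the correct guard, but nothing at the call site says why, and a future edit could quietly turn it into `getenv()`; add a comment such as `/* Use secure_getenv(): the named file selects shared objects to load, so it must be ignored in setuid/setgid (AT_SECURE) processes. */`. When the variable is set, the `MECH_CONF` and `mech.d` scan below is skipped entirely, so a set-but-nonexistent path presumably leaves no mechanisms registered; that appears intended (the test harness relies on it) but is worth stating in the same comment. On platforms without a native `secure_getenv` this relies on the tree's portability fallback being in scope, which this hunk does not show. The enclosing function starts before and ends after this hunk.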
.TP
\fBKPROP_PORT\fP
kprop(8) port to use. Defaults to 754.
+.TP
+\fBGSS_MECH_CONFIG\fP
+Specifies a filename containing GSSAPI mechanism module
+configuration. The default is to read \fB@SYSCONFDIR@\fP\fB/gss/mech\fP
+and files with a \fB\&.conf\fP suffix within the directory
+\fB@SYSCONFDIR@\fP\fB/gss/mech.d\fP\&.
.UNINDENT
.sp
Most environment variables are disabled for certain programs, such as
gss-threads misc threads softpkcs11
RUN_DB_TEST = $(RUN_SETUP) KRB5_KDC_PROFILE=kdc.conf KRB5_CONFIG=krb5.conf \
- LC_ALL=C $(VALGRIND)
+ GSS_MECH_CONFIG=mech.conf LC_ALL=C $(VALGRIND)
OBJS= adata.o etinfo.o forward.o gcred.o hist.o hooks.o hrealm.o \
icinterleave.o icred.o kdbtest.o localauth.o plugorder.o rdreq.o \
#
set envvars_tosave {
KRB5_CONFIG KRB5CCNAME KRB5_CLIENT_KTNAME KRB5RCACHEDIR KRB5_KDC_PROFILE
+ GSS_MECH_CONFIG
}
set krb5_init_vars [list ]
# XXX -- fix me later!
catch "unset orig_krb5rcachedir"
}
+if [ info exists env(GSS_MECH_CONFIG)] {
+ set orig_gss_mech_config $env(GSS_MECH_CONFIG)
+} else {
+ catch "unset orig_gss_mech_config"
+}
+
# setup_kerberos_env
# Set the environment variables needed to run Kerberos programs.
set env(KRB5RCACHEDIR) $tmppwd
verbose "KRB5RCACHEDIR=$env(KRB5RCACHEDIR)"
+ # Direct the GSS library at a nonexistent file in the temporary
+ # directory, to avoid interference from system configuration.
+ set env(GSS_MECH_CONFIG) $tmppwd/mech.conf
+ verbose "GSS_MECH_CONFIG=$env(GSS_MECH_CONFIG)"
+
# Get the run time environment variables... (including LD_LIBRARY_PATH)
setup_runtime_env
puts $envfile "KRB5CCNAME=$env(KRB5CCNAME)"
puts $envfile "KRB5_CLIENT_KTNAME=$env(KRB5_CLIENT_KTNAME)"
puts $envfile "KRB5RCACHEDIR=$env(KRB5RCACHEDIR)"
+ puts $envfile "GSS_MECH_CONFIG=$env(GSS_MECH_CONFIG)"
if [info exists env(KRB5_KDC_PROFILE)] {
puts $envfile "KRB5_KDC_PROFILE=$env(KRB5_KDC_PROFILE)"
} else {
}
puts $envfile "export KRB5_CONFIG KRB5CCNAME KRB5RCACHEDIR"
puts $envfile "export KRB5_KDC_PROFILE KRB5_CLIENT_KTNAME"
+ puts $envfile "export GSS_MECH_CONFIG"
foreach i $krb5_init_vars {
regexp "^(\[^=\]*)=(.*)" $i foo evar evalue
puts $envfile "$evar=$env($evar)"
puts $envfile "setenv KRB5CCNAME $env(KRB5CCNAME)"
puts $envfile "setenv KRB5_CLIENT_KTNAME $env(KRB5_CLIENT_KTNAME)"
puts $envfile "setenv KRB5RCACHEDIR $env(KRB5RCACHEDIR)"
+ puts $envfile "setenv GSS_MECH_CONFIG $env(GSS_MECH_CONFIG)"
if [info exists env(KRB5_KDC_PROFILE)] {
puts $envfile "setenv KRB5_KDC_PROFILE $env(KRB5_KDC_PROFILE)"
} else {
self.keytab = os.path.join(self.testdir, 'keytab')
self.client_keytab = os.path.join(self.testdir, 'client_keytab')
self.ccache = os.path.join(self.testdir, 'ccache')
+ self.gss_mech_config = os.path.join(self.testdir, 'mech.conf')
self.kadmin_ccache = os.path.join(self.testdir, 'kadmin_ccache')
self._krb5_conf = _cfg_merge(_default_krb5_conf, krb5_conf)
base_kdc_conf = _default_kdc_conf
env['KRB5RCACHEDIR'] = self.testdir
env['KPROPD_PORT'] = str(self.kprop_port())
env['KPROP_PORT'] = str(self.kprop_port())
+ env['GSS_MECH_CONFIG'] = self.gss_mech_config
return env
def run(self, args, env=None, **keywords):