[cups.bugs] [MOD] STR #2045: Miscellaneous Kerberos fixes/improvements

jlovell.apple jlovell at apple.com
Fri Oct 20 17:03:37 PDT 2006


[STR New]

Miscellaneous Kerberos fixes/improvements

Attached is a patch with some Kerberos fixes/improvements...

config-scripts/cups-gssapi.m4:
config.h.in:
scheduler/conf.c:
scheduler/conf.h:
 - Support configurable Kerberos service name.

p.s. I'd argue "IPP" should be the default service name rather than
"HTTP".

cups/http.c:
  httpConnectEncrypt(): Initialize the gss context and name.
  httpClose(): Free the gss context and name.
  http_send(): Clear the Kerberos authentication string since it can only
be sent once.
  http_upgrade(): Clear the copy of the field_authorization pointer to
avoid a double free later.

cups/http-support.c:
  httpEncode64_2(): Could reference a byte beyond the end of the input
string.

cups/auth.c:
  cupsDoAuthentication(): 
    - Support a configurable Kerberos service name.
    - Clear gsssec context to avoid Kerberos "request is a replay" errors.
    - Free allocated input_token and output_token.
    - Fix token length.
    - Don't memset 'token' since it's only a pointer.

scheduler/auth.c:
  cupsdAuthorize():
    - Support configurable Kerberos service name.
    - Free GSS context and name in the right places.
  cupsdIsAuthorized():
    - Don't require TLS upgrade when using Kerberos.
    - Fix token length.

scheduler/ipp.c:
  save_krb5_creds() doesn't yet work so just return for now...

cgi-bin/Makefile:
scheduler/Makefile:
  - Add LIBGSSAPI to test targets.

scheduler/main.c:
  - main(): Limit MaxFDs to FD_SETSIZE (from 1.2 branch).

With these changes I'm able to use Kerberos authentication without any
noticeable memory leaks.
There's more to be done for cross-realm authentication and proxying TGTs
to cupsd but the Kerberos support is looking very good....

Thanks!

Link: http://www.cups.org/str.php?L2045
Version: 1.3-current
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: kerberos.patch
URL: <https://lists.cups.org/pipermail/cups/attachments/20061020/55049aeb/attachment.ksh>

