[PATCH 0/3] keyutils: request_key and DNS resolver changes
David Howells
dhowells at redhat.com
Thu Sep 13 14:08:37 UTC 2018
Here's a set of keyutils patches that makes it possible to override the DNS
resolver (or any other upcall target). This allows the kafs-utils package to
override requests to the dns resolver and make use of static configuration in
addition to DNS lookups. This allows this function to be moved out of
keyutils and allows the dependency on krb5 to be removed.
The following changes are made:
(1) request-key now has better command-line option support for debugging the
configuration.
(2) request-key now reads all its config files and searches for the best
match rather than the first match.
'Best match' is defined as the match with the least number of characters
skipped by a wildcard, first in the left most column, then in the next
column and so on.
So in the following two config lines:
create dns_resolver * * /sbin/key.dns_resolver %k
create dns_resolver afsdb:* * /sbin/dns_afsdb %k
For dns_resolver keys, the second line is preferred if the description
matches "afsdb:*" - no matter the order in which they're encountered -
but the first line will be used otherwise.
(3) The AFS cellservdb config file parsing is removed from key.dns_resolver
and the dependencies for the krb5 profile functions are dropped.
The patches can also be found here:
https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git
on branch next (bottom 3 patches).
Thanks,
David
---
David Howells (3):
request-key: Provide a command line option to suppress execution
request-key: Find best match rather than first match
Remove the dependency on MIT Kerberos
Makefile | 2
dns.afsdb.c | 268 ++++---------------------------
keyutils.spec | 2
man/request-key.8 | 31 +++-
man/request-key.conf.5 | 36 ++--
request-key.c | 419 +++++++++++++++++++++++++++++-------------------
6 files changed, 336 insertions(+), 422 deletions(-)
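The best-match rule from item (2), worked through in C as an added example. This is not code from keyutils or from these patches; it is an illustration of the scoring the cover letter describes. Assumptions: a config line is reduced to a struct of the op, type, description and callout-info patterns plus the program string; `*` is accepted anywhere in a pattern and any number of times (the real request-key.conf wildcard rules may be narrower); the first two sample lines are the ones quoted above, the third ("dns_*") is a hypothetical extra line constructed here to show that the leftmost column decides first; the key type, description and callout info fed in are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One parsed request-key.conf line: op type description callout-info program.
 * Simplified for this illustration; not keyutils' own representation. */
struct conf_line {
	const char *op, *type, *desc, *callout, *program;
};

/* Constructed sample configuration.  The first two lines are the ones in the
 * cover letter; the third ("dns_*") is hypothetical, added to show that the
 * type column is compared before the description column. */
const struct conf_line sample_conf[] = {
	{ "create", "dns_resolver", "*",       "*", "/sbin/key.dns_resolver %k" },
	{ "create", "dns_resolver", "afsdb:*", "*", "/sbin/dns_afsdb %k" },
	{ "create", "dns_*",        "afsdb:*", "*", "/sbin/key.dns_generic %k" },
};
#define SAMPLE_CONF_N (sizeof(sample_conf) / sizeof(sample_conf[0]))

/* The same lines in reverse order, to show the choice is order-independent. */
const struct conf_line sample_conf_reversed[] = {
	{ "create", "dns_*",        "afsdb:*", "*", "/sbin/key.dns_generic %k" },
	{ "create", "dns_resolver", "afsdb:*", "*", "/sbin/dns_afsdb %k" },
	{ "create", "dns_resolver", "*",       "*", "/sbin/key.dns_resolver %k" },
};

/* Glob match: '*' matches zero or more characters, anything else is literal.
 * (Assumption for this example; request-key's own matcher may be stricter.) */
bool glob_match(const char *p, const char *s)
{
	if (*p == '\0')
		return *s == '\0';
	if (*p == '*') {
		for (;; s++) {
			if (glob_match(p + 1, s))
				return true;
			if (*s == '\0')
				return false;
		}
	}
	return *p == *s && glob_match(p + 1, s + 1);
}

/* Number of characters swallowed by wildcards, or -1 if the pattern does not
 * match.  Each literal consumes exactly one character, so whatever is left of
 * the datum after the literals is what the wildcards skipped. */
int wildcard_cost(const char *p, const char *s)
{
	size_t literals = 0;

	if (!glob_match(p, s))
		return -1;
	for (const char *q = p; *q; q++)
		if (*q != '*')
			literals++;
	return (int)(strlen(s) - literals);
}

/* Lexicographic comparison of per-column costs: leftmost column first.
 * Equal costs are not "better", so the earlier line wins a tie. */
static bool cost_better(const int a[3], const int b[3])
{
	for (int c = 0; c < 3; c++)
		if (a[c] != b[c])
			return a[c] < b[c];
	return false;
}

/* Index of the best-matching line for the given key, or -1 if none matches.
 * The op column must match exactly; type, description and callout info are
 * scored by how many characters their wildcards had to skip. */
int find_best_match(const struct conf_line *conf, size_t n,
		    const char *op, const char *type,
		    const char *desc, const char *callout)
{
	int best = -1;
	int best_cost[3] = { 0, 0, 0 };

	for (size_t i = 0; i < n; i++) {
		int cost[3];

		if (strcmp(conf[i].op, op) != 0)
			continue;
		cost[0] = wildcard_cost(conf[i].type, type);
		cost[1] = wildcard_cost(conf[i].desc, desc);
		cost[2] = wildcard_cost(conf[i].callout, callout);
		if (cost[0] < 0 || cost[1] < 0 || cost[2] < 0)
			continue;
		if (best < 0 || cost_better(cost, best_cost)) {
			best = (int)i;
			memcpy(best_cost, cost, sizeof(cost));
		}
	}
	return best;
}

/* Convenience wrapper: the program string of the best line, or NULL. */
const char *best_program(const struct conf_line *conf, size_t n,
			 const char *op, const char *type,
			 const char *desc, const char *callout)
{
	int i = find_best_match(conf, n, op, type, desc, callout);
	return i < 0 ? NULL : conf[i].program;
}

int main(void)
{
	const char *descs[] = { "afsdb:example.com", "example.com" };

	for (size_t i = 0; i < 2; i++) {
		const char *prog = best_program(sample_conf, SAMPLE_CONF_N,
						"create", "dns_resolver",
						descs[i], "");
		printf("dns_resolver \"%s\" -> %s\n", descs[i],
		       prog ? prog : "(no match)");
	}
	return 0;
}
```

For "afsdb:example.com" the `afsdb:*` line skips 11 characters against 17 for the plain `*` line, so `/sbin/dns_afsdb` is chosen regardless of where it sits in the file; the hypothetical `dns_*` line loses because its type column already costs 8 and the type column is compared first. For "example.com" only the `*` line matches.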