diff --git a/src/libvirt_sasl.syms b/src/libvirt_sasl.syms
index 723c59787b..405ba1813e 100644
--- a/src/libvirt_sasl.syms
+++ b/src/libvirt_sasl.syms
@@ -7,6 +7,7 @@ virNetClientSetSASLSession;
 # rpc/virnetsaslcontext.h
 virNetSASLContextCheckIdentity;
+virNetSASLContextGetTCPMinSSF;
 virNetSASLContextNewClient;
 virNetSASLContextNewServer;
 virNetSASLSessionClientStart;
diff --git a/src/remote/remote_daemon.c b/src/remote/remote_daemon.c
index 7076fe3294..b534cb3e37 100644
--- a/src/remote/remote_daemon.c
+++ b/src/remote/remote_daemon.c
@@ -405,7 +405,8 @@ daemonSetupNetworking(virNetServer *srv,
 #if WITH_SASL
 if (virNetServerNeedsAuth(srv, REMOTE_AUTH_SASL) && !(saslCtxt = virNetSASLContextNewServer(
- (const char *const*)config->sasl_allowed_username_list)))
+ (const char *const*)config->sasl_allowed_username_list,
+ 56)))
 return -1;
 #endif
diff --git a/src/remote/remote_daemon_dispatch.c b/src/remote/remote_daemon_dispatch.c
index bcfeadc2ae..96983e7937 100644
--- a/src/remote/remote_daemon_dispatch.c
+++ b/src/remote/remote_daemon_dispatch.c
@@ -3695,7 +3695,7 @@ remoteDispatchAuthSaslInit(virNetServer *server G_GNUC_UNUSED,
 else /* Plain TCP, better get an SSF layer */ virNetSASLSessionSecProps(sasl,
- 56, /* Good enough to require kerberos */
+ virNetSASLContextGetTCPMinSSF(saslCtxt),
 100000, /* Arbitrary big number */ false); /* No anonymous */
diff --git a/src/rpc/virnetsaslcontext.c b/src/rpc/virnetsaslcontext.c
index 189e70d01a..ede434ed4a 100644
--- a/src/rpc/virnetsaslcontext.c
+++ b/src/rpc/virnetsaslcontext.c
@@ -37,6 +37,7 @@ struct _virNetSASLContext {
 virObjectLockable parent;
 const char *const *usernameACL;
+ unsigned int tcpMinSSF;
 };
 struct _virNetSASLSession {
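Review bot: The new `56` passed to virNetSASLContextNewServer() in daemonSetupNetworking() is a bare magic number, and the only explanation of it in the tree, the `/* Good enough to require kerberos */` comment, is removed by this same commit in remote_daemon_dispatch.c, so nothing now tells a reader that lowering this value relaxes which SASL mechanisms may be negotiated over plain TCP (if it carries the usual Cyrus SASL min_ssf meaning). At minimum carry the rationale to the call site, e.g. `56))) /* min SSF over plain TCP; good enough to require kerberos */`, or give the value a name next to the prototype in virnetsaslcontext.h so this default and the dispatch code stay tied together. `config` is already in scope here, so if the plan is a configurable value, this is also where it would need a lower bound before being handed to the context. daemonSetupNetworking() starts and ends outside the hunk.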
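Review bot: The minimum SSF for the plain-TCP branch of remoteDispatchAuthSaslInit() is now whatever the context carries, but nothing records the effective value, so once this stops being a compile-time constant an operator cannot tell from the logs which floor a connection was negotiated under; the surviving comment `/* Plain TCP, better get an SSF layer */` is also only true if that value is non-zero. Consider logging it at debug level before the call, e.g. `VIR_DEBUG("Plain TCP SASL: requiring min SSF %u", virNetSASLContextGetTCPMinSSF(saslCtxt));`, assuming this file already uses the virlog macros. `saslCtxt` is assigned in daemonSetupNetworking() in remote_daemon.c, and whether it can be NULL when this branch runs is not visible from the hunk; the rest of remoteDispatchAuthSaslInit() is outside it.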
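Review bot: The new `tcpMinSSF` member of struct _virNetSASLContext has no comment, and neither its units nor the transport it applies to can be inferred from the struct itself; the only hint is the `else /* Plain TCP */` call in remoteDispatchAuthSaslInit() in another file. A one-line field comment would do, e.g. `unsigned int tcpMinSSF; /* min SASL SSF required for sessions over plain TCP (presumably the non-TLS case) */`. Hedge the TLS part if the other branch of that dispatcher does not turn out to be TLS, since it is not shown in the diff.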
@@ -121,7 +122,8 @@ virNetSASLContext *virNetSASLContextNewClient(void)
 return ctxt;
 }
-virNetSASLContext *virNetSASLContextNewServer(const char *const *usernameACL)
+virNetSASLContext *virNetSASLContextNewServer(const char *const *usernameACL,
+ unsigned int tcpMinSSF)
 {
 virNetSASLContext *ctxt;
@@ -133,6 +135,7 @@ virNetSASLContext *virNetSASLContextNewServer(const char *const *usernameACL)
 return NULL;
 ctxt->usernameACL = usernameACL;
+ ctxt->tcpMinSSF = tcpMinSSF;
 return ctxt;
 }
@@ -175,6 +178,12 @@ int virNetSASLContextCheckIdentity(virNetSASLContext *ctxt,
 }
+unsigned int virNetSASLContextGetTCPMinSSF(virNetSASLContext *ctxt)
+{
+ return ctxt->tcpMinSSF;
+}
+
+
 virNetSASLSession *virNetSASLSessionNewClient(virNetSASLContext *ctxt G_GNUC_UNUSED, const char *service, const char *hostname,
diff --git a/src/rpc/virnetsaslcontext.h b/src/rpc/virnetsaslcontext.h
index 33a75e71a0..7202822e5b 100644
--- a/src/rpc/virnetsaslcontext.h
+++ b/src/rpc/virnetsaslcontext.h
@@ -36,11 +36,14 @@ enum {
 };
 virNetSASLContext *virNetSASLContextNewClient(void);
-virNetSASLContext *virNetSASLContextNewServer(const char *const *usernameACL);
+virNetSASLContext *virNetSASLContextNewServer(const char *const *usernameACL,
+ unsigned int min_ssf);
 int virNetSASLContextCheckIdentity(virNetSASLContext *ctxt, const char *identity);
+unsigned int virNetSASLContextGetTCPMinSSF(virNetSASLContext *ctxt);
+
 virNetSASLSession *virNetSASLSessionNewClient(virNetSASLContext *ctxt, const char *service, const char *hostname,
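Review bot: `ctxt->tcpMinSSF = tcpMinSSF;` in virNetSASLContextNewServer() stores the caller's value with no validation, and that value later becomes the min_ssf handed to virNetSASLSessionSecProps() for plain-TCP sessions; if it follows the usual Cyrus SASL meaning, 0 removes the requirement for a security layer entirely, which is exactly the misconfiguration a future config option would make possible. Since the only caller today passes a constant, a warning is enough for now, e.g. `if (tcpMinSSF == 0) VIR_WARN("SASL min SSF over TCP is 0: mechanisms without a security layer will be accepted");` before the assignment, assuming virlog is available in this file; a hard floor can be decided when the config knob lands. The function's opening and the allocation guarded by `return NULL` are in the previous hunk and outside this one respectively.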
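Review bot: virNetSASLContextGetTCPMinSSF() reads `ctxt->tcpMinSSF` without taking the object lock even though the context is a virObjectLockable; that is fine only because the field is written exactly once, in virNetSASLContextNewServer(), and nothing in the diff changes it afterwards, but the invariant is unstated for whoever adds a setter later. A comment above the function would capture it: `/* tcpMinSSF is fixed at construction time and never changed, so no lock is needed here. */`. It would also be worth saying that the value is only meaningful for a context from virNetSASLContextNewServer(); whether virNetSASLContextNewClient() leaves the field zeroed depends on the allocator, whose body is outside the hunk. `ctxt` is dereferenced unchecked, so the contract should state that callers pass a non-NULL context.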
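Review bot: The prototype of virNetSASLContextNewServer() names the new parameter `min_ssf` while the definition in virnetsaslcontext.c calls it `tcpMinSSF`; pick one, preferably `tcpMinSSF`, since it also says which transport the floor applies to and matches the getter's name. Neither new declaration carries a comment, and SSF is not a self-explaining unit: a short block above the prototype stating that it is the minimum SASL security strength factor required for sessions over plain TCP, consumed by the `else /* Plain TCP */` branch of remoteDispatchAuthSaslInit(), and that 0 disables the requirement if that is the intended semantics, would save the next reader a trip to the Cyrus SASL documentation. A matching one-liner on virNetSASLContextGetTCPMinSSF() noting it is only meaningful for server contexts completes the picture.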