Commit c608941f authored by Dimitris Aragiorgis's avatar Dimitris Aragiorgis

Use AUTHENTICATION_METHOD setting

The valid authentication methods are:

 - plain (nsupdate)
 - bind9 (nsupdate -k)
 - kerberos (nsupdate -g)

The plain method assumes that the server allows updates without
authentication (e.g. allow-update { 192.0.2.1;};). The bind9 method
uses the -k option and requires a keyfile. The kerberos method uses
the -g option and requires a principal and a keytab. For backwards
compatibility if AUTHENTICATION_METHOD setting is missing in
defaults file we use bind9.
Signed-off-by: default avatarDimitris Aragiorgis <dimara@grnet.gr>
parent 6ea8e9ae
......@@ -371,13 +371,19 @@ get_eui64 () {
send_command () {
local command="$1"
log "* $command"
if [ -e "$KEYFILE" ]; then
if [ "$AUTHENTICATION_METHOD" == "bind9" ]; then
nsupdate_command="nsupdate -k $KEYFILE"
elif [ -n "$KERBEROS_PRINCIPAL" ]; then
elif [ "$AUTHENTICATION_METHOD" == "kerberos" ]; then
nsupdate_command="KR5BCCNAME=$KERBEROS_TICKET nsupdate -g"
k5start -k $KERBEROS_TICKET -u $KERBEROS_PRINCIPAL -f $KERBEROS_KEYTAB $KERBEROS_KSTART_ARGS
elif [ "$AUTHENTICATION_METHOD" == "plain" ]; then
nsupdate_command="nsupdate"
else
log "* Invalid authentication method: $AUTHENTICATION_METHOD."
return
fi
log "* $nsupdate_command"
log "* $command"
$nsupdate_command > /dev/null << EOF
server $SERVER
$command
......
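Review bot: The kerberos branch of send_command cannot authenticate as written: `$nsupdate_command` is expanded unquoted, and the shell does not treat a `NAME=value` word produced by an expansion as an environment assignment, so it tries to run a command literally named `KR5BCCNAME=…` instead of nsupdate. The variable is also spelled `KR5BCCNAME`, while the Kerberos libraries read `KRB5CCNAME`, so the ticket cache written by k5start would not be picked up even if the assignment took effect. That line looks unchanged by this commit in the rendering, but since the commit makes kerberos an explicitly selectable method it is worth fixing here, e.g. `nsupdate_command="env KRB5CCNAME=$KERBEROS_TICKET nsupdate -g"`. The invalid-method branch should also use `return 1`, because a bare `return` passes on the status of the preceding `log` call and callers cannot tell that no update was sent. The function body continues past the end of the hunk.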
......@@ -43,7 +43,6 @@ SERVER=""
FZONE=""
# the file with dns authorization keys
KEYFILE=""
MAC2EUI64="/usr/bin/mac2eui64"
# kerberos authentication settings
# Will be used with kstart and ktutil
......@@ -52,6 +51,9 @@ KERBEROS_KEYTAB=/etc/krb5.keytab
KERBEROS_KSTART_ARGS="-H 1 -l 1h"
KERBEROS_TICKET=/var/lib/snf-network/snf-network-kerberos.tkt
# Default authentication method
AUTHENTICATION_METHOD=bind9
source /etc/default/snf-network
source /usr/lib/snf-network/common.sh
......@@ -60,12 +62,14 @@ if [ -z "$SERVER" -o -z "$FZONE" ]; then
exit 0
fi
if [ -e "$KEYFILE" ]; then
log "Will use $KEYFILE keyfile for nsupdate."
elif [ -n "$KERBEROS_PRINCIPAL" ]; then
log "Will use $KERBEROS_PRINCIPAL kerberos principal for nsupdate."
if [ "$AUTHENTICATION_METHOD" == "bind9" -a -e "$KEYFILE" ]; then
log "Will use $KEYFILE keyfile for nsupdate (bind9 method)."
elif [ "$AUTHENTICATION_METHOD" == "kerberos" -a -n "$KERBEROS_PRINCIPAL" ]; then
log "Will use $KERBEROS_PRINCIPAL principal for nsupdate (kerberos method)."
elif [ "$AUTHENTICATION_METHOD" == "plain" ]; then
log "Will use no authentication (plain method)"
else
log "Neither KEYFILE nor KERBEROS_PRINCIPAL defined! Aborting.."
log "No AUTHENTICATION_METHOD defined! Aborting.."
exit 0
fi
......
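Review bot: With `AUTHENTICATION_METHOD=bind9` as the default, a host whose defaults file sets only KERBEROS_PRINCIPAL (no KEYFILE, no AUTHENTICATION_METHOD) now falls through to the final `else` and aborts, whereas the earlier `elif [ -n "$KERBEROS_PRINCIPAL" ]` check selected kerberos for it. The backwards-compatibility claim in the description therefore seems to hold only for keyfile setups. The abort message is also misleading, because that branch is reached when a method is set but its prerequisite is missing, or when the value is unknown, and not only when nothing is defined. I would log the actual cause, e.g. `log "AUTHENTICATION_METHOD '$AUTHENTICATION_METHOD' is invalid or its KEYFILE/KERBEROS_PRINCIPAL is missing! Aborting.."`, and add a comment next to the default saying that kerberos users must set `AUTHENTICATION_METHOD=kerberos` explicitly. Since the script then leaves with `exit 0`, that log line is the only signal an operator gets that DNS updates have stopped.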