From 85d002123e5dea3de2499617d619253023335d8e Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Fri, 12 Aug 2011 14:48:32 +0200
Subject: [PATCH 1/2] added --delegation
Using this option with an argument being set to one of
none/policy/always instructs libcurl how to deal with GSS
credentials. Or rather how it tells the server that delegation is fine
or not.
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
src/main.c | 24 ++++++++++++++++++++++++
1 files changed, 24 insertions(+), 0 deletions(-)
diff --git a/src/main.c b/src/main.c
index 44dd2c4..0753429 100644
--- a/src/main.c
+++ b/src/main.c
@@ -359,6 +359,7 @@ struct Configurable {
int ftp_filemethod;
bool ignorecl; /* --ignore-content-length */
+ long gssapi_delegation;
};
#define WARN_PREFIX "Warning: "
@@ -489,6 +490,7 @@ static void help(void)
" --data-ascii <data> HTTP POST ASCII data (H)",
" --data-binary <data> HTTP POST binary data (H)",
" --negotiate Use HTTP Negotiate Authentication (H)",
+ " --delegation STRING GSS-API delegation permission",
" --digest Use HTTP Digest Authentication (H)",
" --disable-eprt Inhibit using EPRT or LPRT (F)",
" --disable-epsv Inhibit using EPSV (F)",
@@ -1097,6 +1099,18 @@ static int formparse(struct Configurable *config,
return 0;
}
+static long delegation(struct Configurable *config,
+ char *str)
+{
+ if(!strcasecmp("none", str))
+ return CURLGSSAPI_DELEGATION_NONE;
+ if(!strcasecmp("policy", str))
+ return CURLGSSAPI_DELEGATION_POLICY_FLAG;
+ if(!strcasecmp("always", str))
+ return CURLGSSAPI_DELEGATION_FLAG;
+ warnf(config, "unrecognized delegation method '%s', using none\n", str);
+ return CURLGSSAPI_DELEGATION_NONE;
+}
typedef enum {
PARAM_OK,
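Review bot: The three `strcasecmp()` calls in `delegation()` compare under the current locale, so if the tool has called setlocale() and the locale maps `i`/`I` differently from ASCII, an upper-case `POLICY` may fail to match and drop to the warning path. That path fails closed to `CURLGSSAPI_DELEGATION_NONE`, which is the safe direction, but the user gets only a warning and the transfer proceeds with a level they did not ask for. An ASCII-only comparison helper, if this tree has one in scope, would avoid the locale dependence. `str` is never written through, so `const char *str` would fit, and a one-line comment such as `/* map --delegation's argument to a CURLGSSAPI_DELEGATION_* value; unknown input warns and means none */` would document the fallback.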
@@ -1351,6 +1365,8 @@ static ParameterError getparameter(char *flag, /* f or -long-flag */
{"$v", "ftp-ssl-reqd", FALSE},
{"$w", "proxy-negotiate", FALSE},
+ {"$G", "delegation", TRUE},
+
{"0", "http1.0", FALSE},
{"1", "tlsv1", FALSE},
{"2", "sslv2", FALSE},
@@ -1798,6 +1814,9 @@ static ParameterError getparameter(char *flag, /* f or -long-flag */
else
return PARAM_LIBCURL_DOESNT_SUPPORT;
break;
+ case 'G': /* --delegation LEVEL */
+ config->gssapi_delegation = delegation(config, nextarg);
+ break;
}
break;
case '#': /* --progress-bar */
@@ -4029,6 +4048,11 @@ operate(struct Configurable *config, int argc, char *argv[])
/* curl x.xx.x */
curl_easy_setopt(curl, CURLOPT_FTP_ALTERNATIVE_TO_USER, config->ftp_alternative_to_user);
+ /* new in 7.22.0 */
+ if(config->gssapi_delegation)
+ curl_easy_setopt(curl, CURLOPT_GSSAPI_DELEGATION,
+ config->gssapi_delegation);
+
retry_numretries = config->req_retry;
retrystart = curlx_tvnow();
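Review bot: The `if(config->gssapi_delegation)` guard skips the setopt call when the value is `CURLGSSAPI_DELEGATION_NONE` (0 in curl.h, which is not shown here), so an explicit `--delegation none` is indistinguishable from the option being absent and depends on the library default being no delegation. For a control over credential forwarding it is safer to pass the chosen level unconditionally: `curl_easy_setopt(curl, CURLOPT_GSSAPI_DELEGATION, config->gssapi_delegation);`. The return value is also dropped, so a run-time libcurl that rejects the option would leave a requested level unenforced without any message; checking it and calling `warnf()` would surface that. operate() begins and ends outside this hunk.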
--
1.7.1
From 1a5566b1e84d0143899538f469596caf8f10d666 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Fri, 12 Aug 2011 23:51:41 +0200
Subject: [PATCH 2/2] docs: --delegation
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
docs/curl.1 | 12 ++++++++++++
1 files changed, 12 insertions(+), 0 deletions(-)
diff --git a/docs/curl.1 b/docs/curl.1
index 2658954..61bd4e9 100644
--- a/docs/curl.1
+++ b/docs/curl.1
@@ -256,6 +256,18 @@ the \fI--data-ascii\fP option, this is for you.
If this option is used several times, the ones following the first will
append data.
+.IP "--delegation LEVEL"
+Set \fILEVEL\fP to tell the server what it is allowed to delegate when it
+comes to user credentials. Used with GSS/kerberos.
+.RS
+.IP "none"
+Don't allow any delegation.
+.IP "policy"
+Delegates if and only if the OK-AS-DELEGATE flag is set in the Kerberos
+service ticket, which is a matter of realm policy.
+.IP "always"
+Unconditionally allow the server to delegate.
+.RE
.IP "--digest"
(HTTP) Enables HTTP Digest authentication. This is a authentication that
prevents the password from being sent over the wire in clear text. Use this in
--
1.7.1