git.michaelhowe.org Git - packages/o/openafs.git/commit
aklog: require opt-in to enable single-DES in libkrb5
author Benjamin Kaduk <kaduk@mit.edu>
Fri, 12 Jul 2019 04:07:35 +0000 (21:07 -0700)
committer Stephan Wiesand <stephan.wiesand@desy.de>
Sun, 26 Jan 2020 11:56:24 +0000 (06:56 -0500)
commit 20cd3ab424dd8b68d8870582c817c6b190480205
tree 48e8c7ffa35a38773576dbfa2cf464104e648529
parent b28a61fc0b633514c762e34a0b26350280e74405
aklog: require opt-in to enable single-DES in libkrb5

Since the introduction of rxkad-k5 in response to OPENAFS-SA-2013-003,
it is not strictly necessary to configure libkrb5 to allow weak crypto
in order to obtain an AFS token.  A sufficient amount of time has passed
since then that it is safe to assume that the default behavior is the
more-secure one, and require opt-in for the insecure behavior.

To indicate that the use of single-DES is quite risky, add the
"-insecure_des" argument to both klog and aklog, to gate the
preexisting calls that enable weak crypto/single-DES.
These calls, and the -insecure_des option, may be removed entirely
in a future commit.

Reviewed-on: https://gerrit.openafs.org/13689
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit eaae6eba8ca10ba7a5a20ee0d1b5f91bc2bac6c6)

Change-Id: I197042e12567fa0fed1b6584e85c3f0a520efa4c
Reviewed-on: https://gerrit.openafs.org/13791
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Cheyenne Wills <cwills@sinenomine.net>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
doc/man-pages/pod1/aklog.pod
doc/man-pages/pod1/klog.krb5.pod
src/aklog/aklog.c
src/aklog/klog.c