Default to crypt mode for unix clients

Though the protection offered by rxkad, even with rxkad-k5 and rxkad-kdf, is
insufficient to protect traffic from a determined attacker, it remains the
case that the internet is not a safe place for user data to travel in the
clear, and has not been for a long time.  The Windows client encrypts by
default, and all or nearly all the Unix client packaging scripts set crypt
mode by default.  Catch up to reality and default to crypt mode in the
Unix cache manager.

Change-Id: If0061ddca3bedf0df1ade8cb61ccb710ec1181d4
Reviewed-on: https://gerrit.openafs.org/12668
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>

diff --git a/NEWS b/NEWS
index a9b6ca417e9270e2c4995fee676b314c93dafa4a..55cd568eb6f9c6111a027b17ee237ded5dea3cda 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -268,6 +268,10 @@ OpenAFS 1.8.0pre2
 
   All Client Platforms
 
+    * Use rxkad_crypt by default for connections to fileservers.  This matches
+      the existing behavior of the Windows client and has been applied by
+      the distribution packaging on many platforms already.
+
     * Add support for relative ACL changes with fs setacl. If a single plus (+)
       or minus (-) character is appended to the rights' letters argument, the
       new rights are computed relatively to the existing ones.

diff --git a/src/afs/afs_conn.c b/src/afs/afs_conn.c
index 56515c8c38f8df840a1d513b50f845e76e76b634..92e560c977e0d2e2116ab3032ebb70db8c12c336 100644 (file)
--- a/src/afs/afs_conn.c
+++ b/src/afs/afs_conn.c
@@ -44,7 +44,7 @@
 /* Exported variables */
 afs_rwlock_t afs_xconn;                /* allocation lock for new things */
 afs_rwlock_t afs_xinterface;   /* for multiple client address */
-afs_int32 cryptall = 0;                /* encrypt all communications */
+afs_int32 cryptall = 1;                /* encrypt all communications */
 
 /* some connection macros */