Enable weak enctypes for klog.krb5 if supported by Kerberos

The same as cb4b62a40352ccebae3a299f4327fa70fc7a0c5c, but for klog.krb5.

Current versions of both MIT Kerberos and Heimdal disable DES enctypes
by default, but DES enctypes are still required for AFS service tickets.
Probe for either krb5_allow_weak_crypto() (MIT Kerberos 1.8) or
krb5_enctype_enable() (Heimdal) and, if found, call them to enable DES
enctypes.  If neither is found, assume that the Kerberos libraries are
old enough that DES is enabled by default.

Change-Id: I99c93621c847f6edcc485207f5b6b99b2370b347
Reviewed-on: http://gerrit.openafs.org/1144
Tested-by: Russ Allbery <rra@stanford.edu>
Reviewed-by: Derrick Brashear <shadow@dementia.org>
(cherry picked from commit f02ab3339d01bca414fe705f3a990a1db146f29b)
Reviewed-on: http://gerrit.openafs.org/1148
Tested-by: Derrick Brashear <shadow@dementia.org>

diff --git a/src/aklog/klog.c b/src/aklog/klog.c
index 2caeed1c8e2d0dc8aed23661eb1897a0cac81be7..3b8573924a04a4eb3ebe57647e582c3def997fa7 100644 (file)
--- a/src/aklog/klog.c
+++ b/src/aklog/klog.c
@@ -414,6 +414,19 @@ CommandProc(struct cmd_syndesc *as, char *arock)
        KLOGEXIT(1);
     }
 
+    /*
+     * Enable DES enctypes, which are currently still required for AFS.
+     * krb5_allow_weak_crypto is MIT Kerberos 1.8.  krb5_enctype_enable is
+     * Heimdal.
+     */
+#if defined(HAVE_KRB5_ALLOW_WEAK_CRYPTO)
+    krb5_allow_weak_crypto(k5context, 1);
+#elif defined(HAVE_KRB5_ENCTYPE_ENABLE)
+    i = krb5_enctype_valid(k5context, ETYPE_DES_CBC_CRC);
+    if (i)
+        krb5_enctype_enable(k5context, ETYPE_DES_CBC_CRC);
+#endif
+
     /* Parse remaining arguments. */
 
     dosetpag = !! as->parms[aSETPAG].items;