Enable weak enctypes for aklog if supported by Kerberos
authorRuss Allbery <rra@stanford.edu>
Fri, 22 Jan 2010 19:04:10 +0000 (11:04 -0800)
committerDerrick Brashear <shadow|account-1000005@unknown>
Fri, 22 Jan 2010 19:33:36 +0000 (11:33 -0800)
Current versions of both MIT Kerberos and Heimdal disable DES enctypes
by default, but DES enctypes are still required for AFS service tickets.
Probe for either krb5_allow_weak_crypto() (MIT Kerberos 1.8) or
krb5_enctype_enable() (Heimdal) and, if found, call them to enable DES
enctypes.  If neither is found, assume that the Kerberos libraries are
old enough that DES is enabled by default.

Change-Id: Ib5231bb7c2fe88f4c424628394ed08122d5710a1
Reviewed-on: http://gerrit.openafs.org/1141
Reviewed-by: Derrick Brashear <shadow@dementia.org>
Tested-by: Derrick Brashear <shadow@dementia.org>
(cherry picked from commit cb4b62a40352ccebae3a299f4327fa70fc7a0c5c)
Reviewed-on: http://gerrit.openafs.org/1145
Tested-by: Russ Allbery <rra@stanford.edu>
src/aklog/aklog_main.c
src/cf/kerberos.m4

index e6cee5531823c936c460c8a860740cefe0848bbc..a3df62b61d86f9f40a4bf61b2ab825a1931b6642 100644 (file)
@@ -1258,6 +1258,19 @@ void aklog(int argc, char *argv[])
     krb5_init_context(&context);
     initialize_ktc_error_table ();
 
+    /*
+     * Enable DES enctypes, which are currently still required for AFS.
+     * krb5_allow_weak_crypto is MIT Kerberos 1.8.  krb5_enctype_enable is
+     * Heimdal.
+     */
+#if defined(HAVE_KRB5_ALLOW_WEAK_CRYPTO)
+    krb5_allow_weak_crypto(context, 1);
+#elif defined(HAVE_KRB5_ENCTYPE_ENABLE)
+    i = krb5_enctype_valid(context, ETYPE_DES_CBC_CRC);
+    if (i)
+        krb5_enctype_enable(context, ETYPE_DES_CBC_CRC);
+#endif
+
     /* Initialize list of cells to which we have authenticated */
     (void)ll_init(&authedcells);
 
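Review bot: Both enabling calls in the added block discard their result, so if `krb5_allow_weak_crypto(context, 1);` or `krb5_enctype_enable(context, ETYPE_DES_CBC_CRC);` fails, the user presumably only sees a later enctype error with nothing pointing at the cause. I would at least warn, e.g. `if (krb5_allow_weak_crypto(context, 1) != 0) fprintf(stderr, "%s: cannot enable DES enctypes\n", argv[0]);`, and do the same in the Heimdal branch. The comment should also state that this deliberately overrides a site's `allow_weak_crypto` setting, for the context aklog creates here. It should note too that the MIT call enables every enctype the library classes as weak, while the Heimdal branch enables only `ETYPE_DES_CBC_CRC`; that makes the scope of the downgrade clear and the block easy to remove once AFS no longer needs DES. The context comes from the unchecked `krb5_init_context(&context)` just above, and the rest of aklog() lies outside the hunk.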
index f0bed24e39e46079154f40f217e51f153f93cb41..8ddffe0eab5e0f8b48f1b502b768db2c81fbe98a 100644 (file)
@@ -60,7 +60,7 @@ if test X$conf_krb5 = XYES; then
        CPPFLAGS="$CPPFLAGS $KRB5CFLAGS"
        save_LIBS="$LIBS"
        LIBS="$LIBS $KRB5LIBS"
-       AC_CHECK_FUNCS([add_to_error_table add_error_table krb5_princ_size krb5_principal_get_comp_string encode_krb5_enc_tkt_part encode_krb5_ticket krb5_c_encrypt krb5_c_encrypt_length krb5_cc_register krb5_decode_ticket krb5_get_prompt_types])
+       AC_CHECK_FUNCS([add_to_error_table add_error_table krb5_princ_size krb5_principal_get_comp_string encode_krb5_enc_tkt_part encode_krb5_ticket krb5_c_encrypt krb5_c_encrypt_length krb5_cc_register krb5_decode_ticket krb5_get_prompt_types krb5_allow_weak_crypto krb5_enctype_enable])
        AC_CHECK_FUNCS([krb5_524_convert_creds], ,
            [AC_CHECK_FUNCS([krb524_convert_creds_kdc], ,
                [AC_CHECK_LIB([krb524], [krb524_convert_creds_kdc],
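Review bot: Only `krb5_enctype_enable` is added to the probe list, but the code guarded by HAVE_KRB5_ENCTYPE_ENABLE in src/aklog/aklog_main.c also calls `krb5_enctype_valid` and uses `ETYPE_DES_CBC_CRC`, and AC_CHECK_FUNCS tests linkability only. That is probably fine on Heimdal, but the assumption deserves a comment above the check, e.g. `dnl krb5_allow_weak_crypto (MIT 1.8) / krb5_enctype_enable (Heimdal): aklog uses these to re-enable DES`. When neither function is found, configure says nothing about the fallback of assuming DES is on by default; a short notice there would help whoever debugs a build where DES tickets fail. The enclosing `if test X$conf_krb5 = XYES` block starts and ends outside the hunk.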