From: Andrew Deason
Date: Mon, 10 Jun 2013 22:49:12 +0000 (-0500)
Subject: Avoid calling afsconf_GetLatestKey directly
X-Git-Tag: debian/1.6.1-3+deb7u1~9
X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=2e431de846c64e98a8a0ed53aa01aa10da8963ee;p=packages%2Fo%2Fopenafs.git
Avoid calling afsconf_GetLatestKey directly
Don't call afsconf_GetLatestKey to determine whether we can print our own local tokens, since we may have keytab 'local' keys, but no DES keys. Just try to construct them and see if it fails, using afsconf_PickClientSecObj or afsconf_ClientAuth{,Secure} as appropriate.
---
diff --git a/src/ptserver/ptserver.c b/src/ptserver/ptserver.c
index 53925ae06..4f5b21a83 100644
--- a/src/ptserver/ptserver.c
+++ b/src/ptserver/ptserver.c
@@ -210,7 +210,6 @@ main(int argc, char **argv)
 struct rx_service *tservice;
 struct rx_securityClass **securityClasses;
 afs_int32 numClasses;
- int kerberosKeys; /* set if found some keys */
 int lwps = 3;
 char clones[MAXHOSTSPERCELL];
 afs_uint32 host = htonl(INADDR_ANY);
@@ -455,16 +454,6 @@ main(int argc, char **argv)
 pr_realmName = info.name;
 {
- afs_int32 kvno; /* see if there is a KeyFile here */
- struct ktc_encryptionKey key;
- code = afsconf_GetLatestKey(prdir, &kvno, &key);
- kerberosKeys = (code == 0);
- if (!kerberosKeys)
- printf
- ("ptserver: can't find any Kerberos keys, code = %d, ignoring\n",
- code);
- }
- if (kerberosKeys) {
 /* initialize ubik */
 ubik_CRXSecurityProc = afsconf_ClientAuth;
 ubik_CRXSecurityRock = prdir;
diff --git a/src/ptserver/ptuser.c b/src/ptserver/ptuser.c
index 538b6dcd5..b65447281 100644
--- a/src/ptserver/ptuser.c
+++ b/src/ptserver/ptuser.c
@@ -292,16 +292,13 @@ pr_Initialize(IN afs_int32 secLevel, IN const char *confDir, IN char *cell)
 * to force use of the KeyFile. secLevel == 0 implies -noauth was
 * specified. */
 if (secLevel == 2) {
- code = afsconf_GetLatestKey(tdir, 0, 0);
+ secFlags = AFSCONF_SECOPTS_LOCALAUTH;
+ secFlags |= AFSCONF_SECOPTS_ALWAYSENCRYPT;
+ code = afsconf_PickClientSecObj(tdir, secFlags, &info, cell, &sc, &scIndex, NULL);
 if (code) {
 afs_com_err(whoami, code, "(getting key from local KeyFile)\n");
- } else {
- /* If secLevel is two assume we're on a file server and use
- * ClientAuthSecure if possible. */
- code = afsconf_ClientAuthSecure(tdir, &sc, &scIndex);
- if (code)
- afs_com_err(whoami, code, "(calling client secure)\n");
 }
+
 } else if (secLevel > 0) {
 secFlags = 0;
 if (secLevel > 1)
diff --git a/src/viced/host.c b/src/viced/host.c
index ee5c1620e..8b9cacd2e 100644
--- a/src/viced/host.c
+++ b/src/viced/host.c
@@ -305,15 +305,12 @@ hpr_Initialize(struct ubik_client **uclient)
 /* Most callers use secLevel==1, however, the fileserver uses secLevel==2
 * to force use of the KeyFile. secLevel == 0 implies -noauth was
 * specified. */
- if ((afsconf_GetLatestKey(tdir, 0, 0) == 0)) {
- code = afsconf_ClientAuthSecure(tdir, &sc, &scIndex);
- if (code)
- ViceLog(0, ("hpr_Initialize: clientauthsecure returns %d %s (so trying noauth)", code, afs_error_message(code)));
- if (code)
- scIndex = RX_SECIDX_NULL;
- } else {
- afsconf_ClientAuthToken(&info, 0, &sc, &scIndex, NULL);
- }
+ code = afsconf_ClientAuthSecure(tdir, &sc, &scIndex);
+ if (code)
+ ViceLog(0, ("hpr_Initialize: clientauthsecure returns %d %s (so trying noauth)", code, afs_error_message(code)));
+ if (code)
+ scIndex = RX_SECIDX_NULL;
+
 if ((scIndex == RX_SECIDX_NULL) && (sc == NULL))
 sc = rxnull_NewClientSecurityObject();
 if (scIndex == RX_SECIDX_NULL)
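Review bot: In the `secLevel == 2` branch of pr_Initialize (src/ptserver/ptuser.c) the failure message still reads `(getting key from local KeyFile)`, although the call is now `afsconf_PickClientSecObj` with `AFSCONF_SECOPTS_LOCALAUTH`, which per the commit message may be satisfied by keytab 'local' keys with no DES key in the KeyFile, so the log points an operator at the wrong place. A message such as `afs_com_err(whoami, code, "(constructing local auth security object)\n");` would match the new behaviour, and the context comment `to force use of the KeyFile` deserves the same update. On failure the error is only reported and execution continues; what happens to `sc` and `scIndex` afterwards is outside the hunk, so it is worth confirming that a secLevel 2 caller cannot end up on an unauthenticated connection without a clear warning.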
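Review bot: With the `afsconf_ClientAuthToken` branch removed in hpr_Initialize (src/viced/host.c), any failure of `afsconf_ClientAuthSecure` now leads straight to `scIndex = RX_SECIDX_NULL` and, in the context lines that follow when `sc` is still NULL, to `rxnull_NewClientSecurityObject()`, so the caller carries on over an unauthenticated connection with a single ViceLog line as the only trace. The fallback itself predates this commit, but it is now the sole failure path and should be stated in a comment, e.g. `/* No usable local key: fall back to an unauthenticated (rxnull) connection; replies on it are not integrity-protected. */`. The two consecutive `if (code)` tests would read better as one braced block, `if (code) { ViceLog(...); scIndex = RX_SECIDX_NULL; }`. hpr_Initialize starts before and continues past the hunk, so how `sc` is initialised and later used cannot be checked from here.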