From: Andrew Deason
Date: Mon, 10 Jun 2013 22:49:12 +0000 (-0500)
Subject: Avoid calling afsconf_GetLatestKey directly
X-Git-Tag: upstream/1.6.5^2~4
X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=d2024c158e3a879305ff17cf726d3958f20677f4;p=packages%2Fo%2Fopenafs.git
Avoid calling afsconf_GetLatestKey directly
Don't call afsconf_GetLatestKey to determine whether we can print our own local tokens, since we may have keytab 'local' keys, but no DES keys. Just try to construct them and see if it fails, using afsconf_PickClientSecObj or afsconf_ClientAuth{,Secure} as appropriate.
---
diff --git a/src/ptserver/ptserver.c b/src/ptserver/ptserver.c
index 13786c02a..4c30eb912 100644
--- a/src/ptserver/ptserver.c
+++ b/src/ptserver/ptserver.c
@@ -210,7 +210,6 @@ main(int argc, char **argv)
 struct rx_service *tservice;
 struct rx_securityClass **securityClasses;
 afs_int32 numClasses;
- int kerberosKeys; /* set if found some keys */
 int lwps = 3;
 char clones[MAXHOSTSPERCELL];
 afs_uint32 host = htonl(INADDR_ANY);
@@ -455,16 +454,6 @@ main(int argc, char **argv)
 pr_realmName = info.name;
 {
- afs_int32 kvno; /* see if there is a KeyFile here */
- struct ktc_encryptionKey key;
- code = afsconf_GetLatestKey(prdir, &kvno, &key);
- kerberosKeys = (code == 0);
- if (!kerberosKeys)
- printf
- ("ptserver: can't find any Kerberos keys, code = %d, ignoring\n",
- code);
- }
- if (kerberosKeys) {
 /* initialize ubik */
 ubik_CRXSecurityProc = afsconf_ClientAuth;
 ubik_CRXSecurityRock = prdir;
diff --git a/src/ptserver/ptuser.c b/src/ptserver/ptuser.c
index fb7aa0377..501fada05 100644
--- a/src/ptserver/ptuser.c
+++ b/src/ptserver/ptuser.c
@@ -292,16 +292,13 @@ pr_Initialize(IN afs_int32 secLevel, IN const char *confDir, IN char *cell)
 * to force use of the KeyFile. secLevel == 0 implies -noauth was
 * specified. */
 if (secLevel == 2) {
- code = afsconf_GetLatestKey(tdir, 0, 0);
+ secFlags = AFSCONF_SECOPTS_LOCALAUTH;
+ secFlags |= AFSCONF_SECOPTS_ALWAYSENCRYPT;
+ code = afsconf_PickClientSecObj(tdir, secFlags, &info, cell, &sc, &scIndex, NULL);
 if (code) {
 afs_com_err(whoami, code, "(getting key from local KeyFile)\n");
- } else {
- /* If secLevel is two assume we're on a file server and use
- * ClientAuthSecure if possible. */
- code = afsconf_ClientAuthSecure(tdir, &sc, &scIndex);
- if (code)
- afs_com_err(whoami, code, "(calling client secure)\n");
 }
+
 } else if (secLevel > 0) {
 secFlags = 0;
 if (secLevel > 1)
diff --git a/src/viced/host.c b/src/viced/host.c
index 9921912e6..5e4739d60 100644
--- a/src/viced/host.c
+++ b/src/viced/host.c
@@ -305,15 +305,12 @@ hpr_Initialize(struct ubik_client **uclient)
 /* Most callers use secLevel==1, however, the fileserver uses secLevel==2
 * to force use of the KeyFile. secLevel == 0 implies -noauth was
 * specified. */
- if ((afsconf_GetLatestKey(tdir, 0, 0) == 0)) {
- code = afsconf_ClientAuthSecure(tdir, &sc, &scIndex);
- if (code)
- ViceLog(0, ("hpr_Initialize: clientauthsecure returns %d %s (so trying noauth)", code, afs_error_message(code)));
- if (code)
- scIndex = RX_SECIDX_NULL;
- } else {
- afsconf_ClientAuthToken(&info, 0, &sc, &scIndex, NULL);
- }
+ code = afsconf_ClientAuthSecure(tdir, &sc, &scIndex);
+ if (code)
+ ViceLog(0, ("hpr_Initialize: clientauthsecure returns %d %s (so trying noauth)", code, afs_error_message(code)));
+ if (code)
+ scIndex = RX_SECIDX_NULL;
+
 if ((scIndex == RX_SECIDX_NULL) && (sc == NULL))
 sc = rxnull_NewClientSecurityObject();
 if (scIndex == RX_SECIDX_NULL)
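Review bot: In src/ptserver/ptuser.c the failure branch after afsconf_PickClientSecObj still prints `(getting key from local KeyFile)`, which is stale now that, per the commit message, the local key may be a keytab key rather than a DES key; a neutral text such as `afs_com_err(whoami, code, "(getting local key)\n");` would not send an operator to the wrong file. The branch also only logs and falls through, whereas the matching path in src/viced/host.c sets `scIndex = RX_SECIDX_NULL` on failure; whether a failed afsconf_PickClientSecObj leaves `sc` and `scIndex` untouched is not visible here, so resetting them in this branch would be safer. Because secLevel == 2 requests LOCALAUTH together with ALWAYSENCRYPT, it is worth confirming in the rest of pr_Initialize, which continues outside the hunk, that this failure cannot quietly end in an unauthenticated connection.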
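Review bot: In src/viced/host.c the two back-to-back `if (code)` tests carried over into the new lines read as if they guard different conditions; one braced block, `if (code) { ViceLog(...); scIndex = RX_SECIDX_NULL; }`, states the fallback once. That fallback is security-relevant: when afsconf_ClientAuthSecure fails, the code continues with RX_SECIDX_NULL and an rxnull security object, and with the afsconf_ClientAuthToken branch gone this unauthenticated path is now the only fallback. I would document it at the assignment, e.g. `/* No usable local key: fall back to an unauthenticated rxnull connection. */`. The rxnull object is created only when `sc == NULL`, so it should also be confirmed that `sc` is still NULL after a failed call. hpr_Initialize starts and ends outside the hunk.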