From cb4b62a40352ccebae3a299f4327fa70fc7a0c5c Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Thu, 21 Jan 2010 15:41:49 -0800
Subject: [PATCH] Enable weak enctypes for aklog if supported by Kerberos

Current versions of both MIT Kerberos and Heimdal disable DES enctypes by default, but DES enctypes are still required for AFS service tickets. Probe for either krb5_allow_weak_crypto() (MIT Kerberos 1.8) or krb5_enctype_enable() (Heimdal) and, if found, call them to enable DES enctypes. If neither is found, assume that the Kerberos libraries are old enough that DES is enabled by default.

Change-Id: Ib5231bb7c2fe88f4c424628394ed08122d5710a1
Reviewed-on: http://gerrit.openafs.org/1141
Reviewed-by: Derrick Brashear
Tested-by: Derrick Brashear
---
 src/aklog/aklog.c | 13 +++++++++++++
 src/cf/kerberos.m4 | 2 +-
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/src/aklog/aklog.c b/src/aklog/aklog.c
index 1d8a380a3..0a1f915a1 100644
--- a/src/aklog/aklog.c
+++ b/src/aklog/aklog.c
@@ -1291,6 +1291,19 @@ int main(int argc, char *argv[])
 initialize_ktc_error_table ();
 afs_set_com_err_hook(redirect_errors);
+ /*
+ * Enable DES enctypes, which are currently still required for AFS.
+ * krb5_allow_weak_crypto is MIT Kerberos 1.8. krb5_enctype_enable is
+ * Heimdal.
+ */
+#if defined(HAVE_KRB5_ALLOW_WEAK_CRYPTO)
+ krb5_allow_weak_crypto(context, 1);
+#elif defined(HAVE_KRB5_ENCTYPE_ENABLE)
+ i = krb5_enctype_valid(context, ETYPE_DES_CBC_CRC);
+ if (i)
+ krb5_enctype_enable(context, ETYPE_DES_CBC_CRC);
+#endif
+
 /* Initialize list of cells to which we have authenticated */
 (void)ll_init(&authedcells);
diff --git a/src/cf/kerberos.m4 b/src/cf/kerberos.m4
index bc7140dac..caaaf44c2 100644
--- a/src/cf/kerberos.m4
+++ b/src/cf/kerberos.m4
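Review bot: In src/aklog/aklog.c the added `#if` block ignores the `krb5_error_code` returned by `krb5_allow_weak_crypto()` and `krb5_enctype_enable()`, so a library that refuses to re-enable DES lets aklog carry on and fail later with a less obvious ticket error. Capture the result and warn on failure, e.g. `if (krb5_allow_weak_crypto(context, 1) != 0)` followed by a message through the error reporting `main` already uses. In the Heimdal branch `if (i)` fires when `krb5_enctype_valid()` reports the enctype as not valid (it returns 0 on success), which reads backwards; `if (i != 0)` with a short comment would make that explicit. The block comment should also state that the downgrade applies to the whole `context` for the life of the process, and that the MIT call turns on every weak enctype while the Heimdal branch enables only `ETYPE_DES_CBC_CRC`. `main` starts and ends outside the hunk, so where `context` is initialised cannot be confirmed from here.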
@@ -65,7 +65,7 @@ if test X$conf_krb5 = XYES; then
 CPPFLAGS="$CPPFLAGS $KRB5CFLAGS"
 save_LIBS="$LIBS"
 LIBS="$LIBS $KRB5LIBS"
- AC_CHECK_FUNCS([add_to_error_table add_error_table krb5_princ_size krb5_principal_get_comp_string encode_krb5_enc_tkt_part encode_krb5_ticket krb5_c_encrypt krb5_decode_ticket krb5_get_prompt_types])
+ AC_CHECK_FUNCS([add_to_error_table add_error_table krb5_princ_size krb5_principal_get_comp_string encode_krb5_enc_tkt_part encode_krb5_ticket krb5_c_encrypt krb5_decode_ticket krb5_get_prompt_types krb5_allow_weak_crypto krb5_enctype_enable])
 AC_CHECK_FUNCS([krb5_524_convert_creds], ,
 [AC_CHECK_FUNCS([krb524_convert_creds_kdc], ,
 [AC_CHECK_LIB([krb524], [krb524_convert_creds_kdc],
--
2.39.5