OpenAFS Master Repository branch, openafs-stable-1_8_x, updated. openafs-stable-1_8_5-20-g20cd3ab
Gerrit Code Review
gerrit@openafs.org
Sun, 26 Jan 2020 06:57:15 -0500
The following commit has been merged in the openafs-stable-1_8_x branch:
commit 20cd3ab424dd8b68d8870582c817c6b190480205
Author: Benjamin Kaduk <kaduk@mit.edu>
Date: Thu Jul 11 21:07:35 2019 -0700
aklog: require opt-in to enable single-DES in libkrb5

Since the introduction of rxkad-k5 in response to OPENAFS-SA-2013-003,
it is not strictly necessary to configure libkrb5 to allow weak crypto
in order to obtain an AFS token. A sufficient amount of time has passed
since then that it is safe to assume that the default behavior is the
more-secure one, and require opt-in for the insecure behavior.

To indicate that the use of single-DES is quite risky, add the
"-insecure_des" argument to both klog and aklog, to gate the
preexisting calls that enable weak crypto/single-DES.

These calls, and the -insecure_des option, may be removed entirely
in a future commit.

Reviewed-on: https://gerrit.openafs.org/13689
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: Benjamin Kaduk <kaduk@mit.edu>
(cherry picked from commit eaae6eba8ca10ba7a5a20ee0d1b5f91bc2bac6c6)
Change-Id: I197042e12567fa0fed1b6584e85c3f0a520efa4c
Reviewed-on: https://gerrit.openafs.org/13791
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Cheyenne Wills <cwills@sinenomine.net>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
doc/man-pages/pod1/aklog.pod | 9 ++++++-
doc/man-pages/pod1/klog.krb5.pod | 10 +++++++-
src/aklog/aklog.c | 39 ++++++++++++++++++++++++-------------
src/aklog/klog.c | 13 ++++++++---
4 files changed, 49 insertions(+), 22 deletions(-)
--
OpenAFS Master Repository