[OpenAFS] 'crypt' question
Jeffrey Hutzelman
jhutz@cmu.edu
Wed, 25 Oct 2006 18:20:31 -0400
On Wednesday, October 25, 2006 05:58:46 PM -0400 Robert Banz
<banz@umbc.edu> wrote:

> Is there a way (hacking the code is ok) to require, from the fileserver
> side, that authenticated clients encrypt content?

Almost, but not quite.

You can have the fileserver create its rxkad security objects with a
minimum protection level of rxkad_crypt. That will make it reject weaker
rxkad connections, but because of the way the protocol works, that doesn't
happen until the client has already sent the first packet (which could be
an RXAFS_StoreData containing some data, but that's fairly unlikely).

Also, there's little you can do to prevent unauthenticated connections.
Sure, you could configure the fileserver not to accept rxnull connections
at all, but I can't say how well things would work in that sort of
environment. It would be interesting, anyway.
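
The ordering described in the message above, as an added example that is not part of the original post and is not OpenAFS code: a small C model of why a server-side minimum of rxkad_crypt cannot protect the first packet. The names first_call, outcome and note are hypothetical, and treating every level below rxkad_crypt as readable is a simplifying assumption.

```c
#include <stdio.h>
#include <string.h>

/* rxkad protection levels, weakest to strongest. */
enum level { rxkad_clear, rxkad_auth, rxkad_crypt };

/* Hypothetical record of one simulated connection attempt. */
struct outcome {
    int accepted;        /* server kept the connection */
    int exposed_bytes;   /* call data sent unencrypted before the check */
    char trace[160];     /* message order, for printing */
};

static void note(struct outcome *o, const char *msg)
{
    strncat(o->trace, msg, sizeof(o->trace) - strlen(o->trace) - 1);
}

/* Simplified model (an assumption, not OpenAFS code): anything below
 * rxkad_crypt is treated as readable by an on-path observer. */
struct outcome first_call(enum level client, enum level server_min,
                          const char *data)
{
    struct outcome o = { 0, 0, "" };

    /* 1. The client opens the call and sends its first DATA packet,
     *    protected only at the level the client itself picked. */
    note(&o, "C->S DATA; ");
    if (client < rxkad_crypt)
        o.exposed_bytes = (int)strlen(data);

    /* 2-3. Only now does the server challenge, and the client's
     *      response tells the server which level is in use. */
    note(&o, "S->C CHALLENGE; C->S RESPONSE; ");

    /* 4. The minimum-level check runs after step 1 already happened. */
    o.accepted = client >= server_min;
    note(&o, o.accepted ? "S: accept" : "S->C ABORT");
    return o;
}

int main(void)
{
    /* Constructed sample payload. */
    struct outcome weak = first_call(rxkad_clear, rxkad_crypt, "constructed file data");
    struct outcome ok = first_call(rxkad_crypt, rxkad_crypt, "constructed file data");
    printf("clear: %s (exposed %d bytes)\n", weak.trace, weak.exposed_bytes);
    printf("crypt: %s (exposed %d bytes)\n", ok.trace, ok.exposed_bytes);
    return 0;
}
```

The rejected clear-level attempt still reports a non-zero exposed_bytes, which is the gap the message describes: enforcement on the server is reliable only for what follows the first packet, so requiring encryption also has to be configured on the clients.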