[OpenAFS] 'crypt' question

Jeffrey Hutzelman jhutz@cmu.edu
Wed, 25 Oct 2006 18:20:31 -0400


On Wednesday, October 25, 2006 05:58:46 PM -0400 Robert Banz 
<banz@umbc.edu> wrote:

> Is there a way (hacking the code is ok) to require, from the fileserver
> side, that authenticated clients encrypt content?

Almost, but not quite.

You can have the fileserver create its rxkad security objects with a 
minimum protection level of rxkad_crypt.  That will make it reject weaker 
rxkad connections, but because of the way the protocol works, that doesn't 
happen until the client has already sent the first packet (which could be 
an RXAFS_StoreData containing some data, but that's fairly unlikely).

Also, there's little you can do to prevent unauthenticated connections. 
Sure, you could configure the fileserver not to accept rxnull connections 
at all, but I can't say how well things would work in that sort of 
environment.  It would be interesting, anyway.
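
The timing described in the reply above, as an added example that is not part of the original post and not OpenAFS code: a simplified C model in which the first call packet is already on the wire before the server's challenge and response exchange can check the protection level. The names `connect_and_call`, `struct server`, `struct verdict` and the `SEC_*` constants are hypothetical, and the three-packet exchange is an assumed simplification of the rxkad handshake.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model, not OpenAFS code. Levels are ordered weakest to
 * strongest; SEC_NULL stands for an unauthenticated rxnull connection. */
enum sec { SEC_NULL = -1, SEC_CLEAR = 0, SEC_AUTH = 1, SEC_CRYPT = 2 };

struct server  { enum sec min_level; int allow_rxnull; };
struct verdict { int accepted; size_t exposed; int packets; };

/* Simulate a client opening a connection and issuing its first call. */
struct verdict connect_and_call(const struct server *s, enum sec client, size_t payload)
{
    struct verdict v = { 0, 0, 0 };

    /* Packet 1: the client sends its first call packet straight away,
     * protected only at the level the client itself picked. Anything
     * below crypt leaves the payload readable on the wire. */
    v.packets = 1;
    if (client != SEC_CRYPT)
        v.exposed = payload;

    if (client == SEC_NULL) {      /* rxnull: no challenge, policy decision only */
        v.accepted = s->allow_rxnull;
        return v;
    }

    /* Packets 2 and 3: server challenge, then the client response that
     * carries its level. Only now can the server compare it to the minimum. */
    v.packets += 2;
    v.accepted = (client >= s->min_level);
    return v;
}

int main(void)
{
    struct server strict = { SEC_CRYPT, 1 };  /* crypt required, rxnull still allowed */
    const enum sec levels[] = { SEC_NULL, SEC_CLEAR, SEC_AUTH, SEC_CRYPT };
    const char *names[]     = { "rxnull", "clear", "auth", "crypt" };

    for (int i = 0; i < 4; i++) {
        struct verdict v = connect_and_call(&strict, levels[i], 1024);
        printf("%-6s accepted=%d exposed=%zu bytes after %d packet(s)\n",
               names[i], v.accepted, v.exposed, v.packets);
    }
    return 0;
}
```

In this model a client at the auth level is rejected, but only after its 1024-byte first payload has crossed the network unencrypted, and an rxnull client is never challenged at all.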