pts-encrypt-option-20090512

LICENSE IPL10
FIXES 124681

add -encrypt flag to pts generic options, allowing the wire to be
encrypted if desired and the user's authenticated. document same.

doc/man-pages/pod1/pts.pod

@@ -129,6 +129,12 @@ privileged users to issue commands that change the Protection Database,
 and refuses to perform such an action even if the B<-noauth> flag is
 provided.
 
+=item B<-encrypt>
+
+Establishes an authenticated, encrypted connection to the Protection Server.
+It is useful when it is desired to obscure network traffic related to the
+transactions being done.
+
 =item B<-localauth>
 
 Constructs a server ticket using the server encryption key with the

src/ptserver/pts.c

@@ -184,6 +184,10 @@ GetGlobals(struct cmd_syndesc *as, void *arock)
 	changed = 1;
 	sec = 1;
     }
+    if (as->parms[22].items) { /* -encrypt */
+	changed = 1;
+	sec = 3;
+    }
     if (as->parms[18].items || as->parms[20].items) { /* -test, -localauth */
 	changed = 1;
 	confdir = AFSDIR_SERVER_ETC_DIRPATH;
@@ -1031,6 +1035,8 @@ add_std_args(struct cmd_syndesc *ts)
 		"use local authentication");
     cmd_AddParm(ts, "-auth", CMD_FLAG, CMD_OPTIONAL,
 		"use user's authentication (default)");
+    cmd_AddParm(ts, "-encrypt", CMD_FLAG, CMD_OPTIONAL,
+		"encrypt commands");
 }
 
 /*

src/ptserver/ptuser.c

@@ -201,6 +201,8 @@ pr_Initialize(IN afs_int32 secLevel, IN const char *confDir, IN char *cell)
 	code = ktc_GetToken(&sname, &ttoken, sizeof(ttoken), NULL);
 	if (code) {
 	    afs_com_err(whoami, code, "(getting token)");
+	    if (secLevel > 1)
+		return code;
 	    scIndex = 0;
 	} else {
 	    if (ttoken.kvno >= 0 && ttoken.kvno <= 256)
@@ -213,7 +215,8 @@ pr_Initialize(IN afs_int32 secLevel, IN const char *confDir, IN char *cell)
 		scIndex = 2;
 	    }
 	    sc[2] =
-		rxkad_NewClientSecurityObject(rxkad_clear, &ttoken.sessionKey,
+		rxkad_NewClientSecurityObject((secLevel > 1) ? rxkad_crypt :
+					      rxkad_clear, &ttoken.sessionKey,
 					      ttoken.kvno, ttoken.ticketLen,
 					      ttoken.ticket);
 	}