From 6ba44802ea6cf722c22a4784cbbad70ed6f5d60a Mon Sep 17 00:00:00 2001
From: Derrick Brashear
Date: Tue, 12 May 2009 20:40:20 +0000
Subject: [PATCH] pts-encrypt-option-20090512

LICENSE IPL10
FIXES 124681
add -encrypt flag to pts generic options, allowing the wire to be encrypted if desired and the user's authenticated. document same.
---
 doc/man-pages/pod1/pts.pod | 6 ++++++
 src/ptserver/pts.c | 6 ++++++
 src/ptserver/ptuser.c | 5 ++++-
 3 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/doc/man-pages/pod1/pts.pod b/doc/man-pages/pod1/pts.pod
index 913a9ff18f..a3da572703 100644
--- a/doc/man-pages/pod1/pts.pod
+++ b/doc/man-pages/pod1/pts.pod
@@ -129,6 +129,12 @@ privileged users to issue commands that change the Protection Database,
 and refuses to perform such an action even if the B<-noauth> flag is
 provided.
 
+=item B<-encrypt>
+
+Establishes an authenticated, encrypted connection to the Protection Server.
+It is useful when it is desired to obscure network traffic related to the
+transactions being done.
+
 =item B<-localauth>
 
 Constructs a server ticket using the server encryption key with the
diff --git a/src/ptserver/pts.c b/src/ptserver/pts.c
index 3ca37f3ad1..ed5845b69b 100644
--- a/src/ptserver/pts.c
+++ b/src/ptserver/pts.c
@@ -184,6 +184,10 @@ GetGlobals(struct cmd_syndesc *as, void *arock)
 changed = 1;
 sec = 1;
 }
+ if (as->parms[22].items) { /* -encrypt */
+ changed = 1;
+ sec = 3;
+ }
 if (as->parms[18].items || as->parms[20].items) { /* -test, -localauth */
 changed = 1;
 confdir = AFSDIR_SERVER_ETC_DIRPATH;
@@ -1031,6 +1035,8 @@ add_std_args(struct cmd_syndesc *ts)
 "use local authentication");
 cmd_AddParm(ts, "-auth", CMD_FLAG, CMD_OPTIONAL,
 "use user's authentication (default)");
+ cmd_AddParm(ts, "-encrypt", CMD_FLAG, CMD_OPTIONAL,
+ "encrypt commands");
 }
 
 /*
diff --git a/src/ptserver/ptuser.c b/src/ptserver/ptuser.c
index aa2dc12ca2..83c47eb2c0 100644
--- a/src/ptserver/ptuser.c
+++ b/src/ptserver/ptuser.c
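Review bot: `as->parms[22].items` in GetGlobals ties the new flag to whatever index its cmd_AddParm call lands on in add_std_args (the second pts.c hunk), with nothing at either site recording the dependency; the existing 18 and 20 have the same coupling, but a comment at the new cmd_AddParm such as `/* index 22; GetGlobals reads as->parms[22] for -encrypt */`, or an enum naming the standard-argument indices, would keep the two hunks from drifting apart when a flag is inserted. The -encrypt block sets `sec = 3` after the `sec = 1` (-auth) block and before the -test/-localauth block; if that block also assigns `sec` outside the hunk, a user passing both `-localauth` and `-encrypt` gets whichever assignment runs last with no diagnostic, so the combination should either be rejected or its precedence documented. The help text `"encrypt commands"` could name what is encrypted, e.g. `"encrypt the connection to the Protection Server"`. GetGlobals continues outside the hunk.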
@@ -201,6 +201,8 @@ pr_Initialize(IN afs_int32 secLevel, IN const char *confDir, IN char *cell)
 code = ktc_GetToken(&sname, &ttoken, sizeof(ttoken), NULL);
 if (code) {
 afs_com_err(whoami, code, "(getting token)");
+ if (secLevel > 1)
+ return code;
 scIndex = 0;
 } else {
 if (ttoken.kvno >= 0 && ttoken.kvno <= 256)
@@ -213,7 +215,8 @@ pr_Initialize(IN afs_int32 secLevel, IN const char *confDir, IN char *cell)
 scIndex = 2;
 }
 sc[2] =
- rxkad_NewClientSecurityObject(rxkad_clear, &ttoken.sessionKey,
+ rxkad_NewClientSecurityObject((secLevel > 1) ? rxkad_crypt :
+ rxkad_clear, &ttoken.sessionKey,
 ttoken.kvno, ttoken.ticketLen,
 ttoken.ticket);
 }
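Review bot: The new `return code` in the token-failure branch makes an encrypted request fail closed instead of falling through to the unauthenticated `scIndex = 0` connection, which is the right default for a flag that promises encryption, but the `secLevel > 1` threshold is then repeated in the second hunk to choose `rxkad_crypt`, and a single named local near the top of the branch, `int want_crypt = (secLevel > 1); /* levels above 1 require an encrypted rxkad connection */`, would document the meaning of the level in one place. The distinction between secLevel 2 and 3 is made outside this hunk (pr_Initialize starts before it), so if level 2 is reserved for another authentication path the `> 1` comparison should be checked against that dispatch rather than assumed. The early return also skips whatever release the rest of pr_Initialize performs on its normal exit; if a handle opened earlier in the function is closed later on that path, this exit should close it as well.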