C<anyuser> option doesn't restrict the RPCs and leaves it open for all
users including unauthenticated users, this is the default.
+=item B<-s2scrypt> (never | always | inherit)
+
+Set the cryptographic disposition of inter-volserver traffic.
+
+=over 4
+
+=item B<never>
+
+All inter-volserver traffic is unencrypted. This is the default behavior.
+
+=item B<always>
+
+All inter-volserver traffic is encrypted (using rxkad).
+
+=item B<inherit>
+
+Inter-volserver traffic will be encrypted if the client connection triggering
+the server-to-server traffic is encrypted. This has the effect of encrypting
+inter-server traffic if the "-encrypt" option is provided to
+L<B<vos release>|vos_release(1)>, for example.
+
+=back
+
=item B<-help>
Prints the online help for this command. All other valid options are
[B<-transarc-logs>]
[B<-sleep> <I<sleep time>/I<run time>>]
[B<-restricted_query> (anyuser | admin)]
+ [B<-s2scrypt> (never | always | inherit)]
[B<-help>]
static struct logOptions logopts;
char *configDir = NULL;
+enum vol_s2s_crypt doCrypt = VS2SC_NEVER;
+
#define ADDRSPERSITE 16 /* Same global is in rx/rx_user.c */
afs_uint32 SHostAddrs[ADDRSPERSITE];
OPT_logfile,
OPT_config,
OPT_restricted_query,
- OPT_transarc_logs
+ OPT_transarc_logs,
+ OPT_s2s_crypt
};
static int
char *sleepSpec = NULL;
char *sync_behavior = NULL;
char *restricted_query_parameter = NULL;
+ char *s2s_crypt_behavior = NULL;
opts = cmd_CreateSyntax(NULL, NULL, NULL, 0, NULL);
cmd_AddParmAtOffset(opts, OPT_log, "-log", CMD_FLAG, CMD_OPTIONAL,
CMD_OPTIONAL, "configuration location");
cmd_AddParmAtOffset(opts, OPT_restricted_query, "-restricted_query",
CMD_SINGLE, CMD_OPTIONAL, "anyuser | admin");
+ cmd_AddParmAtOffset(opts, OPT_s2s_crypt, "-s2scrypt",
+ CMD_SINGLE, CMD_OPTIONAL, "always | inherit | never");
code = cmd_Parse(argc, argv, &opts);
if (code == CMD_HELP) {
}
free(restricted_query_parameter);
}
+ if (cmd_OptionAsString(opts, OPT_s2s_crypt, &s2s_crypt_behavior) == 0) {
+ if (strcmp(s2s_crypt_behavior, "always") == 0)
+ doCrypt = VS2SC_ALWAYS;
+ else if (strcmp(s2s_crypt_behavior, "never") == 0)
+ doCrypt = VS2SC_NEVER;
+ else if (strcmp(s2s_crypt_behavior, "inherit") == 0)
+ doCrypt = VS2SC_INHERIT;
+ else {
+ printf("invalid argument for -s2scrypt: %s\n", s2s_crypt_behavior);
+ return -1;
+ }
+ free(s2s_crypt_behavior);
+ }
return 0;
}
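Review bot: The rejection branch of the new -s2scrypt block returns -1 without releasing the string obtained from cmd_OptionAsString, whereas the accepted path frees it and the neighbouring -restricted_query block frees its string before leaving; the process presumably exits on -1 so the leak is small, but for consistency write `printf("invalid argument for -s2scrypt: %s\n", s2s_crypt_behavior); free(s2s_crypt_behavior); return -1;`. The option's help string `"always | inherit | never"` also lists the values in a different order from the POD synopsis `(never | always | inherit)`; using one order in both places makes the default easier to spot. The enclosing option-parsing function begins outside the hunk.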
extern struct afsconf_dir *tdir;
extern int DoPreserveVolumeStats;
extern int restrictedQueryLevel;
+extern enum vol_s2s_crypt doCrypt;
extern void LogError(afs_int32 errcode);
return code;
}
+static_inline afs_int32
+MakeClient(struct rx_call *acid, struct rx_securityClass **securityObject,
+ afs_int32 *securityIndex)
+{
+ rxkad_level enc_level = rxkad_clear;
+ int docrypt;
+ int code;
+
+ switch (doCrypt) {
+ case VS2SC_ALWAYS:
+ docrypt = 1;
+ break;
+ case VS2SC_INHERIT:
+ rxkad_GetServerInfo(rx_ConnectionOf(acid), &enc_level, 0, 0, 0, 0, 0);
+ docrypt = (enc_level == rxkad_crypt ? 1 : 0);
+ break;
+ case VS2SC_NEVER:
+ docrypt = 0;
+ break;
+ default:
+ opr_Assert(0 && "doCrypt corrupt?");
+ }
+ if (docrypt)
+ code = afsconf_ClientAuthSecure(tdir, securityObject, securityIndex);
+ else
+ code = afsconf_ClientAuth(tdir, securityObject, securityIndex);
+ return code;
+}
+
static afs_int32
VolForward(struct rx_call *acid, afs_int32 fromTrans, afs_int32 fromDate,
struct destServer *destination, afs_int32 destTrans,
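Review bot: In the VS2SC_INHERIT arm of MakeClient the return value of rxkad_GetServerInfo is discarded, so a triggering connection whose security class is not rxkad (an unauthenticated call, for instance) leaves enc_level at its rxkad_clear initialiser and the server-to-server leg is built with afsconf_ClientAuth, i.e. unencrypted. That matches the documented meaning of "inherit" but reads like an oversight; a comment such as `/* non-rxkad callers leave enc_level == rxkad_clear and so inherit "no encryption" */` above the call would make it deliberate. `docrypt` is also left uninitialised on the default arm, which is safe only while opr_Assert cannot return; `int docrypt = 1;` at the declaration would keep that fall-through erring toward encryption if the assert macro ever changes.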
TSetRxCall(tt, NULL, "Forward");
/* get auth info for the this connection (uses afs from ticket file) */
- code = afsconf_ClientAuth(tdir, &securityObject, &securityIndex);
+ code = MakeClient(acid, &securityObject, &securityIndex);
if (code) {
TRELE(tt);
return code;
}
/* get auth info for this connection (uses afs from ticket file) */
- code = afsconf_ClientAuth(tdir, &securityObject, &securityIndex);
+ code = MakeClient(acid, &securityObject, &securityIndex);
if (code) {
goto fail; /* in order to audit each failure */
}
int (*secproc)(struct rx_securityClass *,
afs_int32),
struct ubik_client **uclientp);
+enum vol_s2s_crypt {
+ VS2SC_NEVER = 0,
+ VS2SC_INHERIT,
+ VS2SC_ALWAYS
+};
+
#endif /* _VOLSER_ */
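Review bot: The new `enum vol_s2s_crypt` carries no comment explaining what the three values mean or that VS2SC_NEVER being 0 is what makes it the default for a zero-initialised global. A short header comment, e.g. `/* Inter-volserver encryption policy, chosen by volserver -s2scrypt */`, with a one-line note per value (never: clear; inherit: follow the triggering client's rxkad level; always: rxkad crypt) would save readers a trip to volserver.pod.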