DEVEL15-pts-encrypt-option-20090512
authorDerrick Brashear <shadow@dementia.org>
Tue, 12 May 2009 20:40:32 +0000 (20:40 +0000)
committerDerrick Brashear <shadow@dementia.org>
Tue, 12 May 2009 20:40:32 +0000 (20:40 +0000)
LICENSE IPL10
FIXES 124681

add -encrypt flag to pts generic options, allowing the wire to be
encrypted if desired and the user is authenticated. document same.

(cherry picked from commit 6ba44802ea6cf722c22a4784cbbad70ed6f5d60a)

doc/man-pages/pod1/pts.pod
src/ptserver/pts.c
src/ptserver/ptuser.c

index 913a9ff..a3da572 100644 (file)
@@ -129,6 +129,12 @@ privileged users to issue commands that change the Protection Database,
 and refuses to perform such an action even if the B<-noauth> flag is
 provided.
 
+=item B<-encrypt>
+
+Establishes an authenticated, encrypted connection to the Protection Server.
+It is useful when it is desired to obscure network traffic related to the
+transactions being done.
+
 =item B<-localauth>
 
 Constructs a server ticket using the server encryption key with the
index 3ca37f3..ed5845b 100644 (file)
@@ -184,6 +184,10 @@ GetGlobals(struct cmd_syndesc *as, void *arock)
        changed = 1;
        sec = 1;
     }
+    if (as->parms[22].items) { /* -encrypt */
+       changed = 1;
+       sec = 3;
+    }
     if (as->parms[18].items || as->parms[20].items) { /* -test, -localauth */
        changed = 1;
        confdir = AFSDIR_SERVER_ETC_DIRPATH;
@@ -1031,6 +1035,8 @@ add_std_args(struct cmd_syndesc *ts)
                "use local authentication");
     cmd_AddParm(ts, "-auth", CMD_FLAG, CMD_OPTIONAL,
                "use user's authentication (default)");
+    cmd_AddParm(ts, "-encrypt", CMD_FLAG, CMD_OPTIONAL,
+               "encrypt commands");
 }
 
 /*
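Review bot: The new `-encrypt` block in GetGlobals keys on the hard-coded slot `as->parms[22]`, which is only correct while `-encrypt` remains the parameter registered immediately after `-auth` in add_std_args; the trailing comment helps, but a named index next to the existing slot numbers would keep the two hunks from drifting apart. The block also overwrites the `sec = 1` set by the branch just above it, and the `-test`/`-localauth` branch that follows presumably assigns `sec` again, so the effective level for `pts -encrypt -localauth` is decided by statement order rather than by an explicit rule; either reject the combination or record the precedence in a comment such as `/* -encrypt asks for rxkad_crypt; a later -localauth branch overrides sec */`. The help string `"encrypt commands"` in add_std_args understates what the flag does; `"encrypt communication with the server (requires authentication)"` matches the pod text. The rest of GetGlobals, including where `sec` is consumed, lies outside the hunk.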
index aa2dc12..83c47eb 100644 (file)
@@ -201,6 +201,8 @@ pr_Initialize(IN afs_int32 secLevel, IN const char *confDir, IN char *cell)
        code = ktc_GetToken(&sname, &ttoken, sizeof(ttoken), NULL);
        if (code) {
            afs_com_err(whoami, code, "(getting token)");
+           if (secLevel > 1)
+               return code;
            scIndex = 0;
        } else {
            if (ttoken.kvno >= 0 && ttoken.kvno <= 256)
@@ -213,7 +215,8 @@ pr_Initialize(IN afs_int32 secLevel, IN const char *confDir, IN char *cell)
                scIndex = 2;
            }
            sc[2] =
-               rxkad_NewClientSecurityObject(rxkad_clear, &ttoken.sessionKey,
+               rxkad_NewClientSecurityObject((secLevel > 1) ? rxkad_crypt :
+                                             rxkad_clear, &ttoken.sessionKey,
                                              ttoken.kvno, ttoken.ticketLen,
                                              ttoken.ticket);
        }
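Review bot: The fail-closed check added after the ktc_GetToken failure covers only one of the ways pr_Initialize can end up on the unauthenticated security class: the kvno range test on the following context line implies another fallback branch that is not visible here, and if it also leaves `scIndex` at 0 an `-encrypt` request would proceed over the clear-text class with no error. A single guard after the security-object selection would close every path at once, e.g. `if (secLevel > 1 && scIndex != 2) return <ERROR-CODE-PLACEHOLDER>;` with whatever code the caller already treats as "no usable token". The early return itself deserves a one-line why-comment, `/* encryption was requested: never downgrade to an unauthenticated connection */`, since the surrounding code otherwise treats a missing token as recoverable. The level is selected by `secLevel > 1` rather than by an explicit value, so any caller passing a level of 2 for another reason also gets rxkad_crypt on this path; nothing on the page documents the level numbering, so the parameter comment should state that levels above 1 mean encrypted. pr_Initialize starts and ends outside these hunks.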