Enable weak enctypes for klog.krb5 if supported by Kerberos

The same as cb4b62a40352ccebae3a299f4327fa70fc7a0c5c, but for klog.krb5.

Current versions of both MIT Kerberos and Heimdal disable DES enctypes
by default, but DES enctypes are still required for AFS service tickets.
Probe for either krb5_allow_weak_crypto() (MIT Kerberos 1.8) or
krb5_enctype_enable() (Heimdal) and, if found, call them to enable DES
enctypes.  If neither is found, assume that the Kerberos libraries are
old enough that DES is enabled by default.

Change-Id: I99c93621c847f6edcc485207f5b6b99b2370b347
Reviewed-on: http://gerrit.openafs.org/1144
Tested-by: Russ Allbery <rra@stanford.edu>
Reviewed-by: Derrick Brashear <shadow@dementia.org>

diff --git a/src/aklog/klog.c b/src/aklog/klog.c
index 61fefde..0647c68 100644 (file)
--- a/src/aklog/klog.c
+++ b/src/aklog/klog.c
@@ -408,6 +408,19 @@ CommandProc(struct cmd_syndesc *as, void *arock)
        KLOGEXIT(1);
     }
 
+    /*
+     * Enable DES enctypes, which are currently still required for AFS.
+     * krb5_allow_weak_crypto is MIT Kerberos 1.8.  krb5_enctype_enable is
+     * Heimdal.
+     */
+#if defined(HAVE_KRB5_ALLOW_WEAK_CRYPTO)
+    krb5_allow_weak_crypto(k5context, 1);
+#elif defined(HAVE_KRB5_ENCTYPE_ENABLE)
+    i = krb5_enctype_valid(k5context, ETYPE_DES_CBC_CRC);
+    if (i)
+        krb5_enctype_enable(k5context, ETYPE_DES_CBC_CRC);
+#endif
+
     /* Parse remaining arguments. */
 
     dosetpag = !! as->parms[aSETPAG].items;