From: Michael Meffie Date: Fri, 18 Oct 2019 17:43:36 +0000 (-0400) Subject: warn when starting without keys X-Git-Tag: openafs-devel-1_9_0~151 X-Git-Url: http://git.openafs.org/?p=openafs.git;a=commitdiff_plain;h=042f809ccfe12bafed73aa4eb4db2c86737e0b22;hp=a5f031d2fe50f068f5517ff8d64324c127b6420d warn when starting without keys The server processes will happily start without keys and then fail all authenticated access, including database synchronization and local commands with -localauth. At least issue warnings to let admins know the keys are missing and that akeyconvert or asetkey needs to be run. The situation is not helped by fact the filenames of the key files have changed between versions. In 1.6.x the (non-DES) keys were in the rxkad.keytab file and in later versions they are in the KeyFile* files, so if you are used to 1.6.x it is not obvious what is wrong. Change-Id: Iff7fe9a5a5a0f5ea1f4e227d3f6129658f8eb598 Reviewed-on: https://gerrit.openafs.org/13911 Reviewed-by: Andrew Deason Reviewed-by: Cheyenne Wills Reviewed-by: Benjamin Kaduk Tested-by: BuildBot
---
diff --git a/src/auth/cellconfig.p.h b/src/auth/cellconfig.p.h
index 9994543..c3811fd 100644
--- a/src/auth/cellconfig.p.h
+++ b/src/auth/cellconfig.p.h
@@ -180,6 +180,7 @@ extern void afsconf_typedKey_values(struct afsconf_typedKey *key, int *minorType, struct rx_opaque **keyMaterial);
+extern int afsconf_CountKeys(struct afsconf_dir *);
 extern int afsconf_GetAllKeys(struct afsconf_dir *, struct afsconf_typedKeyList **); extern int afsconf_GetKeysByType(struct afsconf_dir *dir,
diff --git a/src/auth/keys.c b/src/auth/keys.c
index 59543e8..1c05493 100644
--- a/src/auth/keys.c
+++ b/src/auth/keys.c
@@ -937,6 +937,39 @@ out:
 } int
+_afsconf_CountKeys(struct afsconf_dir *dir)
+{
+ int count = 0;
+ struct opr_queue *typeCursor;
+ struct keyTypeList *typeEntry;
+ struct opr_queue *kvnoCursor;
+ struct kvnoList *kvnoEntry;
+ struct opr_queue *subCursor;
+
+ for (opr_queue_Scan(&dir->keyList, typeCursor)) {
+ typeEntry = opr_queue_Entry(typeCursor, struct keyTypeList, link);
+ for (opr_queue_Scan(&typeEntry->kvnoList, kvnoCursor)) {
+ kvnoEntry = opr_queue_Entry(kvnoCursor, struct kvnoList, link);
+ for (opr_queue_Scan(&kvnoEntry->subTypeList, subCursor))
+ count++;
+ }
+ }
+ return count;
+}
+
+int
+afsconf_CountKeys(struct afsconf_dir *dir)
+{
+ int count = 0;
+
+ LOCK_GLOBAL_MUTEX;
+ count = _afsconf_CountKeys(dir);
+ UNLOCK_GLOBAL_MUTEX;
+
+ return count;
+}
+
+int
 afsconf_GetAllKeys(struct afsconf_dir *dir, struct afsconf_typedKeyList **keys) { int code;
@@ -955,16 +988,8 @@ afsconf_GetAllKeys(struct afsconf_dir *dir, struct afsconf_typedKeyList **keys)
 if (code) goto out;
- count = 0;
 /* First, work out how many keys we have in total */
- for (opr_queue_Scan(&dir->keyList, typeCursor)) {
- typeEntry = opr_queue_Entry(typeCursor, struct keyTypeList, link);
- for (opr_queue_Scan(&typeEntry->kvnoList, kvnoCursor)) {
- kvnoEntry = opr_queue_Entry(kvnoCursor, struct kvnoList, link);
- for (opr_queue_Scan(&kvnoEntry->subTypeList, subCursor))
- count++;
- }
- }
+ count = _afsconf_CountKeys(dir);
 /* Allocate space for all of these */ retval = malloc(sizeof(struct afsconf_typedKeyList));
diff --git a/src/auth/liboafs_auth.la.sym b/src/auth/liboafs_auth.la.sym
index 7f5530b..561ddfa 100644
--- a/src/auth/liboafs_auth.la.sym
+++ b/src/auth/liboafs_auth.la.sym
@@ -11,6 +11,7 @@ afsconf_ClientAuthRXGKCrypt
 afsconf_ClientAuthSecure
 afsconf_ClientAuthToken
 afsconf_Close
+afsconf_CountKeys
 afsconf_DeleteKey
 afsconf_GetAfsdbInfo
 afsconf_GetAllKeys
diff --git a/src/bozo/bosserver.c b/src/bozo/bosserver.c
index 3a7a6a0..5346df0 100644
--- a/src/bozo/bosserver.c
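Review bot: `_afsconf_CountKeys` is added with external linkage, but no header touched by this patch declares it and both visible callers are in keys.c, so `static int` would keep the helper out of the library's namespace. The helper walks `dir->keyList` without locking and depends on the caller holding the global mutex, as `afsconf_CountKeys` does; a one-line comment above it, `/* Caller must hold the global mutex. */`, would record that requirement. In `afsconf_CountKeys` the initialiser in `int count = 0;` is dead, since the value is overwritten before it is read. The following hunk shows `afsconf_GetAllKeys` bailing out on a non-zero `code` before it counts; the call that sets `code` lies outside the hunk, so whether the new public function needs the same check should be confirmed.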
+++ b/src/bozo/bosserver.c
@@ -1116,6 +1116,12 @@ main(int argc, char **argv, char **envp)
 /* opened the cell databse */ bozo_confdir = tdir;
+ if (afsconf_CountKeys(bozo_confdir) == 0) {
+ bozo_Log("WARNING: No encryption keys found! "
+ "All authenticated accesses will fail. "
+ "Run akeyconvert or asetkey to import encryption keys.\n");
+ }
+
 code = bnode_Init(); if (code) { printf("bosserver: could not init bnode package, code %d\n", code);
diff --git a/src/budb/server.c b/src/budb/server.c
index 08d7a4f..f35f47f 100644
--- a/src/budb/server.c
+++ b/src/budb/server.c
@@ -468,6 +468,12 @@ main(int argc, char **argv)
 ERROR(BUDB_NOCELLS); }
+ if (afsconf_CountKeys(BU_conf) == 0) {
+ LogError(0, "WARNING: No encryption keys found! "
+ "All authenticated accesses will fail. "
+ "Run akeyconvert or asetkey to import encryption keys.\n");
+ }
+
 code = afsconf_GetLocalCell(BU_conf, lcell, sizeof(lcell)); if (code) { LogError(0, "** Can't determine local cell name!\n");
diff --git a/src/butc/tcmain.c b/src/butc/tcmain.c
index b7f1a91..344d93e 100644
--- a/src/butc/tcmain.c
+++ b/src/butc/tcmain.c
@@ -997,6 +997,12 @@ WorkerBee(struct cmd_syndesc *as, void *arock)
 exit(1); }
+ if (afsconf_CountKeys(butc_confdir) == 0) {
+ TLog(0, "WARNING: No encryption keys found! "
+ "All authenticated accesses will fail. "
+ "Run akeyconvert or asetkey to import encryption keys.\n");
+ }
+
 /* Start auditing */ osi_audit_init(); if (as->parms[9].items) {
diff --git a/src/libafsauthent/afsauthent.def b/src/libafsauthent/afsauthent.def
index 8927ef8..10c71cb 100644
--- a/src/libafsauthent/afsauthent.def
+++ b/src/libafsauthent/afsauthent.def
@@ -209,3 +209,4 @@ EXPORTS
 xdr_idlist @208
 xdr_namelist @209
 xdr_prlist @210
+ afsconf_CountKeys @211
diff --git a/src/ptserver/ptserver.c b/src/ptserver/ptserver.c
index a49e93c..c718ece 100644
--- a/src/ptserver/ptserver.c
+++ b/src/ptserver/ptserver.c
@@ -642,7 +642,11 @@ main(int argc, char **argv)
 "1.0", #endif "Starting AFS", FSLog);
- if (afsconf_GetLatestKey(prdir, NULL, NULL) == 0) {
+ if (afsconf_CountKeys(prdir) == 0) {
+ ViceLog(0, ("WARNING: No encryption keys found! "
+ "All authenticated accesses will fail. "
+ "Run akeyconvert or asetkey to import encryption keys.\n"));
+ } else if (afsconf_GetLatestKey(prdir, NULL, NULL) == 0) {
 LogDesWarning(); }
diff --git a/src/update/server.c b/src/update/server.c
index c3e722d..7a5e33b 100644
--- a/src/update/server.c
+++ b/src/update/server.c
@@ -290,6 +290,12 @@ main(int argc, char *argv[])
 exit(1); }
+ if (afsconf_CountKeys(cdir) == 0) {
+ fprintf(stderr, "WARNING: No encryption keys found! "
+ "All authenticated accesses will fail."
+ "Run akeyconvert or asetkey to import encryption keys.\n");
+ }
+
 if (rxBind) { afs_int32 ccode; if (AFSDIR_SERVER_NETRESTRICT_FILEPATH ||
diff --git a/src/viced/viced.c b/src/viced/viced.c
index c11070a..6d29129 100644
--- a/src/viced/viced.c
+++ b/src/viced/viced.c
@@ -1900,7 +1900,12 @@ main(int argc, char *argv[])
 OpenLog(&logopts); LogCommandLine(argc, argv, "starting", "", "File server", FSLog);
- if (afsconf_GetLatestKey(confDir, NULL, NULL) == 0) {
+
+ if (afsconf_CountKeys(confDir) == 0) {
+ ViceLog(0, ("WARNING: No encryption keys found! "
+ "All authenticated accesses will fail. "
+ "Run akeyconvert or asetkey to import encryption keys.\n"));
+ } else if (afsconf_GetLatestKey(confDir, NULL, NULL) == 0) {
 LogDesWarning(); }
diff --git a/src/vlserver/vlserver.c b/src/vlserver/vlserver.c
index 47d899b..36e02a8 100644
--- a/src/vlserver/vlserver.c
+++ b/src/vlserver/vlserver.c
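Review bot: In the src/update/server.c hunk the literal `"All authenticated accesses will fail."` has no trailing space, so the concatenated warning reads `fail.Run akeyconvert ...`; the src/vlserver/vlserver.c hunk has the same slip. Both should read `"All authenticated accesses will fail. "` like the other call sites, since this is the line an administrator has to act on when authenticated access is failing. The three-line message is repeated verbatim in every server this commit touches, so defining the text once, for example as a string macro beside the `afsconf_CountKeys` prototype, would keep the copies from drifting again. The enclosing `main` bodies start and end outside these hunks.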
@@ -567,7 +567,11 @@ main(int argc, char **argv)
 rx_SetMaxProcs(tservice, 4); LogCommandLine(argc, argv, "vlserver", VldbVersion, "Starting AFS", FSLog);
- if (afsconf_GetLatestKey(tdir, NULL, NULL) == 0) {
+ if (afsconf_CountKeys(tdir) == 0) {
+ VLog(0, ("WARNING: No encryption keys found! "
+ "All authenticated accesses will fail."
+ "Run akeyconvert or asetkey to import encryption keys.\n"));
+ } else if (afsconf_GetLatestKey(tdir, NULL, NULL) == 0) {
 LogDesWarning(); } VLog(0, ("%s\n", cml_version_number));
diff --git a/src/volser/volmain.c b/src/volser/volmain.c
index 2dfed9a..a56f657 100644
--- a/src/volser/volmain.c
+++ b/src/volser/volmain.c
@@ -638,7 +638,11 @@ main(int argc, char **argv)
 LogCommandLine(argc, argv, "Volserver", VolserVersion, "Starting AFS", Log);
- if (afsconf_GetLatestKey(tdir, NULL, NULL) == 0) {
+ if (afsconf_CountKeys(tdir) == 0) {
+ Log("WARNING: No encryption keys found! "
+ "All authenticated accesses will fail. "
+ "Run akeyconvert or asetkey to import encryption keys.\n");
+ } else if (afsconf_GetLatestKey(tdir, NULL, NULL) == 0) {
 LogDesWarning(); }