On Oct 25, 2006, at 6:20 PM, Jeffrey Hutzelman wrote:
> On Wednesday, October 25, 2006 05:58:46 PM -0400 Robert Banz
> <[EMAIL PROTECTED]> wrote:
>
>> Is there a way (hacking the code is ok) to require, from the fileserver
>> side, that authenticated clients encrypt content?
>
> Almost, but not quite.
>
> You can have the fileserver create its rxkad security objects with
> a minimum protection level of rxkad_crypt. That will make it
> reject weaker rxkad connections, but because of the way the
> protocol works, that doesn't happen until the client has already
> sent the first packet (which could be an RXAFS_StoreData containing
> some data, but that's fairly unlikely).
>
> Also, there's little you can do to prevent unauthenticated
> connections. Sure, you could configure the fileserver not to accept
> rxnull connections at all, but I can't say how well things would
> work in that sort of environment. It would be interesting, anyway.

Unauthenticated connections really aren't a problem in this scenario
-- I'm only really worried about data that is stored in places where
authentication is required.

But what you're saying, in theory, is that unless a client has
setcrypt on, their first request could be 'in the clear', but the
fileserver will insist that all other requests and responses would be
encrypted... That's something I could possibly live with.

-rob
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
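
The ordering described in the quoted reply (first packet sent, then the level check), as a toy model added here for illustration; it is not OpenAFS code and not from either poster. The level names, struct, functions and sample payloads are all hypothetical, and payload visibility is reduced to "encrypted only at the crypt level".

```c
#include <stdio.h>
#include <string.h>

/* Toy model of the ordering described in the thread; not OpenAFS source.
 * Levels are ordered clear < auth < crypt; all names are hypothetical. */
enum level { LVL_CLEAR, LVL_AUTH, LVL_CRYPT };

struct result {
    int calls_completed;     /* calls the fileserver actually served */
    size_t plaintext_bytes;  /* payload bytes a passive observer could read */
};

/* Constructed sample payloads, 8 bytes each. */
static const char *const SAMPLE[] = { "AAAAAAAA", "BBBBBBBB", "CCCCCCCC" };

/* Put one call's payload on the wire; only LVL_CRYPT hides the data. */
static void send_call(enum level lvl, const char *payload, struct result *r)
{
    if (lvl != LVL_CRYPT)
        r->plaintext_bytes += strlen(payload);
}

/* A client issues n calls on one new connection to a server with a minimum. */
struct result run_connection(enum level client, enum level server_min,
                             const char *const payloads[], int n)
{
    struct result r = {0, 0};
    if (n <= 0)
        return r;
    /* 1. The first call packet goes out before the server has challenged. */
    send_call(client, payloads[0], &r);
    /* 2. The server checks the level only after its challenge is answered.
     *    Too weak: connection rejected, but step 1 already hit the wire. */
    if (client < server_min)
        return r;
    r.calls_completed = 1;
    /* 3. Remaining calls proceed at the client's (acceptable) level. */
    for (int i = 1; i < n; i++) {
        send_call(client, payloads[i], &r);
        r.calls_completed++;
    }
    return r;
}

int main(void)
{
    struct result r = run_connection(LVL_AUTH, LVL_CRYPT, SAMPLE, 3);
    printf("served=%d exposed=%zu\n", r.calls_completed, r.plaintext_bytes);
    return 0;
}
```

With a crypt minimum on the server, a weaker client exposes at most its first payload and gets nothing served; with no minimum, every payload from that client is readable on the wire.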