Enable weak crypto using secret API for openafs.

Modern Kerberos disallows DES crypto methods, but openafs for protocol
reasons is stuck using des for the time being. Rather than force all
afs realms to enable weak crypto, MIT added an undocumented API call
to allow openafs to skirt around the weak crypto restrictions. Since
we're implementing aklog for Apache, we have to be evil and use it too
in order to acquire tokens on a system where weak crypto is not
permitted.

diff --git a/mod_waklog.c b/mod_waklog.c
index 023028b..bf1becf 100644 (file)
--- a/mod_waklog.c
+++ b/mod_waklog.c
@@ -545,8 +545,12 @@ set_auth ( server_rec *s, request_rec *r, int self, char *principal, char *keyta
       log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: retrieved data from ccache for %s", k5user);
       
       increds.times.endtime = 0;
-      
+
+      /* Since we're fetching a key for AFS, we have to use single DES
+        and explicitely enable weak crypto using the secret API
+        call */
       increds.keyblock.enctype = ENCTYPE_DES_CBC_CRC;
+      krb5_allow_weak_crypto (child.kcontext, 1);
       
       if ( ( kerror = krb5_get_credentials (child.kcontext, 0, clientccache, &increds, &v5credsp ) ) ) {
         /* only complain once we've tried both afs@REALM and afs/cell@REALM */