auth/cephx: switch default cipher to AES256KRB5

Signed-off-by: Yehuda Sadeh <ysadehwe@ibm.com>
(cherry picked from commit 2af51362afdd1da9f1195f3394716d09383a0c88)

diff --git a/src/auth/cephx/CephxKeyServer.cc b/src/auth/cephx/CephxKeyServer.cc
index d88504c0ae6b39faae2f4e34e6da88739bec26e5..fab93ee554f82330b9e1170cf0a1e689cdf029c8 100644 (file)
--- a/src/auth/cephx/CephxKeyServer.cc
+++ b/src/auth/cephx/CephxKeyServer.cc
@@ -270,14 +270,14 @@ void KeyServer::generate_test_instances(std::list<KeyServer*>& ls)
 bool KeyServer::generate_secret(CryptoKey& secret)
 {
   bufferptr bp;
-  auto crypto = cct->get_crypto_manager()->get_handler(CEPH_CRYPTO_AES);
+  auto crypto = cct->get_crypto_manager()->get_handler(CEPH_CRYPTO_AES256KRB5);
   if (!crypto)
     return false;
 
   if (crypto->create(cct->random(), bp) < 0)
     return false;
 
-  secret.set_secret(CEPH_CRYPTO_AES, bp, ceph_clock_now());
+  secret.set_secret(CEPH_CRYPTO_AES256KRB5, bp, ceph_clock_now());
 
   return true;
 }

diff --git a/src/ceph_osd.cc b/src/ceph_osd.cc
index 52988843c8327c186dce932dc0703aa3d3d2d9a2..16d34277b231b62883d0bc034df100e5fffa6957 100644 (file)
--- a/src/ceph_osd.cc
+++ b/src/ceph_osd.cc
@@ -342,7 +342,7 @@ int main(int argc, const char **argv)
        keyring.get_auth(ename, eauth)) {
       derr << "already have key in keyring " << keyring_path << dendl;
     } else {
-      eauth.key.create(g_ceph_context, CEPH_CRYPTO_AES);
+      eauth.key.create(g_ceph_context, CEPH_CRYPTO_AES256KRB5);
       keyring.add(ename, eauth);
       bufferlist bl;
       keyring.encode_plaintext(bl);

diff --git a/src/crimson/osd/main.cc b/src/crimson/osd/main.cc
index 2173aa4bb8c80030b273d58f6ea4c8f84bfde470..52afcaa0f06a4c7753cb2319f20358ab5d15f175 100644 (file)
--- a/src/crimson/osd/main.cc
+++ b/src/crimson/osd/main.cc
@@ -58,7 +58,7 @@ seastar::future<> make_keyring()
       return seastar::now();
     } else {
       CephContext temp_cct{};
-      auth.key.create(&temp_cct, CEPH_CRYPTO_AES);
+      auth.key.create(&temp_cct, CEPH_CRYPTO_AES256KRB5);
       keyring.add(name, auth);
       bufferlist bl;
       keyring.encode_plaintext(bl);

diff --git a/src/mon/AuthMonitor.cc b/src/mon/AuthMonitor.cc
index 0a60ab6d26dd3062003490b34fca6112759e4334..bbf32a7c83fd15cf49e623c6402b4ebc8055b3e9 100644 (file)
--- a/src/mon/AuthMonitor.cc
+++ b/src/mon/AuthMonitor.cc
@@ -261,7 +261,7 @@ void _generate_bootstrap_keys(
     EntityName name;
     name.from_str("client." + p.first);
     EntityAuth auth;
-    auth.key.create(g_ceph_context, CEPH_CRYPTO_AES);
+    auth.key.create(g_ceph_context, CEPH_CRYPTO_AES256KRB5);
     auth.caps = p.second;
 
     auth_lst->push_back(make_pair(name, auth));
@@ -1513,7 +1513,7 @@ bool AuthMonitor::prepare_command(MonOpRequestRef op)
     if (!has_keyring) {
       dout(10) << "AuthMonitor::prepare_command generating random key for "
         << auth_inc.name << dendl;
-      new_inc.key.create(g_ceph_context, CEPH_CRYPTO_AES);
+      new_inc.key.create(g_ceph_context, CEPH_CRYPTO_AES256KRB5);
     }
     new_inc.caps = encoded_caps;
 
@@ -1568,7 +1568,7 @@ bool AuthMonitor::prepare_command(MonOpRequestRef op)
        auth_inc.op = KeyServerData::AUTH_INC_ADD;
        auth_inc.name = entity;
        auth_inc.auth = entity_auth;
-       auth_inc.auth.pending_key.create(g_ceph_context, CEPH_CRYPTO_AES);
+       auth_inc.auth.pending_key.create(g_ceph_context, CEPH_CRYPTO_AES256KRB5);
        push_cephx_inc(auth_inc);
        kr.add(entity, auth_inc.auth.key, auth_inc.auth.pending_key);
         push_cephx_inc(auth_inc);
@@ -1667,7 +1667,7 @@ bool AuthMonitor::prepare_command(MonOpRequestRef op)
     KeyServerData::Incremental auth_inc;
     auth_inc.op = KeyServerData::AUTH_INC_ADD;
     auth_inc.name = entity;
-    auth_inc.auth.key.create(g_ceph_context, CEPH_CRYPTO_AES);
+    auth_inc.auth.key.create(g_ceph_context, CEPH_CRYPTO_AES256KRB5);
     auth_inc.auth.caps = wanted_caps;
 
     push_cephx_inc(auth_inc);
@@ -1840,7 +1840,7 @@ bool AuthMonitor::prepare_command(MonOpRequestRef op)
       goto done;
     }
 
-    entity_auth.key.create(g_ceph_context, CEPH_CRYPTO_AES);
+    entity_auth.key.create(g_ceph_context, CEPH_CRYPTO_AES256KRB5);
 
     KeyServerData::Incremental auth_inc;
     auth_inc.op = KeyServerData::AUTH_INC_ADD;
@@ -2039,7 +2039,7 @@ int AuthMonitor::_update_or_create_entity(const EntityName& entity,
   auth_inc.op = KeyServerData::AUTH_INC_ADD;
   auth_inc.auth.caps = encoded_caps;
   if (create_entity) {
-    auth_inc.auth.key.create(g_ceph_context, CEPH_CRYPTO_AES);
+    auth_inc.auth.key.create(g_ceph_context, CEPH_CRYPTO_AES256KRB5);
   }
 
   push_cephx_inc(auth_inc);
@@ -2221,7 +2221,7 @@ bool AuthMonitor::_upgrade_format_to_luminous()
     EntityName name = bootstrap_mgr_name;
     EntityAuth auth;
     encode("allow profile bootstrap-mgr", auth.caps["mon"]);
-    auth.key.create(g_ceph_context, CEPH_CRYPTO_AES);
+    auth.key.create(g_ceph_context, CEPH_CRYPTO_AES256KRB5);
     add_entity(name, auth);
     changed = true;
   }

diff --git a/src/tools/ceph_authtool.cc b/src/tools/ceph_authtool.cc
index 9671ba33eb3b6c12c7ef8ae823d6b6aaf077906c..0a9f1868d7e538729555f85f753cf98a693ab8f2 100644 (file)
--- a/src/tools/ceph_authtool.cc
+++ b/src/tools/ceph_authtool.cc
@@ -66,7 +66,7 @@ int main(int argc, const char **argv)
   map<string,bufferlist> caps;
   std::string fn;
 
-  int key_type = CEPH_CRYPTO_AES;
+  int key_type = CEPH_CRYPTO_AES256KRB5;
 
   if (args.empty()) {
     cerr << argv[0] << ": -h or --help for usage" << std::endl;