auth/cephx: switch default cipher to AES256KRB5

Signed-off-by: Yehuda Sadeh <ysadehwe@ibm.com>

diff --git a/src/auth/cephx/CephxKeyServer.cc b/src/auth/cephx/CephxKeyServer.cc
index 1e81175cfc1220099154dfcadd22c076046c895a..b986460df29afc2d623923048ef184e886af035c 100644 (file)
--- a/src/auth/cephx/CephxKeyServer.cc
+++ b/src/auth/cephx/CephxKeyServer.cc
@@ -274,14 +274,14 @@ std::list<KeyServer> KeyServer::generate_test_instances()
 bool KeyServer::generate_secret(CryptoKey& secret)
 {
   bufferptr bp;
-  auto crypto = cct->get_crypto_manager()->get_handler(CEPH_CRYPTO_AES);
+  auto crypto = cct->get_crypto_manager()->get_handler(CEPH_CRYPTO_AES256KRB5);
   if (!crypto)
     return false;
 
   if (crypto->create(cct->random(), bp) < 0)
     return false;
 
-  secret.set_secret(CEPH_CRYPTO_AES, bp, ceph_clock_now());
+  secret.set_secret(CEPH_CRYPTO_AES256KRB5, bp, ceph_clock_now());
 
   return true;
 }

diff --git a/src/ceph_osd.cc b/src/ceph_osd.cc
index da09b7bae5a7c273b7cabc46e4bc5e231918cd09..4e011a182f829a6b7e04a14ab20a5f9dfdd8bcc6 100644 (file)
--- a/src/ceph_osd.cc
+++ b/src/ceph_osd.cc
@@ -350,7 +350,7 @@ int main(int argc, const char **argv)
        keyring.get_auth(ename, eauth)) {
       derr << "already have key in keyring " << keyring_path << dendl;
     } else {
-      eauth.key.create(g_ceph_context, CEPH_CRYPTO_AES);
+      eauth.key.create(g_ceph_context, CEPH_CRYPTO_AES256KRB5);
       keyring.add(ename, eauth);
       bufferlist bl;
       keyring.encode_plaintext(bl);

diff --git a/src/crimson/osd/main.cc b/src/crimson/osd/main.cc
index 461a2652ecc7b7d3e73cba57e7c999db35aba499..a3391907a29691a0cc231760909309cf34f51d8b 100644 (file)
--- a/src/crimson/osd/main.cc
+++ b/src/crimson/osd/main.cc
@@ -58,7 +58,7 @@ seastar::future<> make_keyring()
       return seastar::now();
     } else {
       CephContext temp_cct{};
-      auth.key.create(&temp_cct, CEPH_CRYPTO_AES);
+      auth.key.create(&temp_cct, CEPH_CRYPTO_AES256KRB5);
       keyring.add(name, auth);
       bufferlist bl;
       keyring.encode_plaintext(bl);

diff --git a/src/mon/AuthMonitor.cc b/src/mon/AuthMonitor.cc
index 77b1874429cd01c987791530fffc42f315875c21..0f8f229bff6e4fb04478a254f32eb453c0789c25 100644 (file)
--- a/src/mon/AuthMonitor.cc
+++ b/src/mon/AuthMonitor.cc
@@ -262,7 +262,7 @@ void _generate_bootstrap_keys(
     EntityName name;
     name.from_str("client." + p.first);
     EntityAuth auth;
-    auth.key.create(g_ceph_context, CEPH_CRYPTO_AES);
+    auth.key.create(g_ceph_context, CEPH_CRYPTO_AES256KRB5);
     auth.caps = p.second;
 
     auth_lst->push_back(make_pair(name, auth));
@@ -1514,7 +1514,7 @@ bool AuthMonitor::prepare_command(MonOpRequestRef op)
     if (!has_keyring) {
       dout(10) << "AuthMonitor::prepare_command generating random key for "
         << auth_inc.name << dendl;
-      new_inc.key.create(g_ceph_context, CEPH_CRYPTO_AES);
+      new_inc.key.create(g_ceph_context, CEPH_CRYPTO_AES256KRB5);
     }
     new_inc.caps = encoded_caps;
 
@@ -1569,7 +1569,7 @@ bool AuthMonitor::prepare_command(MonOpRequestRef op)
        auth_inc.op = KeyServerData::AUTH_INC_ADD;
        auth_inc.name = entity;
        auth_inc.auth = entity_auth;
-       auth_inc.auth.pending_key.create(g_ceph_context, CEPH_CRYPTO_AES);
+       auth_inc.auth.pending_key.create(g_ceph_context, CEPH_CRYPTO_AES256KRB5);
        push_cephx_inc(auth_inc);
        kr.add(entity, auth_inc.auth.key, auth_inc.auth.pending_key);
         push_cephx_inc(auth_inc);
@@ -1668,7 +1668,7 @@ bool AuthMonitor::prepare_command(MonOpRequestRef op)
     KeyServerData::Incremental auth_inc;
     auth_inc.op = KeyServerData::AUTH_INC_ADD;
     auth_inc.name = entity;
-    auth_inc.auth.key.create(g_ceph_context, CEPH_CRYPTO_AES);
+    auth_inc.auth.key.create(g_ceph_context, CEPH_CRYPTO_AES256KRB5);
     auth_inc.auth.caps = wanted_caps;
 
     push_cephx_inc(auth_inc);
@@ -1841,7 +1841,7 @@ bool AuthMonitor::prepare_command(MonOpRequestRef op)
       goto done;
     }
 
-    entity_auth.key.create(g_ceph_context, CEPH_CRYPTO_AES);
+    entity_auth.key.create(g_ceph_context, CEPH_CRYPTO_AES256KRB5);
 
     KeyServerData::Incremental auth_inc;
     auth_inc.op = KeyServerData::AUTH_INC_ADD;
@@ -2040,7 +2040,7 @@ int AuthMonitor::_update_or_create_entity(const EntityName& entity,
   auth_inc.op = KeyServerData::AUTH_INC_ADD;
   auth_inc.auth.caps = encoded_caps;
   if (create_entity) {
-    auth_inc.auth.key.create(g_ceph_context, CEPH_CRYPTO_AES);
+    auth_inc.auth.key.create(g_ceph_context, CEPH_CRYPTO_AES256KRB5);
   }
 
   push_cephx_inc(auth_inc);
@@ -2222,7 +2222,7 @@ bool AuthMonitor::_upgrade_format_to_luminous()
     EntityName name = bootstrap_mgr_name;
     EntityAuth auth;
     encode("allow profile bootstrap-mgr", auth.caps["mon"]);
-    auth.key.create(g_ceph_context, CEPH_CRYPTO_AES);
+    auth.key.create(g_ceph_context, CEPH_CRYPTO_AES256KRB5);
     add_entity(name, auth);
     changed = true;
   }

diff --git a/src/tools/ceph_authtool.cc b/src/tools/ceph_authtool.cc
index b0c3a58cf8f678c0e5390ffcece9c9c8ab0bb940..5e3298a4295e8e18905b26391c9582d8f0685afe 100644 (file)
--- a/src/tools/ceph_authtool.cc
+++ b/src/tools/ceph_authtool.cc
@@ -67,7 +67,7 @@ int main(int argc, const char **argv)
   map<string,bufferlist> caps;
   std::string fn;
 
-  int key_type = CEPH_CRYPTO_AES;
+  int key_type = CEPH_CRYPTO_AES256KRB5;
 
   if (args.empty()) {
     cerr << argv[0] << ": -h or --help for usage" << std::endl;