From 5eae788fe0602948a297ffab9b41da2aaa27f14c Mon Sep 17 00:00:00 2001
From: Yehuda Sadeh
Date: Thu, 27 Feb 2025 17:09:26 -0500
Subject: [PATCH] auth/cephx: switch default cipher to AES256KRB5
Signed-off-by: Yehuda Sadeh
(cherry picked from commit 2af51362afdd1da9f1195f3394716d09383a0c88)
---
 src/auth/cephx/CephxKeyServer.cc | 4 ++--
 src/ceph_osd.cc | 2 +-
 src/crimson/osd/main.cc | 2 +-
 src/mon/AuthMonitor.cc | 14 +++++++-------
 src/tools/ceph_authtool.cc | 2 +-
 5 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/src/auth/cephx/CephxKeyServer.cc b/src/auth/cephx/CephxKeyServer.cc
index d88504c0ae6..fab93ee554f 100644
--- a/src/auth/cephx/CephxKeyServer.cc
+++ b/src/auth/cephx/CephxKeyServer.cc
@@ -270,14 +270,14 @@ void KeyServer::generate_test_instances(std::list& ls)
 bool KeyServer::generate_secret(CryptoKey& secret) { bufferptr bp;
- auto crypto = cct->get_crypto_manager()->get_handler(CEPH_CRYPTO_AES);
+ auto crypto = cct->get_crypto_manager()->get_handler(CEPH_CRYPTO_AES256KRB5);
 if (!crypto) return false; if (crypto->create(cct->random(), bp) < 0) return false;
- secret.set_secret(CEPH_CRYPTO_AES, bp, ceph_clock_now());
+ secret.set_secret(CEPH_CRYPTO_AES256KRB5, bp, ceph_clock_now());
 return true; }
diff --git a/src/ceph_osd.cc b/src/ceph_osd.cc
index 52988843c83..16d34277b23 100644
--- a/src/ceph_osd.cc
+++ b/src/ceph_osd.cc
@@ -342,7 +342,7 @@ int main(int argc, const char **argv)
 keyring.get_auth(ename, eauth)) { derr << "already have key in keyring " << keyring_path << dendl; } else {
- eauth.key.create(g_ceph_context, CEPH_CRYPTO_AES);
+ eauth.key.create(g_ceph_context, CEPH_CRYPTO_AES256KRB5);
 keyring.add(ename, eauth); bufferlist bl; keyring.encode_plaintext(bl);
diff --git a/src/crimson/osd/main.cc b/src/crimson/osd/main.cc
index 2173aa4bb8c..52afcaa0f06 100644
--- a/src/crimson/osd/main.cc
+++ b/src/crimson/osd/main.cc
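Review bot: In `KeyServer::generate_secret` the new key type is applied unconditionally, with nothing checking that the peers this secret will be handed to support `CEPH_CRYPTO_AES256KRB5`; this function appears to be the source of the rotating service secrets, so in a mixed-version cluster mid-upgrade, or with clients that only implement the AES type (I believe the kernel client is among them, verify), those peers would be unable to use the resulting tickets. Consider reading the default from a config option instead of a compiled-in constant so an operator can hold the old type until every peer has been upgraded, and add a comment above the `get_handler` call such as `// Key type for newly generated secrets; every daemon and client that receives them must support it, so only change once all peers are upgraded.` The same hard-coded choice is repeated in every other hunk of this patch. `generate_secret` lies entirely within the hunk.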
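Review bot: The status returned by `eauth.key.create(g_ceph_context, CEPH_CRYPTO_AES256KRB5)` in `main` is still discarded, and with a newly introduced default the no-handler case (a build or crypto backend without AES256KRB5) is more plausible than it was for AES; the first hunk's `generate_secret` checks both `get_handler` and the handler's `create` for failure, so presumably `CryptoKey::create` reports it too. If it fails here, control falls straight through to `keyring.add(ename, eauth)` and `keyring.encode_plaintext(bl)`, which would write a keyring holding an empty key. Suggest `if (eauth.key.create(g_ceph_context, CEPH_CRYPTO_AES256KRB5) < 0) {` followed by `derr << "failed to generate key for " << ename << dendl;` and the same fatal-exit path `main` uses elsewhere, which is outside this hunk. The same unchecked call appears in the `src/crimson/osd/main.cc` hunk and in every `src/mon/AuthMonitor.cc` hunk (`_generate_bootstrap_keys`, the four `prepare_command` sites, `_update_or_create_entity`, `_upgrade_format_to_luminous`). `main` starts and ends outside the hunk.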
@@ -58,7 +58,7 @@ seastar::future<> make_keyring()
 return seastar::now(); } else { CephContext temp_cct{};
- auth.key.create(&temp_cct, CEPH_CRYPTO_AES);
+ auth.key.create(&temp_cct, CEPH_CRYPTO_AES256KRB5);
 keyring.add(name, auth); bufferlist bl; keyring.encode_plaintext(bl);
diff --git a/src/mon/AuthMonitor.cc b/src/mon/AuthMonitor.cc
index 0a60ab6d26d..bbf32a7c83f 100644
--- a/src/mon/AuthMonitor.cc
+++ b/src/mon/AuthMonitor.cc
@@ -261,7 +261,7 @@ void _generate_bootstrap_keys(
 EntityName name; name.from_str("client." + p.first); EntityAuth auth;
- auth.key.create(g_ceph_context, CEPH_CRYPTO_AES);
+ auth.key.create(g_ceph_context, CEPH_CRYPTO_AES256KRB5);
 auth.caps = p.second; auth_lst->push_back(make_pair(name, auth));
@@ -1513,7 +1513,7 @@ bool AuthMonitor::prepare_command(MonOpRequestRef op)
 if (!has_keyring) { dout(10) << "AuthMonitor::prepare_command generating random key for " << auth_inc.name << dendl;
- new_inc.key.create(g_ceph_context, CEPH_CRYPTO_AES);
+ new_inc.key.create(g_ceph_context, CEPH_CRYPTO_AES256KRB5);
 } new_inc.caps = encoded_caps;
@@ -1568,7 +1568,7 @@ bool AuthMonitor::prepare_command(MonOpRequestRef op)
 auth_inc.op = KeyServerData::AUTH_INC_ADD; auth_inc.name = entity; auth_inc.auth = entity_auth;
- auth_inc.auth.pending_key.create(g_ceph_context, CEPH_CRYPTO_AES);
+ auth_inc.auth.pending_key.create(g_ceph_context, CEPH_CRYPTO_AES256KRB5);
 push_cephx_inc(auth_inc); kr.add(entity, auth_inc.auth.key, auth_inc.auth.pending_key); push_cephx_inc(auth_inc);
@@ -1667,7 +1667,7 @@ bool AuthMonitor::prepare_command(MonOpRequestRef op)
 KeyServerData::Incremental auth_inc; auth_inc.op = KeyServerData::AUTH_INC_ADD; auth_inc.name = entity;
- auth_inc.auth.key.create(g_ceph_context, CEPH_CRYPTO_AES);
+ auth_inc.auth.key.create(g_ceph_context, CEPH_CRYPTO_AES256KRB5);
 auth_inc.auth.caps = wanted_caps; push_cephx_inc(auth_inc);
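Review bot: `CEPH_CRYPTO_AES256KRB5` is now spelled out at seven separate call sites in `AuthMonitor.cc` (`_generate_bootstrap_keys` here, the four `prepare_command` hunks, `_update_or_create_entity` and `_upgrade_format_to_luminous`), so the next default change, or a compatibility knob for mixed-version upgrades, has to touch all of them again and it is easy to miss one. Suggest a single named default near the top of the file (outside these hunks), e.g. `static constexpr int DEFAULT_KEY_TYPE = CEPH_CRYPTO_AES256KRB5;` with a comment recording why this type was chosen and what peers must support it, and `auth.key.create(g_ceph_context, DEFAULT_KEY_TYPE);` at each site; `int` matches the `int key_type` used in the `ceph_authtool.cc` hunk. Both `_generate_bootstrap_keys` and `prepare_command` extend outside their hunks.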
@@ -1840,7 +1840,7 @@ bool AuthMonitor::prepare_command(MonOpRequestRef op)
 goto done; }
- entity_auth.key.create(g_ceph_context, CEPH_CRYPTO_AES);
+ entity_auth.key.create(g_ceph_context, CEPH_CRYPTO_AES256KRB5);
 KeyServerData::Incremental auth_inc; auth_inc.op = KeyServerData::AUTH_INC_ADD;
@@ -2039,7 +2039,7 @@ int AuthMonitor::_update_or_create_entity(const EntityName& entity,
 auth_inc.op = KeyServerData::AUTH_INC_ADD; auth_inc.auth.caps = encoded_caps; if (create_entity) {
- auth_inc.auth.key.create(g_ceph_context, CEPH_CRYPTO_AES);
+ auth_inc.auth.key.create(g_ceph_context, CEPH_CRYPTO_AES256KRB5);
 } push_cephx_inc(auth_inc);
@@ -2221,7 +2221,7 @@ bool AuthMonitor::_upgrade_format_to_luminous()
 EntityName name = bootstrap_mgr_name; EntityAuth auth; encode("allow profile bootstrap-mgr", auth.caps["mon"]);
- auth.key.create(g_ceph_context, CEPH_CRYPTO_AES);
+ auth.key.create(g_ceph_context, CEPH_CRYPTO_AES256KRB5);
 add_entity(name, auth); changed = true; }
diff --git a/src/tools/ceph_authtool.cc b/src/tools/ceph_authtool.cc
index 9671ba33eb3..0a9f1868d7e 100644
--- a/src/tools/ceph_authtool.cc
+++ b/src/tools/ceph_authtool.cc
@@ -66,7 +66,7 @@ int main(int argc, const char **argv)
 map caps; std::string fn;
- int key_type = CEPH_CRYPTO_AES;
+ int key_type = CEPH_CRYPTO_AES256KRB5;
 if (args.empty()) { cerr << argv[0] << ": -h or --help for usage" << std::endl;
--
2.39.5
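Review bot: Changing the initial value of `key_type` in `main` silently changes what `ceph-authtool` produces for every user who generates a key without naming a type, yet the diffstat shows no change to the tool's usage text, man page or release notes, and a keyring generated by the new tool is unusable on a cluster whose daemons do not yet understand `CEPH_CRYPTO_AES256KRB5`. Add a comment on the new line such as `// Default type for generated keys; older clusters only accept CEPH_CRYPTO_AES, so this must be overridable.` and document the new default (and the option that overrides it, if `key_type` is settable from the command line, which is not visible in this hunk) in the usage text and man page. `main` continues well past the hunk.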