From a6651bad8f1ff40ad6230f9b98dac9a633483a78 Mon Sep 17 00:00:00 2001 From: Ilya Dryomov Date: Wed, 24 Mar 2021 16:23:44 +0100 Subject: [PATCH] auth: require CEPHX_V2 by default It's been almost three years and support is present in all relevant clients. From the security perspective, roughly the same could be achieved with "ceph osd set-require-min-compat-client nautilus", but this is more user friendly as the client gets ENOTSUP instead of spinning on "feature set mismatch" faults. Signed-off-by: Ilya Dryomov (cherry picked from commit e5744672dbde2a897f5f4959339472b7b10c5688) --- PendingReleaseNotes | 9 +++++++++ src/common/options.cc | 6 +++--- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/PendingReleaseNotes b/PendingReleaseNotes index 7250cabda32e4..1963b699d743e 100644 --- a/PendingReleaseNotes +++ b/PendingReleaseNotes @@ -113,6 +113,15 @@ and scrubs). Other built-in profiles include "high_recovery_ops" and "balanced". These built-in profiles optimize the QoS provided to clients of mclock scheduler. +* Version 2 of the cephx authentication protocol (``CEPHX_V2`` feature bit) is + now required by default. It was introduced in 2018, adding replay attack + protection for authorizers and making msgr v1 message signatures stronger + (CVE-2018-1128 and CVE-2018-1129). Support is present in Jewel 10.2.11, + Luminous 12.2.6, Mimic 13.2.1, Nautilus 14.2.0 and later; upstream kernels + 4.9.150, 4.14.86, 4.19 and later; various distribution kernels, in particular + CentOS 7.6 and later. To enable older clients, set ``cephx_require_version`` + and ``cephx_service_require_version`` config options to 1. + >=15.0.0 -------- diff --git a/src/common/options.cc b/src/common/options.cc index a79fbcfeafe81..2c1490a03449c 100644 --- a/src/common/options.cc +++ b/src/common/options.cc @@ -2337,7 +2337,7 @@ std::vector