From e5744672dbde2a897f5f4959339472b7b10c5688 Mon Sep 17 00:00:00 2001 From: Ilya Dryomov Date: Wed, 24 Mar 2021 16:23:44 +0100 Subject: [PATCH] auth: require CEPHX_V2 by default It's been almost three years and support is present in all relevant clients. From the security perspective, roughly the same could be achieved with "ceph osd set-require-min-compat-client nautilus", but this is more user friendly as the client gets ENOTSUP instead of spinning on "feature set mismatch" faults. Signed-off-by: Ilya Dryomov --- PendingReleaseNotes | 9 +++++++++ src/common/options.cc | 6 +++--- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/PendingReleaseNotes b/PendingReleaseNotes index f368efa742e..cd4c12bbe73 100644 --- a/PendingReleaseNotes +++ b/PendingReleaseNotes @@ -105,6 +105,15 @@ * Scubs are more aggressive in trying to find more simultaneous possible PGs within osd_max_scrubs limitation. It is possible that increasing osd_scrub_sleep may be necessary to maintain client responsiveness. +* Version 2 of the cephx authentication protocol (``CEPHX_V2`` feature bit) is + now required by default. It was introduced in 2018, adding replay attack + protection for authorizers and making msgr v1 message signatures stronger + (CVE-2018-1128 and CVE-2018-1129). Support is present in Jewel 10.2.11, + Luminous 12.2.6, Mimic 13.2.1, Nautilus 14.2.0 and later; upstream kernels + 4.9.150, 4.14.86, 4.19 and later; various distribution kernels, in particular + CentOS 7.6 and later. To enable older clients, set ``cephx_require_version`` + and ``cephx_service_require_version`` config options to 1. + >=15.0.0 -------- diff --git a/src/common/options.cc b/src/common/options.cc index 8003b4bdcb6..b9215b20de5 100644 --- a/src/common/options.cc +++ b/src/common/options.cc @@ -2333,7 +2333,7 @@ std::vector
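Review bot: the PendingReleaseNotes hunk tells operators how to let pre-CEPHX_V2 clients back in (set cephx_require_version and cephx_service_require_version to 1) but never says how a locked-out client actually fails, so an operator hitting the new default has nothing in the release note to match against; the commit message states that such a client now gets ENOTSUP instead of spinning on "feature set mismatch" faults, and that symptom belongs in the note itself. Suggest adding a sentence after the kernel list along the lines of "Clients that lack the CEPHX_V2 feature will fail to authenticate with ENOTSUP." It would also help to spell out that the two options govern different directions (client-side requirement vs. what the daemons require of connecting clients) so that operators do not set only one and wonder why old clients are still rejected.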
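Review bot: the src/common/options.cc hunk (@@ -2333,7 +2333,7 @@) is cut off here, but the diffstat records 3 insertions and 3 deletions in that file while the release note names only two options, cephx_require_version and cephx_service_require_version; if a third default is being bumped in the same hunk (the cluster-side cephx option would be the obvious candidate), the release note should list it as well, since an operator who follows the note as written would leave that third requirement at its new value and could still be unable to talk to older daemons. If the third changed line is not a default, a one-line mention of what it is in the commit message would save reviewers the guess.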