Previous versions of svcgssd did not require the "-k" option when
running in Kerberos mode (the only mode available). If none of
the -k, -s, or -z options are given for enabling security flavours
then assume "-k" for compatibility reasons.
This will generate a warning until 3.1 is released, at which point
it will turn into an error.
Make the use of -s an error if SSK is not available.
Test-Parameters: trivial testlist=sanity-sec
Signed-off-by: Andreas Dilger <andreas.dilger@intel.com>
Change-Id: I9b7389bbca56d6717f02b21f57da52adc4602971
Reviewed-on: https://review.whamcloud.com/23925
Tested-by: Jenkins
Tested-by: Maloo <hpdd-maloo@intel.com>
Reviewed-by: Andrew Perepechko <andrew.perepechko@seagate.com>
Reviewed-by: Sebastien Buisson <sbuisson@ddn.com>
Reviewed-by: Jeremy Filizetti <jeremy.filizetti@gmail.com>
Reviewed-by: John L. Hammond <john.hammond@intel.com>
Reviewed-by: Oleg Drokin <oleg.drokin@intel.com>
#include "gss_util.h"
#include "err_util.h"
#include "lsupport.h"
#include "gss_util.h"
#include "err_util.h"
#include "lsupport.h"
int null_enabled;
int krb_enabled;
int null_enabled;
int krb_enabled;
fprintf(stderr, "-g - Service MGS\n");
fprintf(stderr, "-k - Enable kerberos support\n");
#ifdef HAVE_OPENSSL_SSK
fprintf(stderr, "-g - Service MGS\n");
fprintf(stderr, "-k - Enable kerberos support\n");
#ifdef HAVE_OPENSSL_SSK
- fprintf(stderr, "-s - Enable shared key support\n");
+ fprintf(stderr, "-s - Enable shared secret key support\n");
#endif
fprintf(stderr, "-z - Enable gssnull support\n");
#endif
fprintf(stderr, "-z - Enable gssnull support\n");
#ifdef HAVE_OPENSSL_SSK
sk_enabled = 1;
#else
#ifdef HAVE_OPENSSL_SSK
sk_enabled = 1;
#else
- printerr(0, "ERROR: Request for sk but service "
- "support not enabled\n");
+ fprintf(stderr, "error: request for SSK but service "
+ "support not enabled\n");
+ usage(stderr, argv[0]);
+ if (!sk_enabled && !krb_enabled && !null_enabled) {
+#if LUSTRE_VERSION_CODE < OBD_OCD_VERSION(3, 0, 53, 0)
+ fprintf(stderr, "warning: no -k, -s, or -z option given, "
+ "assume -k for backward compatibility\n");
+ krb_enabled = 1;
+#else
+ fprintf(stderr, "error: need one of -k, -s, or -z options\n");
+ usage(stderr, argv[0]);
+
+#endif
+ }
initerr(progname, verbosity, fg);
/* For kerberos use gss mechanisms but ignore for sk and null */
initerr(progname, verbosity, fg);
/* For kerberos use gss mechanisms but ignore for sk and null */
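Review bot: Both new error paths, the `-s` case built without HAVE_OPENSSL_SSK and the `#else` arm of the `!sk_enabled && !krb_enabled && !null_enabled` check, end in `usage(stderr, argv[0]);` with nothing after it, so they are fatal only if usage() never returns; its body is not visible here. If it can return, the daemon would continue with no security flavour enabled, so an explicit `exit(1);` after each call, or at least a comment such as `/* usage() does not return */`, would make the fail-closed behaviour obvious. Separately, the backward-compatibility warning is written with `fprintf(stderr, ...)` before `initerr(progname, verbosity, fg)` runs, so when the daemon is not started from a terminal the notice that `-k` was assumed may never reach the log an operator reads; this depends on how stderr is handled at startup and is worth confirming. The enclosing function starts and ends outside the lines shown.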