On Wed, Mar 21, 2007 at 08:52:29AM -0400, Greg Troxel wrote:
> My understanding is that now rpc2 has the AES-bsed crypto, but still
> has the xor code.  I'd hope it defaults to aes, but presumably this is
> subject to a MITM degrading back to xor.  Is there an easy way to
> compile the server and remove the xor code so one can have confidence
> that only AES is accepted?  I realize this will break xor-only
> clients, but that's a feature.

On your server set the environment variable 'RPC2SEC_ONLY=1'.

> I'd also like to disable all non-authenticated filesystem operations.

Not sure if that is possible right now, it might have some unintended
side-effects if all forms of non-authenticated access was really
disabled, but you can at least remove the System:AnyUser acls which
pretty much should block out any unauthenticated access to your files.

The other part is that the callback connection (although encrypted) is
not authenticated and therefore the encryption key is predictable.

I have a change in CVS where the client makes sure that updated files
are never fetched over the callback connection. As a result all file
data will always move between the client and server over the
authenticated client->server connections. Still tweaking the performance
of the trickle-reintegration path a bit, since it was quite a bit slower.

With this change the only thing sent over the callback connection is,
callbacks. We have some ideas on how to make those optional as well but
that will weaken consistency a bit further.

Jan