From: franklahm
Date: Thu, 30 Apr 2009 10:48:37 +0000 (+0000)
Subject: Consistently set default UAMs to DHX,DHX2. From HAT. Merge from 2-0
X-Git-Tag: before-ipv6~184
X-Git-Url: https://arthur.barton.de/cgi-bin/gitweb.cgi?p=netatalk.git;a=commitdiff_plain;h=f483d27d5249bd052cb7e34f92fd3a94735c343c
Consistently set default UAMs to DHX,DHX2. From HAT. Merge from 2-0
---
diff --git a/config/afpd.conf.tmpl b/config/afpd.conf.tmpl
index 11c127c1..09177a11 100644
--- a/config/afpd.conf.tmpl
+++ b/config/afpd.conf.tmpl
@@ -57,7 +57,7 @@
 # -uampath Use this path to look for User Authentication Modules.
 # (default: :UAMS_PATH:)
 # -uamlist Comma-separated list of UAMs. (default:
-# uams_guest.so,uams_clrtxt.so,uams_dhx.so)
+# uams_dhx.so,uams_dhx2.so)
 #
 # some commonly available UAMs:
 # uams_guest.so: Allow guest logins
@@ -74,6 +74,10 @@
 # Allow Diffie-Hellman eXchange
 # (DHX) for authentication.
 #
+# uams_dhx2.so: (uams_dhx2_pam.so or uams_dhx2_passwd.so)
+# Allow Diffie-Hellman eXchange 2
+# (DHX2) for authentication.
+#
 # Password Options:
 # -[no]savepassword [Don't] Allow clients to save password locally
 # -passwdfile Use this path to store Randnum
@@ -221,4 +225,4 @@
 # "special" -notcp -defaultvol -systemvol
 #
 # default:
-# - -transall -uamlist uams_clrtxt.so,uams_dhx.so -nosavepassword
+# - -transall -uamlist uams_dhx.so,uams_dhx2.so -nosavepassword
diff --git a/config/netatalk.conf b/config/netatalk.conf
index 5c24d16e..458fe1a3 100644
--- a/config/netatalk.conf
+++ b/config/netatalk.conf
@@ -15,7 +15,7 @@ ATALK_UNIX_CHARSET='LOCALE'
 # specify the UAMs to enable
 # available options: uams_guest.so, uams_clrtxt.so, uams_randnum.so,
 # uams_dhx.so, uams_dhx2.so
-AFPD_UAMLIST="-U uams_guest.so,uams_dhx2.so"
+# AFPD_UAMLIST="-U uams_dhx.so,uams_dhx2.so"
 # Change this to set the id of the guest user
 AFPD_GUEST=nobody
diff --git a/config/netatalk.conf.cobalt b/config/netatalk.conf.cobalt
index cf5ab6ac..3be97d4e 100644
--- a/config/netatalk.conf.cobalt
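Review bot: The new uams_dhx2.so description omits what the module needs at build time, which matters now that it is half of the default -uamlist shown in this file's first hunk. doc/DEVELOPER in this same commit says DHX needs OpenSSL and DHX2 needs Libgcrypt, so an afpd built without one of those libraries will presumably end up with only the other half of the default; I'd add `# (built only when Libgcrypt is available; uams_dhx.so likewise needs OpenSSL)` under the DHX2 entry so an admin can tell why a default module is missing. A one-line note that uams_clrtxt.so was dropped from the default because, as its name says, it sends the password in the clear would also stop it being re-added casually.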
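Review bot: Commenting out AFPD_UAMLIST changes this file from an explicit UAM choice to whatever the afpd binary defaults to, and the comment above it still says `specify the UAMs to enable`, so a reader cannot tell that the unset case is intentional or what it yields. The compiled-in default is changed to the same list elsewhere in this commit, but the sibling netatalk.conf.cobalt keeps the variable active, so the two shipped configs now disagree. I'd either keep the line active as cobalt does, or add `# Unset: afpd falls back to its compiled-in default (uams_dhx.so,uams_dhx2.so).` and `# The old value enabled uams_guest.so; add it back explicitly if anonymous access is wanted.` above the commented line, since dropping guest is a behaviour change for existing installs.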
+++ b/config/netatalk.conf.cobalt
@@ -6,10 +6,11 @@ AFPD_MAX_CLIENTS=100
 #ATALK_ZONE=@zone
 ATALK_NAME=`hostname|sed 's/\..*$//'`
-# specify this if you don't want guest, clrtxt, and dhx
-# available options: uams_guest.so, uams_clrtxt.so, uams_dhx.so,
+# specify this if you don't want dhx and dhx2
+# available options: uams_guest.so, uams_clrtxt.so,
+# uams_dhx.so, uams_dhx2.so,
 # uams_randnum.so
-AFPD_UAMLIST="-U uams_clrtxt.so,uams_dhx.so"
+AFPD_UAMLIST="-U uams_dhx.so,uams_dhx2.so"
 # Change this to set the id of the guest user
 AFPD_GUEST=nobody
diff --git a/distrib/debian/logcheck/ignore.d.server b/distrib/debian/logcheck/ignore.d.server
index 3e3ce37e..bf7b562a 100644
--- a/distrib/debian/logcheck/ignore.d.server
+++ b/distrib/debian/logcheck/ignore.d.server
@@ -1,4 +1,4 @@
-afpd\[.*\]: ((dhx|cleartext) )?login: [[:alnum:]]+
+afpd\[.*\]: ((dhx|dhx2) )?login: [[:alnum:]]+
 afpd\[.*\]: (server_child\[[[:digit:]]+\] [[:digit:]]+ )?(done|exited 1)
 afpd\[.*\]: [\.[:alnum:]]+ read, [\.[:alnum:]]+ written
 afpd\[.*\]: .*: Broken pipe
@@ -18,6 +18,7 @@ afpd\[.*\]: logout [[:alnum:]]+
 afpd\[.*\]: registering [[:alnum:]]+ \(uid [[:digit:]]+\) on [\.[:digit:]]+ as /.+/net[\.[:digit:]]+node[[:digit:]]+
 afpd\[.*\]: session from [\.:[:digit:]]+ on [\.:[:digit:]]+
 afpd\[.*\]: uams_dhx_pam.c :PAM: PAM (Auth OK!|Success -- Success)
+afpd\[.*\]: uams_dhx2_pam.c :PAM: PAM (Auth OK!|Success -- Success)
 afpd\[.*\]: using codepage directory: /etc/netatalk/nls/maccode\.[\.[:alnum:]-]+
 atalkd\[.*\]: .*: Network is unreachable
 atalkd\[.*\]: zip gnireply from [\.[:digit:]]+ \(.* [[:digit:]]\)
diff --git a/distrib/initscripts/rc.atalk.debian.tmpl b/distrib/initscripts/rc.atalk.debian.tmpl
index 777ee3dd..e408819c 100644
--- a/distrib/initscripts/rc.atalk.debian.tmpl
+++ b/distrib/initscripts/rc.atalk.debian.tmpl
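Review bot: The rewritten line `# specify this if you don't want dhx and dhx2` describes the opposite of the assignment beneath it, which enables exactly uams_dhx.so and uams_dhx2.so; the old wording had the same problem, but the rewrite was the moment to fix it. I'd replace it with `# UAMs to enable (compiled-in default is dhx and dhx2). Add uams_guest.so for anonymous access;` and `# uams_clrtxt.so sends the password in the clear and is deliberately left out.` The cleartext claim comes from the module name and the FAQ wording in this commit, not from anything in this file, so adjust it if the module behaves differently.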
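Review bot: The new alternation assumes the DHX2 module reports a successful login as `dhx2 login: <user>`, and nothing in this diff shows that prefix, so if the module logs something else every DHX2 login will surface in logcheck reports as unmatched noise; worth confirming against the uams_dhx2 sources before this ships. Dropping `cleartext` is a sound consequence of clrtxt leaving the default UAM list, since a cleartext login on a host meant to have it disabled is something an admin should see, but it changes what existing installs that still enable uams_clrtxt.so get reported and deserves a mention in the commit message.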
@@ -4,7 +4,7 @@
 #
 # Author: Thomas Kaiser
 #
-# Version: $Id: rc.atalk.debian.tmpl,v 1.3 2009-03-31 14:08:35 franklahm Exp $
+# Version: $Id: rc.atalk.debian.tmpl,v 1.4 2009-04-30 10:48:38 franklahm Exp $
 set -e
diff --git a/doc/DEVELOPER b/doc/DEVELOPER
index 9e308de7..82d702d3 100644
--- a/doc/DEVELOPER
+++ b/doc/DEVELOPER
@@ -108,7 +108,7 @@ Program: (see the GNU mirrors) /gnu/automake/automake-1.5.tar.gz
 Optional
 ========
-5. OpenSSL
+5. OpenSSL and/or Libgcrypt
 The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS
@@ -118,6 +118,12 @@ This is required to enable DHX login support. Get everything at http://www.openssl.org/
+The Libgcrypt is a general purpose cryptographic library based on
+the code from GnuPG.
+This is required to enable DHX2 login support.
+
+Get everything at http://directory.fsf.org/project/libgcrypt/
+
 6. TCP Wrappers
 Wietse Venema's network logger, also known as TCPD or LOG_TCP. These programs log the client host name of incoming telnet, ftp, rsh,
diff --git a/doc/FAQ b/doc/FAQ
index 0c3d8065..3a396ee7 100644
--- a/doc/FAQ
+++ b/doc/FAQ
@@ -1,5 +1,5 @@
 Netatalk Frequently Asked Questions
-($Id: FAQ,v 1.12 2003-02-24 23:33:14 srittau Exp $)
+($Id: FAQ,v 1.13 2009-04-30 10:48:38 franklahm Exp $)
 -----------------------------------------------------------------------------
@@ -616,6 +616,20 @@ A: Most of the security for Netatalk must be derived from the http://www.openssl.org/
+ --with-libgcrypt-dir=[PATH]: specify path to Libgcrypt installation.
+
+ NOTE: This is dependent on the same directory layout as the
+ source distribution of Libgcrypt. That is: include/ and
+ lib/ to be on the same level.
+ This is required to enable DHX2 login support, which
+ will encrypt all of the passwords being sent across the
+ connection. (Some old Mac clients don't support this, check
+ this FAQ for the section on AppleShare clients.)
+ Check to see if your Unix has Libgcrypt already, or
+ get everything at:
+
+ http://directory.fsf.org/project/libgcrypt/
+
 Be aware that on the volumes that are shared, some of the special folders (.AppleDesktop, "Network Trash Folder") get assigned. A lot of these get created as world-writable (because that's
diff --git a/etc/afpd/afp_options.c b/etc/afpd/afp_options.c
index 0785df30..f173d016 100644
--- a/etc/afpd/afp_options.c
+++ b/etc/afpd/afp_options.c
@@ -1,5 +1,5 @@
 /*
- * $Id: afp_options.c,v 1.42 2009-04-01 12:40:41 franklahm Exp $
+ * $Id: afp_options.c,v 1.43 2009-04-30 10:48:38 franklahm Exp $
 *
 * Copyright (c) 1997 Adrian Sun (asun@zoology.washington.edu)
 * Copyright (c) 1990,1993 Regents of The University of Michigan.
@@ -164,7 +164,7 @@ void afp_options_init(struct afp_options *options)
 options->systemvol.name = _PATH_AFPDSYSVOL;
 options->configfile = _PATH_AFPDCONF;
 options->uampath = _PATH_AFPDUAMPATH;
- options->uamlist = "uams_clrtxt.so,uams_dhx.so";
+ options->uamlist = "uams_dhx.so,uams_dhx2.so";
 options->guest = "nobody";
 options->loginmesg = "";
 options->transports = AFPTRANS_ALL;
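Review bot: The new default `options->uamlist = "uams_dhx.so,uams_dhx2.so";` is unconditional, yet doc/DEVELOPER in this same commit says uams_dhx.so needs OpenSSL and uams_dhx2.so needs Libgcrypt, so a build configured without one of them now defaults to a module it never built; I can't see from this hunk whether the UAM loader treats a missing module as fatal or skips it, so the result could be anything from a stray log line to no usable login method. If configure exports feature macros for those libraries I'd assemble the default from them, and at minimum document the coupling at the assignment: `/* default UAMs: dhx needs OpenSSL, dhx2 needs Libgcrypt (see doc/DEVELOPER) */`. Removing uams_clrtxt.so from the default is the right call; it can still be re-enabled through -uamlist, so the afpd.conf template is the place to warn about that. afp_options_init begins outside this hunk.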