Feature: libcrmcommon: Deprecate anonymous authentication.

clumens · clumens · commit 8073ebf20055 · 2026-03-04T12:51:19.000-05:00
This is an insecure authentication method where we an encrypted TLS
channel for communication, but there's no authentication on the channel
beyond that.  Well, that's not completely true - for remote CIB
operations, you do still need a username and password.  However, the
username is always the same so that's easy for people to figure out.

Instead, people should be using X509 certificates or PSK.  A future
release will remove support for anonymous authentication and require use
of one of those other mechanisms.

Fixes T961
diff --git a/lib/common/tls.c b/lib/common/tls.c
@@ -182,6 +182,10 @@ pcmk__init_tls(pcmk__tls_t **tls, bool server, bool have_psk)
     (*tls)->server = server;
 
     if ((*tls)->cred_type == GNUTLS_CRD_ANON) {
+        pcmk__warn("Using anonymous authentication.  This is insecure and will "
+                   "be removed in a future release.  Use PSK or X509 certificates "
+                   "instead.");
+
         if (server) {
             gnutls_anon_allocate_server_credentials(&(*tls)->credentials.anon_s);
             gnutls_anon_set_server_dh_params((*tls)->credentials.anon_s,
