[OpenAFS] OpenAFS and single DES

Booker Bense bbense@gmail.com
Fri, 5 Oct 2012 14:11:59 -0700

On Fri, Oct 5, 2012 at 11:23 AM, Benjamin Kaduk <kaduk@mit.edu> wrote:

> You can limit your exposure by having the afs/cell@realm principal be the
> only principal in the database with a single DES key.  The default_enctypes
> do not need to include single-DES, and you can safely make both user
> principals and krbtgt/realm have no weak keys, the weak crypto will only be
> used to obtain an afs service ticket (and the corresponding token).

Are you absolutely sure this is true? I have vague recollections that you
need single DES keys on the krbtgt key to get single DES tickets. But
it's late and I haven't had lunch yet so I may be misremembering.

> I would expect that completely removing single DES (with the exception of
> AFS) would require a year or more to transition fully, in a large
> deployment.

I'm puzzled here as well. Once you remove them offending service keys
from the KDC,
isn't the process more or less done? I know in hiemdal at least that
it's trivial to remove
just a specific enctype from a service principal w/o affecting the
rest of the keys.

- Booker C. Bense