[OpenAFS] Re: [OpenAFS-announce] OpenAFS Security Advisory 2013-0003

Douglas E. Engert deengert@anl.gov
Wed, 24 Jul 2013 11:50:37 -0500

On 7/24/2013 11:10 AM, Benjamin Kaduk wrote:
> On Wed, 24 Jul 2013, Douglas E. Engert wrote:
>> Question: Once the 1.6.5 binaries are in place, and the servers
>> start using the rxkad.keytab, will the server still accept
>> existing DES based tokens that use keys and kvno that
>> are only in the KeyFile?
> Yes.  In fact, the code path for tokens using keys in the KeyFile (all single-DES keys, really) is nearly unchanged.  Only non-DES enctypes take the codepath with the new decrypter that knows about
> rxkad.keytab.

Your answer implies even if we have a single DES entry in the
rxkad.keytab we also have to have it in the KeyFile.
Is that correct?

I was expecting you to say for single DES, it would first look in the
rkkad.keytab and if the KVNO was not found look in the KeyFile.

> -Ben


  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444