[OpenAFS] Heimdal KDC bug mentioned in rekeying document

Jeffrey Hutzelman jhutz@cmu.edu
Thu, 25 Jul 2013 13:07:46 -0400

On Thu, 2013-07-25 at 09:11 -0400, stephen@physics.unc.edu wrote:
> Hi,
> In the cell rekeying instructions found at 
> <http://openafs.org/pages/security/how-to-rekey.txt>, there is a note for 
> sites using Heimdal KDCs. It mentions a bug present in "certain versions" 
> of the Heimdal KDC software which completely disables DES on the AFS 
> service principal when following the document's instructions.
> Is more information available about specific versions of the Heimdal KDC 
> software which exhibits this bug? The document mentions experimentally 
> verifying ticket acquisition, which seems wise. But also knowing the KDC 
> versions which have the bug would be beneficial.
> Anyone have this info? Should I post to a heimdal list instead?

The bug in question essentially means that issued service tickets will
always have the same service and session key enctypes, so you must
choose between sticking with DES and breaking all existing
token-acquiring clients which do not have the new rxkad-kdf code
introduced in OpenAFS 1.6.5 and 1.4.15.  If I correctly remember my trip
through the git repositories on Tuesday evening, the problem was most
recently fixed prior to Heimdal 1.5.0, so if you are running that
version you should not have a problem.

To test, first perform the upgrade as described, but be careful that the
new key set includes DES keys.  A Heimdal KDC will not issue tickets
with DES session keys if the service does not have a DES key in the
Kerberos database.  Once you've installed the rxkey.keytab files on all
of your servers and made the new keys available in the Kerberos
database, get fresh tickets and run aklog to get AFS tokens.  Then run
'klist -v' and look at the entry for your AFS tickets.  If you have an
entry like the one below, showing both a non-des "Ticket etype" and a
DES "Session key", then everything is working.  If it shows only a DES
"Ticket etype" and no separate "Session key" line, then your KDC has the

Example klist -v output (partial):
> Server: afs@CS.CMU.EDU
> Client: jhutz@CS.CMU.EDU
> Ticket etype: des3-cbc-sha1, kvno 2
> Session key: des-cbc-crc
> Ticket length: 237
> Auth time:  Jul 25 11:55:20 2013
> Start time: Jul 25 11:55:21 2013
> End time:   Jul 26 13:21:41 2013
> Ticket flags: transited-policy-checked, pre-authent, proxiable, forwardable
> Addresses: addressless

I'm afraid I can't say which all versions are affected.  Searching
through the tree I was able to find the bug fixed at least twice, once
in 1997 and once in 2011.  It was first reintroduced sometime in 1998 or
1999, but the comments on the 2011 commit lead me to believe that in the
interim, it was at one point fixed and then reintroduced again.  So,
there are likely at least three ranges of heimdal versions which contain
this bug, the most recent of which ends prior to version 1.5.0.

-- Jeff