[OpenAFS] More questions about the re-keying document

stephen@physics.unc.edu stephen@physics.unc.edu
Fri, 26 Jul 2013 10:14:59 -0400 (EDT)

On Thu, 25 Jul 2013, Benjamin Kaduk wrote:

> Some versions of Heimdal have a KDC bug wherein the ticket enctype is always 
> the same as the session key enctype; in these cases the DES key is needed in 
> the rxkad.keytab (and the KeyFile).

Forgive me if I'm missing an obvious answer, but in this situation, is the 
cell still vulnerable to the DES attack we're attempting to remediate?

> In all other cases, you should not have 
> the DES key in the rxkad.keytab or KeyFile.  You can check whether your 
> Heimdal KDC has this bug by using a DES-only client (with 
> default_tgs_enctypes in krb5.conf, if needed) to request a service ticket 
> (say, with kgetcred) for a service that has a non-DES key in the KDB.  If 
> 'klist -v' shows the Ticket etype as being des (as well as the session etype), 
> then the KDC is buggy.
> -Ben
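Added example, not part of the original post: a POSIX shell helper that applies Ben's 'klist -v' check to a listing piped on stdin and reports whether the Ticket etype is single DES. The field labels, the sample listings and the afs/example.org service name are constructed assumptions modelled on Heimdal's klist -v output, so adjust the patterns if your version prints them differently.

```shell
#!/bin/sh
# Added example (not from the original post). On a live system, with a
# krb5.conf that limits default_tgs_enctypes to DES (assumption), run:
#   kgetcred afs/example.org@EXAMPLE.ORG && klist -v | check_ticket_etype
# Exit 0 = Ticket etype is single DES (KDC looks buggy), 1 = not DES.

# check_ticket_etype: read klist -v output on stdin, print the ticket and
# session etypes, return 0 only when the Ticket etype is a des-* type.
check_ticket_etype() {
    awk '
        /^[ \t]*Ticket etype:/ {
            sub(/^[ \t]*Ticket etype:[ \t]*/, ""); sub(/,.*/, ""); ticket = $0
        }
        /^[ \t]*Session key:/ {
            sub(/^[ \t]*Session key:[ \t]*/, ""); sub(/,.*/, ""); session = $0
        }
        END {
            printf "ticket=%s session=%s\n", ticket, session
            # des-cbc-crc / des-cbc-md5 match; des3-* deliberately does not
            if (ticket ~ /^des-/) exit 0
            exit 1
        }
    '
}

# Constructed sample listings (labels assumed to follow Heimdal klist -v).
# Buggy KDC: service has an AES key, yet the ticket was issued in DES.
SAMPLE_BUGGY='Server: afs/example.org@EXAMPLE.ORG
Client: user@EXAMPLE.ORG
Ticket etype: des-cbc-crc, kvno 3
Session key: des-cbc-crc'

# Correct KDC: only the session key follows the DES-only client.
SAMPLE_OK='Server: afs/example.org@EXAMPLE.ORG
Client: user@EXAMPLE.ORG
Ticket etype: aes256-cts-hmac-sha1-96, kvno 3
Session key: des-cbc-crc'

# Stand-alone demo over the constructed buggy listing.
if printf '%s\n' "$SAMPLE_BUGGY" | check_ticket_etype; then
    echo "KDC looks buggy: DES ticket etype for a non-DES service"
else
    echo "KDC not affected: ticket etype follows the service key"
fi
```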