[OpenAFS] Heimdal KDC bug mentioned in rekeying document

Russ Allbery rra@stanford.edu
Fri, 26 Jul 2013 13:39:22 -0700

Derrick Brashear <shadow@gmail.com> writes:
> Sergio Gelato <Sergio.Gelato@astro.su.se>wrote:

>> I'm compiling my next (and hopefully final) iteration right now.
>> I went for this variant:
>>         if (clientbest != (krb5_enctype)ETYPE_NULL &&
>>             enctype == (krb5_enctype)ETYPE_NULL) {
>>             enctype = clientbest;
>>             if (ret_key == NULL)
>>                 ret = 0;
>>         }

> This plus
> [kdc]svc-use-strongest-session-key=true

> Works.

svc-use-strongest-session-key looks like it still tries to find something
in the common subset of supported keys between the client and server, and
legacy aklog sends only des-cbc-crc as its supported keys.  So how could
this work?  Isn't there still no common subset with a principal that has
no DES keys?

And, in 1.5.2, since the server key is forced to the service key (per
later discussion), if there *is* a DES key for the afs/* principal,
doesn't that result in using a DES long-term key, thus making the update
mostly pointless?

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>