[OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document

Harald Barth haba@kth.se
Tue, 30 Jul 2013 12:57:04 +0200 (CEST)

> Secure Endpoints has pushed fixes to https://github.com/heimdal/heimdal
> for both the 'master' (aka pre-1.6) and 'heimdal-1-5-branch' branches.

Warning: Real-life results show that the code path for preauth always
seems to go through the strongest enctype configured (for example
aes256), even if the users principal does not have a key of that
enctype. So these users (*) will not be able to obtain tickets any
more (at least not without password change to get those new keys).

A more detailed report will probably follow from the testers.


(*) for example users with enctypes up to aes128 who have not changed
their password since the newest enctype aes256 has been available.