[OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document

Harald Barth haba@kth.se
Wed, 31 Jul 2013 07:28:50 +0200 (CEST)

> This is an incorrect description.

That might very well be, but I thought it was better than nothing
because others who are in trouble might want to know that they are not
alone ;-/

> The explicit problem occurs when the
> following combination is true:
>  1. user has one or more strong enctype keys with non-default
>     password salts
>  2. the only keys with default password salts are weak enctypes

I don't know how the user would have ended up with that combination
and I don't know how the enctype list looked before the user was told
to change password.

>  3. preauth is required

As 1.5.x seems to have the bug that you can't turn it off, yes of

> In this combination, the strong enctype with the non-default password
> salt will not be recommended to the client in the pa-etype-info or
> pa-etype-info2 data sent with the preauth required error reply.

And what would happen if there is no strong enctype at all?

> Since no pa-etype hint was provided the client chooses its preferred
> enctype which is aes256.

> A correction has been prepared and will be submitted after testing.