[OpenAFS] Done the rekeying of my cell, but unpatched clients still works
Jose Manuel dos Santos Calhariz
jose.calhariz@netvisao.pt
Wed, 08 Jan 2014 18:11:08 +0000
I have a cell of OpenAFS and a kerberos5 realm for tests. I have done the
re-keying of afs/cellname@REALMNAME as explained in
http://openafs.org/pages/security/install-rxkad-k5-1.6.txt
http://openafs.org/pages/security/how-to-rekey.txt
But I have made some mistake somewhere, because when I test with
unpatched clients 1.4.x they still authenticate.
My setup is:
My server is a Debian wheezy running kerberos 1.10.1+dfsg-5+deb7u1
and openafs 1.6.5.2-1~bpo70+1
On the server ls -alF /etc/openafs/server:
-rw-r--r-- 1 root root 56 Jan 8 11:37 CellServDB
-rw-r--r-- 1 root root 50 Jan 3 19:48 CellServDB.old
-rw------- 1 root root 100 Jan 7 17:22 KeyFile.old
-rw------- 1 root root 314 Jan 7 19:06 rxkad.keytab
-rw-r--r-- 1 root root 15 Jan 6 19:46 ThisCell
-rw-r--r-- 1 root root 10 Jan 3 19:52 UserList
ktutil: rkt /etc/openafs/server/rxkad.keytab
ktutil: list -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 3 afs/cellname@REALMNAME (aes256-cts-hmac-sha1-96)
2 3 afs/cellname@REALMNAME (aes128-cts-hmac-sha1-96)
3 3 afs/cellname@REALMNAME (des3-cbc-sha1)
4 3 afs/cellname@REALMNAME (arcfour-hmac)
I have done "bos restart -all localhost" and "reboot" to the server.
The client is running a mix of software:
openafs-client 1.4.2-6etch3
openafs-krb5 1.4.2-6etch3
openafs-modules-2.6.18-6-686 1.4.7.dfsg1-6+lenny1+4
Jose Calhariz