[OpenAFS] permission issue when trying to switch kerberos realms.

Harald Barth haba@kth.se
Wed, 17 Jan 2018 11:18:44 +0100 (CET)


I wrote 

>>I actually don't know how high a kvno can be but up to 32767 (2^15-1)
>>"feels" safe.

That was probably WRONG as Sergio pointed out to me.

Sergio wrote:
> It doesn't feel all that safe to me. True, RFC 4120 specifies the kvno as
> UInt32, but https://k5wiki.kerberos.org/wiki/Projects/Larger_key_versions
> makes interesting reading. Version 1.14 isn't all that old; Debian 8 only
> has version 1.12.
> 
> Maybe if one requires rxkad-k5 it's OK to have kvno>255, but back in
> Kerberos 4 days it definitely wasn't. The OpenAFS code base still contains
> things like
>     if (kvno > 255)
>         return KAANSWERTOOLONG;
> (in src/kauth/krb_udp.c) and
> @t(kvno)@\is a @b(one byte) key identifier associated with the key.  It
> will be included in any ticket created by the AuthServer encrypted with
> this key.
> (in src/kauth/AuthServer.mss).

One byte. Ouch.

So until rxkad-k5 (around the corner - just kidding) we are probably
stuck with that. So if you want to divide your KVNO space into two
parts, around 100 for each is what you get :-(

Harald.
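The one-byte kvno limit discussed in this message, as an added illustration that is not part of the thread or of the OpenAFS code base. The rejection of kvno > 255 mirrors the quoted check in src/kauth/krb_udp.c; the "wrapped" helper is a hypothetical model of what a silent 8-bit truncation would do (the quoted code rejects rather than truncates), used here to show why two realms' kvnos must not alias each other; the range-splitting helper is one way to carve a 1..255 space into disjoint per-realm ranges, as suggested above.

```python
import struct

KVNO_MAX_KAUTH = 255            # one-byte key identifier (Kerberos 4 / kauth era)
KVNO_MAX_RFC4120 = 2 ** 32 - 1  # UInt32 kvno per RFC 4120


def encode_kvno_one_byte(kvno: int) -> bytes:
    """Encode a kvno into a one-byte field, rejecting values that do not fit,
    in the spirit of the 'if (kvno > 255)' check quoted from krb_udp.c."""
    if not 0 <= kvno <= KVNO_MAX_KAUTH:
        raise ValueError(f"kvno {kvno} does not fit in a one-byte key identifier")
    return struct.pack(">B", kvno)


def wrapped_kvno(kvno: int) -> int:
    """Hypothetical: the alias a kvno would take if some consumer silently
    truncated it to 8 bits instead of rejecting it (kvno 300 -> 44)."""
    return kvno & 0xFF


def kvno_collisions(kvnos):
    """Return 8-bit aliases shared by two or more of the given kvnos, i.e. the
    pairs of keys a one-byte consumer could no longer tell apart."""
    by_alias = {}
    for k in kvnos:
        by_alias.setdefault(wrapped_kvno(k), []).append(k)
    return {alias: ks for alias, ks in by_alias.items() if len(ks) > 1}


def split_kvno_space(n_realms: int, max_kvno: int = KVNO_MAX_KAUTH, first: int = 1):
    """Partition kvnos first..max_kvno into contiguous, disjoint ranges, one per
    realm, so keys issued by different realms never share a kvno."""
    if n_realms < 1 or max_kvno < first:
        raise ValueError("need at least one realm and a non-empty kvno range")
    total = max_kvno - first + 1
    size = total // n_realms
    ranges = []
    for i in range(n_realms):
        lo = first + i * size
        hi = lo + size - 1 if i < n_realms - 1 else max_kvno
        ranges.append((lo, hi))
    return ranges


if __name__ == "__main__":
    # Constructed sample: an old-realm key at kvno 44 and a new-realm key at 300.
    print(kvno_collisions([44, 300, 7]))   # {44: [44, 300]}
    print(split_kvno_space(2))             # [(1, 127), (128, 255)]
```

With two realms the split gives 127 kvnos each; the collision check is what you would run over the kvnos of every key in the KeyFile/rxkad.keytab before switching realms, since a value above 255 cannot even be encoded for kauth-era consumers and, if anything downstream truncated it, would masquerade as a lower kvno.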