[OpenAFS-devel] Suggestions to avoid troubling using Kerberos 5 with OpenAFS

Ken Hornstein kenh@cmf.nrl.navy.mil
Mon, 12 Nov 2001 01:10:14 -0500


>Solution 2: Aklog and friends should be instrumented to request
>specifically a DES-CBC-CRC32 key. If one cannot be
>had from the TGS -- it should whine with an
>appropriate error message.

When aklog was v5-ized way back when:

a) V5 only supported single-DES
b) There wasn't (from my reading of it) an API that allowed you to select
   a specific encryption type.

I'd have to lean toward solution 1, actually ... because generally
you shouldn't create a particular encryption key for a service
unless that service supports it, and I'd hate to cripple aklog now
and select a weaker encryption type later on when AFS supports
native V5 (although I'm not sure aklog will still be relevant when
AFS has native V5 support, or if the API will be the same ... Jeff?)

One of these days I'm going to update the damn V5 migration kit, honest :-)

--Ken