[OpenAFS-devel] Suggestions to avoid troubling using Kerberos 5 with OpenAFS
Sam Hartman
hartmans@mekinok.com
13 Nov 2001 13:29:07 -0500
>>>>> "Ken" == Ken Hornstein <kenh@cmf.nrl.navy.mil> writes:
>> Solution 2: Aklog and friends should be instrumented to request
>> specifically a DES-CBC-CRC32 key. If one cannot be had from
>> the TGS -- it should whine with an appropriate error message.
Ken> When aklog was v5-ized way back when:
Ken> a) V5 only supported single-DES
Ken> b) There wasn't (from my reading of it) an API that allowed you to
Ken> select a specific encryption type.
Ken> I'd have to lean toward solution 1, actually ... because
Ken> generally you shouldn't create a particular encryption key
Ken> for a service unless that service supports it, and I'd hate
Ken> to cripple aklog now and select a weaker encryption type
Ken> later on when AFS supports native V5 (although I'm not sure
Ken> aklog will still be relevant when AFS has native V5 support,
Ken> or if the API will be the same ... Jeff?)
While I agree that you should only create the afs service with a
single-des enctype, I think you should also fix aklog to only request
single-des enctypes. Converting a non-single-des session-keyed ticket
to krb4 will never produce useful results. So, as long as aklog uses
krb524, it will never be appropriate to grab 3des or rc4 or aes
tickets.
I don't think we are likely to find useful ways to change aklog to not
call krb524 without modifying the code, so this seems a reasonable
source change to make.