[OpenAFS] afs krb5 migration

Forrest D. Whitcher fw@fwsystems.com
Mon, 23 Apr 2001 12:34:07 -0400 

Ken, et al.

Yes, I think I understood what you say.


Ken Hornstein wrote:
> 
> >I suppose there is a bug in the ktadd command that prevent it from
> >obeying the kdc.conf configurations so that no afs-aware keys are
> >generated.
> 
> Whoah, hold on a second here.
> 
> The "key salt" perhaps the most misunderstood thing in Kerberos.  It
> is ONLY used for converting a user's plaintext password into an encryption
> key.  Saying it's an "afs-aware" key is a COMPLETE misnomer.  ktadd
> doesn't generate those other salted keys, because they're completely
> meaningless - there's no plaintext password that corresponds to the
> encryption key that ktadd generates (well, there MAY be one, but we
> don't know what it is :-) ).  

ktadd -k creates a random (and hopefully not weak) plaintext key and
k5 docs say the [3]des routines check for weak resultant des keys and 
use XOR's etc to 'un-weaken' them if required.

>I suspect the larger problem is that the 3DES
> key was confusing things in there (but I'm not sure exactly where things
> were breaking).

Simply going by the empirical data :-)

It broke when not using kadmin - ktadd with '-e des-cbc-crc:afs3'. It might 
have also worked if I had specified '-e des-cbc-crc' and it's not hard to see
that the default kadmin - ktadd behavior, yes, wrote a 3des key which 
I don't think the afs routines that read the KeyFile know handle. 

I have no idea if kadmin-ktadd was also by default writing the other
keys, or what 'asetkey' would do with the krb5.keytab key(s) for the
afs principal, whatever it was, it didn't work. (Several other things
changed between the K5 release 1.x for which Ken wrote the migration
kit, this *could* be another?)

The only thing that doesn't seem to be working as-documented is the
documented ability of the '-e' ktadd option to write multiple keys.
It says when you spec -e you can create / write specific non-default 
keytypes. It also says that you can create / write multiple keytypes.
I was not able to get multiples to work, tried all interpretations of
the syntax I could think of.

It doesn't matter in this case, I only needed a k4 (perhaps afs-salted)
key, ktadd -k -e ... did that. I'm interested to know what else it is 
supposed to be able to do, but not for any operational problem.

As the afs principal's key is FIPS-des, I guess I will create a crontab
job to create and transfer new afs principal keys on a regular basis. 
Is this standard practice?

forrest

> 
> --Ken

-- 
Forrest Whitcher    Principal      FW Systems 
617.254.3506                       fw@fwsystems.com                 
fw@world.std.com                   6174803245@mobile.att.net
Information systems consulting     http://www.fwsystems.com