[OpenAFS] Questions about AFS security

Derrick J Brashear shadow@dementia.org
Sun, 20 Jan 2002 21:20:43 -0500 (EST)


On 20 Jan 2002, Patrick J. LoPresti wrote:

> Derek Atkins <warlord@MIT.EDU> writes:
> 
> > Pat, using krb524 does not open you up to the offline password
> > guessing attacks because krb524d is just another v5 service.  You
> > need to supply a valid v5 ticket before it will give you a v4
> > ticket.
> 
> Ah, OK, that makes sense.  I was under the (mistaken) impression that
> krb524 was how v4 clients authenticated against a v5 server.  So now I
> take it that such clients talk to the KDC directly using some
> backwards-compatibility mode, and that I can disable that on the KDC
> if we have no v4 clients?

Correct.