[OpenAFS] Questions about AFS security
Derrick J Brashear
shadow@dementia.org
Sun, 20 Jan 2002 21:20:43 -0500 (EST)
On 20 Jan 2002, Patrick J. LoPresti wrote:
> Derek Atkins <warlord@MIT.EDU> writes:
>
> > Pat, using krb524 does not open you up to the offline password
> guessing attacks because krb524d is just another v5 service. You
> > need to supply a valid v5 ticket before it will give you a v4
> > ticket.
>
> Ah, OK, that makes sense. I was under the (mistaken) impression that
> krb524 was how v4 clients authenticated against a v5 server. So now I
> take it that such clients talk to the KDC directly using some
> backwards-compatibility mode, and that I can disable that on the KDC
> if we have no v4 clients?
Correct.