[OpenAFS] Afs and arcfour

David Botsch dwb7@ccmr.cornell.edu
Thu, 24 Jun 2004 16:30:34 -0400


Kerb5 would be a good thing. There seems to be a reason that we don't 
want to install KfW on windows (perhaps some sort of conflict with the 
Cornell Kerberos received through Bear Access). I'll have to find out 
what that was and if it is still a valid reason.

At the moment, principals corresponding to users who have changed their 
passwords will have both (and if we can get Windows authing against the 
MIT kerberos server going, they will have a 3rd, one of the des-cbc-md5 
or the arcfour):
Triple DES cbc mode with HMAC/sha1, no salt
DES cbc mode with CRC-32, AFS version 3

The AFS principal itself has:
DES cbc mode with CRC-32, no salt

So, sounds like I might need to change that (but do I really?) and then 
generate a new KeyFile entry using the krb5 migration kit?

Yes, MIT Kerb5 is supposed to support rc4-hmac, but with the following 
in my kdc.conf:

[realms]
  CCMR.CORNELL.EDU = {
   key_stash_file = /var/kerberos/krb5kdc/.k5.CCMR.CORNELL.EDU
   master_key_type = des-cbc-crc
   supported_enctypes = des3-cbc-sha1:normal,des-cbc-crc:afs3,des-cbc-md5:normal,arcfour-hmac-md5:normal
  }

Now, let's change the password for a user:

kadmin.local:  cpw bozo
Enter password for principal "bozo":
Re-enter password for principal "bozo":
Password for "bozo@CCMR.CORNELL.EDU" changed.

Ok, does he have all the encryption types specified above? No. Arcfour 
is missing.

kadmin.local:  getprinc bozo
Principal: bozo@CCMR.CORNELL.EDU
Expiration date: [never]
Last password change: Thu Jun 24 16:24:58 EDT 2004
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Thu Jun 24 16:24:58 EDT 2004 (bozo/admin@CCMR.CORNELL.EDU)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 3
Key: vno 10, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 10, DES cbc mode with CRC-32, AFS version 3
Key: vno 10, DES cbc mode with RSA-MD5, no salt

Hopefully, I'm missing something obvious, here?

On 2004.06.24 16:13 Jeffrey Altman wrote:
> David Botsch wrote:
> 
>> Ack... saw this after writing my previous message...
>> 
>> so, it is beginning to sound like there are two ways to make Windows 
>> authing against the kdc coexist happily with krb4 clients:
>> 1. install mit kfw so that kerb5 is used by windows afs client
> 
> 
> wouldn't using Kerberos 5 be the way you would want to go?
> getting rid of Kerberos 4 is a good thing; and if your KDC supports 
> Kerberos 5 why wouldn't you use it?
> 
>> 2. use the hmac/arcfour enctype (was my original try, altho whenever 
>> I put this type in kdc.conf, it would either be ignored by the kdc 
>> or kadmin would refuse to work with a "required missing parameter in 
>> kdc.conf" error).
> 
> MIT Kerberos 5 1.3.3 does support RC4-HMAC and if the client sends 
> that enctype in a TGS_REQ the KDC will reply with it.   You need to 
> make sure though that the Kerberos principal(s) for the afs cell(s) 
> served by your KDC only have the des-cbc-crc enctype associated with 
> them.
> 
> What is used by the client for its TGT does not matter as long as the 
> service ticket uses DES-CBC-CRC:AFS
> 
> Jeffrey Altman.
> 
> 

-- 
********************************
David William Botsch
Consultant/Advisor II
CCMR Computing Facility
dwb7@ccmr.cornell.edu
********************************
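The two checks this thread turns on (does a user principal carry every enctype listed in supported_enctypes, and does the afs cell principal carry only des-cbc-crc as Jeffrey recommends) can be scripted against `getprinc` output. The following is an added example, not code from the thread or from MIT Kerberos; the mapping from kdc.conf enctype names to the strings kadmin prints is assumed from the output quoted above plus the usual MIT label for arcfour, and the sample outputs are constructed.

```python
import re

# Assumed: kdc.conf enctype/salt names -> the descriptions kadmin getprinc prints.
ENCTYPE_DESC = {
    "des3-cbc-sha1": "Triple DES cbc mode with HMAC/sha1",
    "des-cbc-crc": "DES cbc mode with CRC-32",
    "des-cbc-md5": "DES cbc mode with RSA-MD5",
    "arcfour-hmac-md5": "ArcFour with HMAC/md5",
}
SALT_DESC = {"normal": "no salt", "afs3": "AFS version 3"}

KEY_RE = re.compile(r"^Key: vno (\d+), (.+?), (.+)$")


def parse_supported_enctypes(value):
    """'des3-cbc-sha1:normal,des-cbc-crc:afs3' -> {(enctype, salt), ...}; salt defaults to normal."""
    pairs = set()
    for item in value.split(","):
        item = item.strip()
        if item:
            enc, _, salt = item.partition(":")
            pairs.add((enc, salt or "normal"))
    return pairs


def parse_getprinc_keys(output):
    """Return [(vno, enctype description, salt description)] from the 'Key:' lines."""
    keys = []
    for line in output.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            keys.append((int(m.group(1)), m.group(2), m.group(3)))
    return keys


def missing_enctypes(supported_enctypes, getprinc_output):
    """Enctypes listed in kdc.conf that the principal has no key for (kdc.conf spelling)."""
    have = {(enc, salt) for _, enc, salt in parse_getprinc_keys(getprinc_output)}
    missing = []
    for enc, salt in sorted(parse_supported_enctypes(supported_enctypes)):
        if (ENCTYPE_DESC[enc], SALT_DESC[salt]) not in have:
            missing.append(f"{enc}:{salt}")
    return missing


def non_des_cbc_crc_keys(getprinc_output):
    """For an afs cell principal: any key that is not des-cbc-crc, which clients may be handed."""
    return [f"{enc}, {salt}" for _, enc, salt in parse_getprinc_keys(getprinc_output)
            if enc != ENCTYPE_DESC["des-cbc-crc"]]


# Constructed sample output, trimmed to the lines the checks read.
SUPPORTED = "des3-cbc-sha1:normal,des-cbc-crc:afs3,des-cbc-md5:normal,arcfour-hmac-md5:normal"
BOZO = """Principal: bozo@CCMR.CORNELL.EDU
Number of keys: 3
Key: vno 10, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 10, DES cbc mode with CRC-32, AFS version 3
Key: vno 10, DES cbc mode with RSA-MD5, no salt
"""
AFS_OK = "Principal: afs@CCMR.CORNELL.EDU\nKey: vno 3, DES cbc mode with CRC-32, no salt\n"
AFS_BAD = AFS_OK + "Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt\n"
```

Running `missing_enctypes(SUPPORTED, BOZO)` reports the arcfour key the thread found absent, and `non_des_cbc_crc_keys(AFS_BAD)` flags the extra 3DES key that would break the DES-CBC-CRC:AFS requirement.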