[OpenAFS] AES Support ?

Steve Simmons scs@umich.edu
Tue, 2 Oct 2007 16:01:08 -0400


On Sep 27, 2007, at 2:32 PM, John Hascall wrote:

>> The same is true of disabling DES keys in your Kerberos v5 realm
>> (have you done that yet?).
>
> Surely you jest, we're still struggling to get rid of K4.

Actually, our k4 to k5 conversion turned out to be a reasonable (if  
exhausting) model of how to do it -

Start monitoring k4 use and twisting arms.

Escalated threats^H^H^H^H^H^H^H efforts accompanied by examples from  
other universities getting hacked ("You don't want to wind up like  
Ohio State" is a very potent phrase at Michigan).

Rolling cycles of:

1. Pick a subnet
2. Identify k4 users/hosts
3. Announce to them a date that k4 will stop working, repeatedly in  
their face. "Yes, we mean you."
4. Filter out k4 traffic on date.
5. If no problems, done. Otherwise loosen up filter a bit and return  
to step 3 for ever-smaller set of users.

You can do many subnets simultaneously.

I think it took us nearly a year, but my brain refuses to disgorge  
the details. And we still have a few legacy administrative hosts  
doing k4, but it's completely blocked for everything except those few  
IP addresses. And those machines are in process of being de-commed.  
Which reminds me, I need to go power down one of them.

The same process has to be applied with DES.
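Steps 2, 4 and 5 of the rolling cycle above, as an added example that is not code from the original post: it picks out the hosts on each subnet still speaking k4 from flow records and drafts the per-subnet filter, with the legacy exemptions that step 5 leaves behind. It assumes the IANA kerberos-iv port 750 and the krb524 translator port 4444, iptables as the filter, and constructed flow records in a simple "src_ip dst_ip proto dst_port" form.

```python
"""Find Kerberos v4 clients per subnet and draft the shut-off filter.
Added example for the rolling k4 shut-off cycle; not from the original post.
Assumes IANA ports 750 (kerberos-iv) and 4444 (krb524) and constructed
flow records in "src_ip dst_ip proto dst_port" form."""
import ipaddress
from collections import defaultdict
from itertools import product

K4_PORTS = (750, 4444)  # kerberos-iv and krb524 (IANA assignments)
PROTOS = ("udp", "tcp")

# Constructed sample flows from two subnets toward a KDC (RFC 5737 addresses)
FLOWS = """\
192.0.2.5 203.0.113.20 udp 750
192.0.2.5 203.0.113.20 udp 88
192.0.2.77 203.0.113.20 tcp 4444
198.51.100.3 203.0.113.20 udp 88
198.51.100.9 203.0.113.20 udp 750
198.51.100.9 203.0.113.20 udp 750
"""

def k4_clients_by_subnet(flows, subnets):
    """Step 2: map each monitored subnet to the hosts still speaking k4.
    Hosts that only talk to port 88 (Kerberos v5) are not reported."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    found = defaultdict(set)
    for line in flows.splitlines():
        src, _dst, proto, port = line.split()
        if proto not in PROTOS or int(port) not in K4_PORTS:
            continue
        ip = ipaddress.ip_address(src)
        for net in nets:
            if ip in net:
                found[str(net)].add(src)
    return {net: sorted(hosts) for net, hosts in found.items()}

def k4_filter_rules(subnet, exempt=()):
    """Steps 4-5: drop k4 from the subnet on the announced date. Exempt
    hosts are the legacy machines kept when the filter is loosened; their
    ACCEPT rules come first so they match before the subnet-wide DROP."""
    rule = "iptables -A INPUT -s {} -p {} --dport {} -j {}"
    rules = [rule.format(host, proto, port, "ACCEPT")
             for host in exempt for proto, port in product(PROTOS, K4_PORTS)]
    rules += [rule.format(subnet, proto, port, "DROP")
              for proto, port in product(PROTOS, K4_PORTS)]
    return rules
```

Running the cycle again on the hosts reported for a subnet, with a shrinking exemption list, is the "return to step 3 for an ever-smaller set of users" loop.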