[OpenAFS] AES Support ?
Christopher D. Clausen
cclausen@acm.org
Wed, 26 Sep 2007 08:15:32 -0500
John Hascall <john@iastate.edu> wrote:
>> What makes your cell "rxk5" capable is if you have an
>> "afs-k5@YOUR-REALM" service key.
>
> That seems icky. Why does it have to have a different name?
I suspet that if it had the same name, the enc-types would be confused
with AES vs. DES in the current clients. Additionally, using a
different service principal ensures that only binaries that are setup to
use the new principal will attempt to do so, allowing for current
clients and servers to keep working while adding support for rxk5 to
your cell, one server / client at a time.
I'm assuming that something like afs-k5/cellname@REALM will work, as I
already have multiple AFS cells using the same Kerberos realm.
<<CDC