[OpenAFS] AES Support ?
Marcus Watts
mdw@spam.ifs.umich.edu
Wed, 26 Sep 2007 12:31:58 -0400
> Date: Wed, 26 Sep 2007 08:38:05 CDT
> To: jaltman@secure-endpoints.com
> cc: Marcus Watts <mdw@spam.ifs.umich.edu>, openafs-info@openafs.org
> From: John Hascall <john@iastate.edu>
> Subject: Re: [OpenAFS] AES Support ?
>
> Jeffrey Altman
> > John Hascall wrote:
> > >> What makes your cell "rxk5" capable is if you have an
> > >> "afs-k5@YOUR-REALM" service key.
> > >
> > > That seems icky. Why does it have to have a different name?
>
> > So that the clients have a way of knowing whether or not the cell
> > supports the rxk5 protocol.
>
>
> Wouldn't the normal Kerberos enctype negotiation do that?
> That is, if the client asks for {AES,DES} and if it gets
> back AES it knows it can use rxk5?
>
> John

Doesn't quite work. If the kdc knows the service supports {AES,RC4,DES}
then when a v5 client says it only does {DES}, the kdc will make up a
session key using DES, *and* then encrypts it using AES. The client is
now happy, but the existing server side rxkad v5 support can't hack that;
it errors out right away when it gets that. In fact, it can't easily
do anything better either - hacking up the KeyFile logic to support AES
would be ugly.
Equating enctype with protocol seems unwise anyways.
-Marcus Watts
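The failure Marcus describes above, as an added toy model (not OpenAFS or Kerberos code, and not from anyone in this thread). It assumes the simplified KDC behaviour the message spells out: the session key enctype is chosen from what the client offered, while the ticket is encrypted with the strongest key the KDC holds for the service. The enctype names, the `STRENGTH` ranking, and the two scenario functions are constructed for the illustration; a real KDC's selection rules are more involved.

```python
# Toy model of Kerberos enctype selection, written to illustrate the thread:
# a client that only offers DES gets a DES session key, but the ticket itself
# is still encrypted with the service's AES key, so a server whose KeyFile
# holds only DES cannot decrypt it. Hypothetical simplification, not real KDC logic.
from dataclasses import dataclass

# Assumed strength ranking the toy KDC uses to pick "the strongest" enctype.
STRENGTH = {"aes256-cts": 3, "arcfour-hmac": 2, "des-cbc-crc": 1}


def strongest(enctypes):
    return max(enctypes, key=lambda e: STRENGTH[e])


@dataclass(frozen=True)
class Ticket:
    ticket_enctype: str    # enctype of the service key used to encrypt the ticket
    session_enctype: str   # enctype of the session key handed to client and server


def kdc_issue(service_key_enctypes, client_enctypes):
    """Model the KDC's two independent choices (simplified, as in the message):
    the session key follows the client's offer, the ticket follows the service's keys."""
    usable = [e for e in client_enctypes if e in STRENGTH]
    if not usable:
        raise ValueError("no enctype in common between client and KDC")
    session = strongest(usable)
    # The ticket is sealed with the strongest service key the KDC knows,
    # regardless of what the client can do.
    return Ticket(ticket_enctype=strongest(service_key_enctypes), session_enctype=session)


def server_accept(keyfile_enctypes, ticket):
    """A server can decrypt a ticket only if its KeyFile holds a key of that enctype."""
    if ticket.ticket_enctype not in keyfile_enctypes:
        return False, (f"cannot decrypt {ticket.ticket_enctype} ticket; "
                       f"KeyFile only has {sorted(keyfile_enctypes)}")
    return True, (f"ticket decrypted with {ticket.ticket_enctype} key; "
                  f"session key enctype {ticket.session_enctype}")


def scenario_mixed_kdc():
    """The case in the message: KDC knows AES/RC4/DES keys for the service,
    the client offers only DES, the server's KeyFile holds only DES."""
    ticket = kdc_issue({"aes256-cts", "arcfour-hmac", "des-cbc-crc"}, ["des-cbc-crc"])
    ok, why = server_accept({"des-cbc-crc"}, ticket)
    # Note the client sees a DES session key and so learns nothing about
    # whether the server can handle the AES-sealed ticket.
    return ticket, ok, why


def scenario_des_only_kdc():
    """Same client and server, but the KDC holds only a DES key for the service."""
    ticket = kdc_issue({"des-cbc-crc"}, ["des-cbc-crc"])
    ok, why = server_accept({"des-cbc-crc"}, ticket)
    return ticket, ok, why


if __name__ == "__main__":
    for name, fn in (("mixed KDC", scenario_mixed_kdc), ("DES-only KDC", scenario_des_only_kdc)):
        ticket, ok, why = fn()
        verdict = "accept" if ok else "reject"
        print(f"{name}: session={ticket.session_enctype} ticket={ticket.ticket_enctype} -> {verdict}: {why}")
```

Running it shows the first scenario rejected and the second accepted with identical client behaviour in both, which is the point of the reply: the enctype the client negotiates for its session key says nothing about what the service's KeyFile can decrypt, so it cannot serve as a signal for which protocol the cell supports.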