[OpenAFS] AES Support ?
Russ Allbery
rra@stanford.edu
Thu, 27 Sep 2007 11:23:25 -0700
John Hascall <john@iastate.edu> writes:

> Previously in this discussion it was said you need to upgrade all your
> servers before you start upgrading your clients. So if, (on that day
> that some other cell deletes "afs"), you haven't progressed far enough
> in your transition to where you can upgrade your clients, it sounds to
> me like you are in trouble.
>
> And, you have the ever-increasing weakness of DES keys which I presume
> will be pushing some cells to try to complete the transition as fast as
> possible.
>
> This, to me, seems to be the sort of thing people need to be aware of
> for planning purposes.

You cannot turn off use of DES keys for AFS in your cell without a flag
day. You will be able to permit upgraded clients to use stronger
encryption types without a flag day.

This is fairly normal for transitions of this sort. Turning something off
is almost always a flag day. The same is true of disabling DES keys in
your Kerberos v5 realm (have you done that yet?).

--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>