[OpenAFS] AES Support ?

Russ Allbery rra@stanford.edu
Thu, 27 Sep 2007 11:23:25 -0700

John Hascall <john@iastate.edu> writes:

>   Previously in this discussion it was said you need to upgrade all your
>   servers before you start upgrading your clients.  So if, (on that day
>   that some other cell deletes "afs"), you haven't progressed far enough
>   in your transition to where you can upgrade your clients, it sounds to
>   me like you are in trouble.

>   And, you have the ever-increasing weakness of DES keys which I presume
>   will be pushing some cells to try to complete the transition as fast as
>   possible.

>   This, to me, seems to be the sort of thing people need to be aware of
>   for planning purposes.

You cannot turn off use of DES keys for AFS in your cell without a flag
day.  You will be able to permit upgraded clients to use stronger
encryption types without a flag day.

This is fairly normal for transitions of this sort.  Turning something off
is almost always a flag day.  The same is true of disabling DES keys in
your Kerberos v5 realm (have you done that yet?).

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>