[OpenAFS] Problem getting AFS tokens on debian...

Russ Allbery rra@stanford.edu
Mon, 18 Jan 2010 22:41:21 -0800

Jan Pospisil <honik@kma.zcu.cz> writes:
> On Mon, 18 Jan 2010, at 12:53 -0800, Russ Allbery wrote:

>> Because it's "allow_weak_crypto", not "allow_weak_enctypes".  Otherwise,
>> yes, that's the problem and that should fix it.

> Thank you very much, this really helped.

> By the way, what are the best practices to avoid "weak crypto"? Do you
> (not only at Stanford) have all the krb5/afs keys in DES3, AES, ...?

Currently, you can't avoid DES for AFS without using experimental code.
The assumption of DES is encoded deep in the Rx security layer used for
the AFS network protocols.  There are two efforts underway to update AFS's
security handling to use all available Kerberos enctypes, and I'm very
hopeful that this situation won't persist for much longer.

In general, I think few large sites have completely migrated off of DES.
At Stanford, we've started, in that all newly created principals get
Triple-DES and 256-bit AES enctypes as well, so most wire traffic now uses
AES encryption, but we've not yet started to push to update the enctypes
of keys that haven't been changed or to start deleting the DES enctypes.
We're going to ensure all central system keys are updated this calendar
year and try to phase out DES entirely sometime next calendar year.


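Added example, not from Russ's message or from OpenAFS: two small POSIX shell audit helpers for the two things the thread touches on, the krb5.conf `allow_weak_crypto` setting in `[libdefaults]` (which a client needs set to true to get DES-based AFS tokens, as the thread says) and the single-DES keys that an enctype migration has to track down. It assumes MIT Kerberos krb5.conf syntax and the `klist -ke` output format (KVNO, principal, enctype in parentheses); the config files and the keytab listing below are constructed samples, not real keys, and the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the original thread). Both helpers work on
# files so they run offline; the inputs are constructed samples.

# weak_crypto_enabled FILE
# Returns 0 when FILE (krb5.conf syntax) sets allow_weak_crypto to a true
# value inside [libdefaults], 1 otherwise. Only that section is consulted,
# so the same key name in another section does not count.
weak_crypto_enabled() {
    awk '
        /^[[:space:]]*\[/ {                        # section header, e.g. [libdefaults]
            section = $0
            gsub(/[[:space:]]/, "", section)
            next
        }
        section == "[libdefaults]" && /^[[:space:]]*allow_weak_crypto[[:space:]]*=/ {
            val = $0
            sub(/^[^=]*=[[:space:]]*/, "", val)    # keep only the value
            sub(/[[:space:]]*([#;].*)?$/, "", val) # drop trailing space / comment
            val = tolower(val)
            if (val == "true" || val == "yes" || val == "1" || val == "on")
                found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# des_keys_in_listing FILE
# FILE holds saved output of `klist -ke`. Prints "principal (enctype)" for
# every key whose enctype is single DES; returns 0 if any were printed.
des_keys_in_listing() {
    awk '
        /\((des-cbc-crc|des-cbc-md5|des-cbc-md4)\)/ { print $2 " " $3; n++ }
        END { exit ((n > 0) ? 0 : 1) }
    ' "$1"
}

# ---- constructed sample inputs ------------------------------------------
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

cat > "$TMP/krb5-weak.conf" <<'EOF'
# constructed sample: client that still needs DES for AFS tokens
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = true

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
EOF

cat > "$TMP/krb5-strict.conf" <<'EOF'
# constructed sample: DES disabled (the default)
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = false
EOF

cat > "$TMP/keytab-listing.txt" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 afs/example.com@EXAMPLE.COM (des-cbc-crc)
   5 host/client.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   5 host/client.example.com@EXAMPLE.COM (des3-cbc-sha1)
   5 host/client.example.com@EXAMPLE.COM (des-cbc-crc)
EOF

# ---- usage ---------------------------------------------------------------
for f in krb5-weak.conf krb5-strict.conf; do
    if weak_crypto_enabled "$TMP/$f"; then
        echo "$f: allow_weak_crypto is on (DES tickets/tokens accepted)"
    else
        echo "$f: allow_weak_crypto is off"
    fi
done
echo "single-DES keys in keytab listing:"
des_keys_in_listing "$TMP/keytab-listing.txt" || echo "(none)"
```

On a real host, feed `weak_crypto_enabled /etc/krb5.conf` and `klist -ke > listing.txt; des_keys_in_listing listing.txt`; `klist -e` (without `-k`) shows the enctypes of the tickets in the current cache, which is the quickest way to see whether a given service ticket is still DES. Keys that show up only with single-DES enctypes are the ones the migration described above has to re-key before the DES enctypes can be deleted.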