[OpenAFS] Re: klog.krb5 incompatible with Heimdal 1.5.1?

Andreas Haupt ahaupt@ifh.de
Fri, 14 Oct 2011 14:38:00 +0200

Hi Jeffrey,

On Fri, 2011-10-14 at 08:02 -0400, Jeffrey Altman wrote:
> Andreas:
> Wireshark cannot show you the type of the session key since that key is
> only visible to parties that are capable of decrypting the encrypted
> portions of the response.  It is the session key that must be des-cbc-*
> and which is instead aes256-cts-hmac-sha1-96 in the 1.5.1 case.

OK, learned something again ...

> klog.krb5 should be setting an explicit request for a des-cbc-crc
> session key.  That is a bug which must be fixed.  It should be reported
> to openafs-bugs@openafs.org.


> Heimdal 1.5.1 should also be restricting the session key to one of the
> encryption types that are known to the afs@IFH.DE principal.  That is
> also a bug and should be reported on the heimdal mailing list.

Done, as well.

| Andreas Haupt             | E-Mail: andreas.haupt@desy.de
|  DESY Zeuthen             | WWW:    http://www-zeuthen.desy.de/~ahaupt
|  Platanenallee 6          | Phone:  +49/33762/7-7359
|  D-15738 Zeuthen          | Fax:    +49/33762/7-7216