[OpenAFS] OpenAFS and single DES

Jim Green jfgreen@msu.edu
Fri, 5 Oct 2012 14:13:56 -0400


Here at Michigan State, I'm leading a project to upgrade our MIT Kerberos
system from 1.6.3 to 1.10.x.  One thing we've discovered in our research is,
in order for AFS to work, we need to turn on support for single DES in our
Kerberos KDC.

Short of either OpenAFS being modified not to need single DES (doesn't seem
likely any time soon), or MSU dropping AFS (it's been suggested, but that's
complex logistically for us), what are the appropriate steps we should take
to mitigate the risk?  For example, I've been asked if there is any way to
limit single-DES to only those transactions that absolutely need it.  Which
made me realize that I actually do not understand which transactions
actually need it.

>From reading this post,
https://lists.openafs.org/pipermail/openafs-info/2010-March/033057.html, it
seems that OpenAFS client versions 1.4.12 and higher are doing something
like that on the client side, thereby doing away with the need to set
"allow_weak_crypto=true" in the Kerberos client, but allowing it for aklog
only.  Is that right?

Otherwise, does anyone have any other suggestions to make us feel better or
worse as far as what the exposure is and what steps we should take to
mitigate it?  I realize this is a Kerberos question but I'm thinking because
it relates to AFS some of you may have already put some thought into it as
well.

Thanks in advance