[OpenAFS] OpenAFS and single DES
Fri, 5 Oct 2012 14:11:59 -0700
On Fri, Oct 5, 2012 at 11:23 AM, Benjamin Kaduk <firstname.lastname@example.org> wrote:
> You can limit your exposure by having the afs/cell@realm principal be the
> only principal in the database with a single DES key. The default_enctypes
> do not need to include single-DES, and you can safely make both user
> principals and krbtgt/realm have no weak keys, the weak crypto will only be
> used to obtain an afs service ticket (and the corresponding token).
Are you absolutely sure this is true? I have vague recollections that you
need single DES keys on the krbtgt key to get single DES tickets. But
it's late and I haven't had lunch yet so I may be misremembering.
> I would expect that completely removing single DES (with the exception of
> AFS) would require a year or more to transition fully, in a large
I'm puzzled here as well. Once you remove them offending service keys
from the KDC,
isn't the process more or less done? I know in hiemdal at least that
it's trivial to remove
just a specific enctype from a service principal w/o affecting the
rest of the keys.
- Booker C. Bense