[OpenAFS] OpenAFS and single DES

Booker Bense bbense@gmail.com
Mon, 8 Oct 2012 15:51:30 -0700


On Mon, Oct 8, 2012 at 10:05 AM, Jim Green <jfgreen@msu.edu> wrote:
> Thanks for the responses, this is very helpful. One question:  are you
> saying that if our existing user principals have both AES and DES encrypted
> keys that it is possible to remove the DES keys without having to force all
> our users to change their passwords (e.g. with kdb_util dump/load)?  It
> seems to me I've read conflicting opinions on that.

You can definitely remove the keys with a Heimdal KDC. It's one of the
kadmin commands. It's not so clear to me how to do that with an MIT KDC.

> When MSU rolled out Kerberos 5 in 2005 we did force everyone to change their
> passwords and my understanding is they all got triple-DES and AES keys in
> addition to DES at that time and going forward.
>

Well, that's definitely step 1 in the process and probably the most
user-visible source of pain.

- Booker C. Bense