[OpenAFS] Re: scan client version

Russ Allbery rra@stanford.edu
Thu, 01 Aug 2013 10:57:18 -0700


Andrew Deason <adeason@sinenomine.net> writes:

> Perhaps to say it more explicitly, rxkad-kdf does not make our security
> any "better" over rxkad-k5 in terms of crypto. All it does is allow you
> to say "I've turned off single DES completely on the KDC", and have AFS
> still work. That is arguably improved security from a policy standpoint
> and such, but as far as the crypto we actually use on the wire,
> everything is of exactly the same strength between rxkad-kdf and
> rxkad-k5.

Well, it doesn't make AFS better, but it does potentially make the rest of
your Kerberos realm better, because it means you can throw the global
"allow-weak-crypto" switch on your KDC.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>