[OpenAFS] Re: [OpenAFS-announce] OpenAFS Security Advisory 2013-0003
Douglas E. Engert
deengert@anl.gov
Wed, 24 Jul 2013 11:50:37 -0500
On 7/24/2013 11:10 AM, Benjamin Kaduk wrote:
> On Wed, 24 Jul 2013, Douglas E. Engert wrote:
>
>> Question: Once the 1.6.5 binaries are in place, and the servers
>> start using the rxkad.keytab, will the server still accept
>> existing DES based tokens that use keys and kvno that
>> are only in the KeyFile?
>
> Yes. In fact, the code path for tokens using keys in the KeyFile (all single-DES keys, really) is nearly unchanged. Only non-DES enctypes take the codepath with the new decrypter that knows about rxkad.keytab.
Your answer implies even if we have a single DES entry in the
rxkad.keytab we also have to have it in the KeyFile.
Is that correct?
I was expecting you to say for single DES, it would first look in the
rxkad.keytab and if the KVNO was not found look in the KeyFile.
>
> -Ben
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444