[OpenAFS] Re: [OpenAFS-announce] OpenAFS Security Advisory 2013-0003

Benjamin Kaduk kaduk@MIT.EDU
Wed, 24 Jul 2013 13:13:36 -0400 (EDT)


On Wed, 24 Jul 2013, Douglas E. Engert wrote:

>
>
> On 7/24/2013 11:10 AM, Benjamin Kaduk wrote:
>> On Wed, 24 Jul 2013, Douglas E. Engert wrote:
>> 
>>> Question: Once the 1.6.5 binaries are in place, and the servers
>>> start using the rxkad.keytab, will the server still accept
>>> existing DES based tokens that use keys and kvno that
>>> are only in the KeyFile?
>> 
>> Yes.  In fact, the code path for tokens using keys in the KeyFile (all
>> single-DES keys, really) is nearly unchanged.  Only non-DES enctypes take
>> the codepath with the new decrypter that knows about rxkad.keytab.
>
> Your answer implies even if we have a single DES entry in the
> rxkad.keytab we also have to have it in the KeyFile.
> Is that correct?

Yes.

>
> I was expecting you to say for single DES, it would first look in the
> rxkad.keytab and if the KVNO was not found look in the KeyFile.

This is an artifact of how we retained the old codepath for existing keys.
Perhaps it should be better documented.

-Bex
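The key-lookup behaviour described in this exchange, modelled as an added Python example (this is not OpenAFS code and not something either poster wrote): single-DES tokens are resolved against the KeyFile only, every other enctype goes through the keytab-aware decrypter, and a DES key that exists only in rxkad.keytab is therefore never found. The second function is a small audit an administrator might run over their own key inventory before rolling out 1.6.5. The enctype names are standard Kerberos names; the sample KeyFile and keytab inventories are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Single-DES enctype names as Kerberos spells them (assumption: any
# single-DES enctype is handled the same way, per the thread).
DES_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}


@dataclass(frozen=True)
class KeytabEntry:
    """One entry of rxkad.keytab: a key version and its enctype."""
    kvno: int
    enctype: str


def lookup_store(token_enctype: str, token_kvno: int,
                 keyfile_kvnos: Set[int],
                 keytab: List[KeytabEntry]) -> Tuple[str, Optional[int]]:
    """Model of the dispatch described in the thread.

    Returns (store consulted, kvno found or None). The KeyFile holds only
    single-DES keys, so it is modelled as a set of kvnos; rxkad.keytab
    entries carry an enctype. A DES token never falls back to the keytab,
    and a non-DES token never consults the KeyFile.
    """
    if token_enctype in DES_ENCTYPES:
        # Old, nearly unchanged code path: KeyFile only.
        return ("KeyFile", token_kvno if token_kvno in keyfile_kvnos else None)
    # New decrypter: match on kvno and enctype in rxkad.keytab.
    for entry in keytab:
        if entry.kvno == token_kvno and entry.enctype == token_enctype:
            return ("rxkad.keytab", entry.kvno)
    return ("rxkad.keytab", None)


def des_kvnos_missing_from_keyfile(keyfile_kvnos: Set[int],
                                   keytab: List[KeytabEntry]) -> List[int]:
    """Audit: DES key versions present in rxkad.keytab but absent from the
    KeyFile. Tokens issued under these kvnos would be rejected, because the
    DES path never reads the keytab."""
    return sorted({e.kvno for e in keytab
                   if e.enctype in DES_ENCTYPES and e.kvno not in keyfile_kvnos})


# Constructed sample inventory: kvno 3 is in both stores, kvno 4 is a DES
# key that was only added to the keytab, kvno 5 is an AES key.
SAMPLE_KEYFILE_KVNOS = {3}
SAMPLE_KEYTAB = [
    KeytabEntry(3, "des-cbc-crc"),
    KeytabEntry(4, "des-cbc-crc"),
    KeytabEntry(5, "aes256-cts-hmac-sha1-96"),
]

if __name__ == "__main__":
    print(lookup_store("des-cbc-crc", 3, SAMPLE_KEYFILE_KVNOS, SAMPLE_KEYTAB))
    print(lookup_store("des-cbc-crc", 4, SAMPLE_KEYFILE_KVNOS, SAMPLE_KEYTAB))
    print(lookup_store("aes256-cts-hmac-sha1-96", 5, SAMPLE_KEYFILE_KVNOS, SAMPLE_KEYTAB))
    print("DES kvnos only in keytab:",
          des_kvnos_missing_from_keyfile(SAMPLE_KEYFILE_KVNOS, SAMPLE_KEYTAB))
```

Running it shows the kvno 4 DES token failing against the KeyFile even though the key is in rxkad.keytab, which is the situation the poster asked about, and the audit lists kvno 4 as the entry that still needs to be added to the KeyFile.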