[OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document

Andrew Deason adeason@sinenomine.net
Thu, 25 Jul 2013 10:03:18 -0500


On Thu, 25 Jul 2013 09:11:38 -0400 (EDT)
stephen@physics.unc.edu wrote:

> In the cell rekeying instructions found at
> <http://openafs.org/pages/security/how-to-rekey.txt>, there is a note
> for sites using Heimdal KDCs. It mentions a bug present in "certain
> versions" of the Heimdal KDC software which completely disables DES on
> the AFS service principal when following the document's instructions.
> 
> Is more information available about specific versions of the Heimdal
> KDC software which exhibit this bug? The document mentions
> experimentally verifying ticket acquisition, which seems wise. But
> also knowing the KDC versions which have the bug would be beneficial.

Sorry about that; this was raised very shortly before the issue became
public; I wanted this note to be in there even if we couldn't provide
full information, so you would be aware that _something_ was wrong with
this.

Allegedly it exists in 1.4 and possibly all earlier versions, and is
fixed somewhere around 1.5. However, it has apparently been fixed and
reintroduced a couple of times, so I'm not sure if such a simple
version range is accurate. All I've actually verified so far is that it
definitely is a problem on Debian's 1.4.0~git20100726.dfsg.1-2+squeeze1.

> Anyone have this info? Should I post to a heimdal list instead?

I'm looking around for some kind of reference I can provide for the
issue or something. For now, if you want more info, you can ask the
heimdal list; I'll probably do that later, but if you get to it before
me, it would be helpful :)

-- 
Andrew Deason
adeason@sinenomine.net