[OpenAFS] Re: OpenAFS 1.7.26 windows and not changed AFS service principle - OK?

Jeffrey Hutzelman jhutz@cmu.edu
Thu, 25 Jul 2013 13:23:54 -0400


On Thu, 2013-07-25 at 11:38 -0500, Andrew Deason wrote:
> On Thu, 25 Jul 2013 11:36:52 -0400 (EDT)
> Benjamin Kaduk <kaduk@MIT.EDU> wrote:
> 
> > and in the absence of other information, the KDC should not assume
> > that a service supports an enctype for which it has no long-term key.
> 
> After thinking about this, it seems like we could make this more robust,
> if the KDC doesn't do this. The behavior we're desiring is that a KDC
> just _prefers_ using session key enctypes where it has an associated
> long-term key, if the client doesn't specify an enctype.

Huh?  No, the client doesn't specify an enctype; it provides a list of
the enctypes it supports.  If the list is empty, the authentication will
fail.  At the API layer, Kerberos libraries generally offer the ability
for an application not to specify particular enctypes; what this means
is that the library sends a list of everything it supports (or, in some
circumstances, perhaps the intersection of "everything it supports" with
"everything in this keytab").

The text in RFC4120 is unfortunately scattered and a bit vague, but the
intent is that the KDC must select an enctype from the client-provided
list.  Further, it must select an enctype which is supported by the
target service.  Both MIT and Heimdal determine this based on the list
of enctypes stored for that service in the Kerberos database.  So, the
selected session key must use an enctype that is both on the client's
list _and_ in the service's list of long-term keys.



> if a client specifically requests e.g. a DES session key when the
> principal only has an AES long term key, we do get the DES session key
> (unless DES has been disabled kdc-wide or whatever).

This happens only with an MIT Kerberos KDC, which assumes that services
support DES-CBC-MD5 even when they have no keys of that type.  This is a
reasonable assumption because implementation of DES-CBC-MD5 is
mandatory.


However, this thread is about Windows, not MIT or Heimdal.
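
A toy model of the session-key enctype selection described in the message above, added here as an illustration; it is not code from the message, MIT Kerberos, Heimdal or OpenAFS. The function names, the `kdc_permitted` set and the rule that the first acceptable entry in the client's order wins are assumptions of the example.

```python
# Added illustration: toy model of how a KDC picks a session-key enctype.
# Names and the tie-break rule are assumptions, not any KDC's real code.

# IANA-assigned Kerberos enctype numbers.
DES_CBC_MD5 = 3
AES128_SHA1 = 17
AES256_SHA1 = 18
RC4_HMAC = 23
KDC_ALL = frozenset({DES_CBC_MD5, AES128_SHA1, AES256_SHA1, RC4_HMAC})


def service_supported(service_key_etypes, assume_des_cbc_md5=False):
    """Enctypes the KDC believes the service supports.

    Derived from the service's long-term keys in the database; optionally
    add DES-CBC-MD5 even with no key of that type (the MIT behaviour the
    message describes).
    """
    supported = set(service_key_etypes)
    if assume_des_cbc_md5:
        supported.add(DES_CBC_MD5)
    return supported


def select_session_etype(client_etypes, service_key_etypes,
                         kdc_permitted=KDC_ALL, assume_des_cbc_md5=False):
    """Return the chosen session-key enctype, or None if the request fails."""
    supported = service_supported(service_key_etypes, assume_des_cbc_md5)
    for etype in client_etypes:  # assumption: client order decides ties
        if etype in kdc_permitted and etype in supported:
            return etype
    return None  # empty list or no common enctype


if __name__ == "__main__":
    aes_only_service = [AES256_SHA1]  # constructed sample principal
    modern_client = [AES256_SHA1, AES128_SHA1, RC4_HMAC, DES_CBC_MD5]
    des_only_client = [DES_CBC_MD5]

    print(select_session_etype(modern_client, aes_only_service))
    print(select_session_etype(des_only_client, aes_only_service))
    print(select_session_etype(des_only_client, aes_only_service,
                               assume_des_cbc_md5=True))
    print(select_session_etype(des_only_client, aes_only_service,
                               kdc_permitted=KDC_ALL - {DES_CBC_MD5},
                               assume_des_cbc_md5=True))
```

The second and third calls differ only in the DES-CBC-MD5 assumption, which is the difference between getting no ticket and getting a DES session key for an AES-only principal.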