[OpenAFS] More questions about the re-keying document
stephen@physics.unc.edu
Fri, 26 Jul 2013 10:14:59 -0400 (EDT)
On Thu, 25 Jul 2013, Benjamin Kaduk wrote:
> Some versions of Heimdal have a KDC bug wherein the ticket enctype is always
> the same as the session key enctype; in these cases the DES key is needed in
> the rxkad.keytab (and the KeyFile).
Forgive me if I'm missing an obvious answer, but in this situation, is the
cell still vulnerable to the DES attack we're attempting to remediate?
> In all other cases, you should not have
> the DES key in the rxkad.keytab or KeyFile. You can check whether your
> Heimdal KDC has this bug by using a DES-only client (with
> default_tgs_enctypes in krb5.conf, if needed) to request a service ticket
> (say, with kgetcred) for a service that has a non-DES key in the KDB. If
> 'klist -v' shows the Ticket etype as being des (as well as the session etype),
> then the KDC is buggy.
>
> -Ben
Cheers,
Stephen
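The check Ben describes (a DES-only client requests a service ticket for a principal that has a non-DES key, then `klist -v` is inspected) can be automated once the ticket cache is listed. The script below is an added example, not code from this thread or from OpenAFS or Heimdal: it parses `klist -v` style output and reports whether the Ticket etype for a given service principal is a DES type. The service principal `afs/example.com@EXAMPLE.COM`, the realm and the two sample cache listings are constructed for illustration, and the listing format is an approximation of what Heimdal's `klist -v` prints (a `Server:` line, a `Ticket etype:` line, and a `Session key:` line when the session key enctype differs from the ticket enctype); adjust the field matching if your klist output differs.

```shell
#!/bin/sh
# Added example: detect the Heimdal KDC bug described in the thread, where the
# ticket enctype always equals the session key enctype, so a DES-only client
# gets a service ticket whose Ticket etype is DES even though the service has
# a non-DES key in the KDB.
#
# Real procedure on a Heimdal test client (not executed here):
#   1. In krb5.conf:   [libdefaults] default_tgs_enctypes = des-cbc-crc
#   2. kinit user@EXAMPLE.COM
#   3. kgetcred afs/example.com@EXAMPLE.COM        # service with a non-DES key
#   4. klist -v | check_ticket_etype afs/example.com@EXAMPLE.COM
# (afs/example.com@EXAMPLE.COM and EXAMPLE.COM are placeholder names.)

# check_ticket_etype SERVICE  < klist-v-output
# Prints BUGGY    if the Ticket etype for SERVICE starts with "des-"
#        OK       if SERVICE has a ticket with a non-DES Ticket etype
#        NOTFOUND if no ticket for SERVICE is in the listing
check_ticket_etype() {
    awk -v svc="$1" '
        # "Server: principal" starts each credential block
        $1 == "Server:" { cur = $2 }
        # "Ticket etype: <enctype>, kvno N" for the service we care about
        $1 == "Ticket" && $2 == "etype:" && cur == svc {
            etype = $3; sub(/,$/, "", etype)
            r = (etype ~ /^des-/) ? "BUGGY" : "OK"
            print r
            found = 1; exit
        }
        END { if (!found) print "NOTFOUND" }
    '
}

# Constructed sample: a buggy KDC. The service has an AES key, yet the ticket
# itself is DES because the client only offered DES session key enctypes.
SAMPLE_BUGGY=$(cat <<'EOF'
Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: user@EXAMPLE.COM

Server: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Client: user@EXAMPLE.COM
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 373
Ticket flags: pre-authent, initial, forwardable
Addresses: addressless

Server: afs/example.com@EXAMPLE.COM
Client: user@EXAMPLE.COM
Ticket etype: des-cbc-crc, kvno 3
Ticket length: 220
Ticket flags: pre-authent, transited-policy-checked
Addresses: addressless
EOF
)

# Constructed sample: a correct KDC. The ticket is encrypted to the service's
# AES key; only the session key is DES, which is expected for a DES-only client.
SAMPLE_OK=$(cat <<'EOF'
Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: user@EXAMPLE.COM

Server: afs/example.com@EXAMPLE.COM
Client: user@EXAMPLE.COM
Ticket etype: aes256-cts-hmac-sha1-96, kvno 3
Session key: des-cbc-crc
Ticket length: 304
Ticket flags: pre-authent, transited-policy-checked
Addresses: addressless
EOF
)

# Stand-alone demonstration against the two constructed listings.
echo "buggy KDC sample:   $(printf '%s\n' "$SAMPLE_BUGGY" | check_ticket_etype afs/example.com@EXAMPLE.COM)"
echo "correct KDC sample: $(printf '%s\n' "$SAMPLE_OK" | check_ticket_etype afs/example.com@EXAMPLE.COM)"
echo "missing ticket:     $(printf '%s\n' "$SAMPLE_OK" | check_ticket_etype host/other.example.com@EXAMPLE.COM)"
```

If the result is BUGGY, the cell is in the situation the thread discusses: the DES key has to stay in rxkad.keytab and the KeyFile until the KDC is fixed, so the DES exposure is not removed. If it is OK, the service ticket is protected by the non-DES key and the DES key can be dropped from both files as Ben describes.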