[OpenAFS] Re: More questions about the re-keying document

Andrew Deason adeason@sinenomine.net
Fri, 26 Jul 2013 11:15:32 -0500


On Fri, 26 Jul 2013 09:45:13 -0500
Andrew Deason <adeason@sinenomine.net> wrote:

> To summarize: in MIT you do not want any DES keys in rxkad.keytab or
> in the KDC's db. In Heimdal you do not want any DES keys in
> rxkad.keytab, but you must have a DES key in the KDC's db due to how
> it selects session keys. (This is for all versions of Heimdal; there
> are no version exceptions that I know of, besides a patch that Sergio
> is developing.)

As someone else brought up with me, the above only applies if you care
about supporting old clients. If you control all of the clients and
upgrade all of them first, you don't need a DES key in Heimdal, and so
you don't need to worry about a lot of this stuff. (This needs to be
clarified in how-to-rekey.txt, too...)

-- 
Andrew Deason
adeason@sinenomine.net
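
The rule summarized in this message (no DES keys in rxkad.keytab) can be checked mechanically. The following is an added example, not part of the original message or of OpenAFS: it parses a version 0x0502 Kerberos keytab and reports entries whose enctype is single DES. The principal, realm and all-zero key bytes in the sample are constructed.

```python
import struct

# Single-DES enctype numbers as assigned for Kerberos.
DES_ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}

def _counted(buf, off):
    """Read a 16-bit length-prefixed string; return (text, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def keytab_entries(data):
    """Yield (principal, kvno, enctype) for each entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    off = 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:            # negative length marks a deleted entry
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, p = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(data, p)
            comps.append(comp)
        p += 8                   # skip name type and timestamp
        kvno = data[p]
        enctype, keylen = struct.unpack_from(">HH", data, p + 1)
        p += 5 + keylen
        if end - p >= 4:         # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        yield "/".join(comps) + "@" + realm, kvno, enctype
        off = end

def des_keys(data):
    """Return the entries that must not be present in rxkad.keytab."""
    return [(p, k, DES_ENCTYPES[e]) for p, k, e in keytab_entries(data)
            if e in DES_ENCTYPES]

def _sample_entry(realm, comps, kvno, enctype, key):
    """Build one keytab entry for the constructed sample below."""
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = struct.pack(">H", len(comps)) + cs(realm) + b"".join(map(cs, comps))
    body += struct.pack(">IIBHH", 1, 0, kvno, enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: one AES-256 entry (enctype 18) and one leftover DES entry.
_NAME = ("EXAMPLE.ORG", ["afs", "example.org"])
SAMPLE = (b"\x05\x02" + _sample_entry(*_NAME, 5, 18, bytes(32))
          + _sample_entry(*_NAME, 4, 3, bytes(8)))
```

To check a real file, pass its bytes to `des_keys()`; an empty list means no DES entries were found.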