[OpenAFS] Heimdal KDC bug mentioned in rekeying document
Russ Allbery
rra@stanford.edu
Fri, 26 Jul 2013 13:39:22 -0700
Derrick Brashear <shadow@gmail.com> writes:
> Sergio Gelato <Sergio.Gelato@astro.su.se> wrote:
>> I'm compiling my next (and hopefully final) iteration right now.
>> I went for this variant:
>>     if (clientbest != (krb5_enctype)ETYPE_NULL &&
>>         enctype == (krb5_enctype)ETYPE_NULL) {
>>         enctype = clientbest;
>>         if (ret_key == NULL)
>>             ret = 0;
>>     }
>>
> This plus
> [kdc]
>     svc-use-strongest-session-key=true
> works.
svc-use-strongest-session-key looks like it still tries to find something
in the common subset of supported keys between the client and server, and
legacy aklog sends only des-cbc-crc as its supported keys. So how could
this work? Isn't there still no common subset with a principal that has
no DES keys?
And, in 1.5.2, since the server key is forced to the service key (per
later discussion), if there *is* a DES key for the afs/* principal,
doesn't that result in using a DES long-term key, thus making the update
mostly pointless?
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
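An added C model of the selection logic under discussion (illustration only, not Heimdal's code): the common-subset search with and without svc-use-strongest-session-key, plus the quoted clientbest fallback when the caller needs no key. The enctype numbers are the RFC 3961 values; the strength ranking, the function name and the flag parameters are assumptions of the model.

```c
#include <stdbool.h>
#include <stddef.h>
typedef int krb5_enctype;
/* RFC 3961 enctype numbers; local constants for the model, not Heimdal's headers. */
enum { ETYPE_NULL = 0, ETYPE_DES_CBC_CRC = 1,
       ETYPE_AES128_CTS_HMAC_SHA1_96 = 17, ETYPE_AES256_CTS_HMAC_SHA1_96 = 18 };
/* Assumed strength ranking used for "strongest": larger is stronger. */
static int strength(krb5_enctype e)
{
    switch (e) {
    case ETYPE_AES256_CTS_HMAC_SHA1_96: return 3;
    case ETYPE_AES128_CTS_HMAC_SHA1_96: return 2;
    case ETYPE_DES_CBC_CRC:             return 1;
    default:                            return 0;
    }
}
static bool listed(krb5_enctype e, const krb5_enctype *list, size_t n)
{
    for (size_t i = 0; i < n; i++) if (list[i] == e) return true;
    return false;
}

/* Choose the session-key enctype.  client[] is what the client advertised (in
 * its order), svc_keys[] the enctypes of the service principal's long-term keys.
 * use_strongest models svc-use-strongest-session-key=true.  fallback models the
 * quoted patch: no common enctype, so take the client's best one, but only when
 * the caller needs no key (its ret_key == NULL).  Returns 0 or -1 (no enctype). */
int select_session_enctype(const krb5_enctype *client, size_t nclient,
                           const krb5_enctype *svc_keys, size_t nsvc,
                           bool use_strongest, bool fallback, bool need_key,
                           krb5_enctype *enctype)
{
    krb5_enctype best = ETYPE_NULL, clientbest = ETYPE_NULL;
    for (size_t i = 0; i < nclient; i++) {
        if (strength(client[i]) > strength(clientbest))
            clientbest = client[i];                 /* strongest the client offered */
        if (!listed(client[i], svc_keys, nsvc))
            continue;                               /* outside the common subset */
        if (!use_strongest) { best = client[i]; break; }  /* client preference wins */
        if (strength(client[i]) > strength(best))
            best = client[i];                       /* strongest common enctype */
    }
    if (best == ETYPE_NULL && fallback && clientbest != ETYPE_NULL && !need_key)
        best = clientbest;                          /* the patch: enctype = clientbest */
    if (best == ETYPE_NULL)
        return -1;
    *enctype = best;
    return 0;
}
```

With a legacy aklog offering only des-cbc-crc and a service principal holding only AES keys, the common subset is empty, so only the fallback yields an enctype; with a DES key present on the principal, DES is what gets selected.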