[OpenAFS] Heimdal KDC bug mentioned in rekeying document

Derrick Brashear shadow@gmail.com
Fri, 26 Jul 2013 17:25:09 -0400


On Fri, Jul 26, 2013 at 4:39 PM, Russ Allbery <rra@stanford.edu> wrote:

> Derrick Brashear <shadow@gmail.com> writes:
> > Sergio Gelato <Sergio.Gelato@astro.su.se> wrote:
>
> >> I'm compiling my next (and hopefully final) iteration right now.
> >> I went for this variant:
> >>         if (clientbest != (krb5_enctype)ETYPE_NULL &&
> >>             enctype == (krb5_enctype)ETYPE_NULL) {
> >>             enctype = clientbest;
> >>             if (ret_key == NULL)
> >>                 ret = 0;
> >>         }
> >>
>
> > This plus
> > [kdc]svc-use-strongest-session-key=true
>
> > Works.
>
> svc-use-strongest-session-key looks like it still tries to find something
> in the common subset of supported keys between the client and server, and
> legacy aklog sends only des-cbc-crc as its supported keys.  So how could
> this work?  Isn't there still no common subset with a principal that has
> no DES keys?
>
There is exactly zero DES key for afs in the dementia KDC, and I have the
aklog from 1.6.4.
 what ~/aklog.old
/Users/shadow/aklog.old
         OpenAFS 1.6.4 built  2013-07-26
and a KDC built from the tip of heimdal git.

Now, there are possibly side effects elsewhere from this given what appears
to happen in the svc-use-strongest-session-key code path, but for the
limited testing I have done thus far they don't seem to cause any problems.

> And, in 1.5.2, since the server key is forced to the service key (per
> later discussion), if there *is* a DES key for the afs/* principal,
> doesn't that result in using a DES long-term key, thus making the update
> mostly pointless?
>
> --
> Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
>



-- 
Derrick
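The enctype search the thread is arguing about, as an added model written for this page rather than Heimdal's or OpenAFS's code. It reproduces the shape of the selection described above (a strongest-first walk driven by the KDC's own enctype list when svc-use-strongest-session-key is on, the default first-match walk over the client's list otherwise, and the "clientbest" fallback from Sergio's snippet) so that Russ's objection and Derrick's working configuration can be run side by side. The function names, the KDC enctype ordering, the principal's key table and the key bytes are constructed sample data, not values taken from any real KDC.

```python
# Added illustration for this thread, not Heimdal or OpenAFS code.  The
# KDC enctype order, key tables and key bytes below are constructed.

ETYPE_NULL = None

# Constructed: the KDC cryptosystem's enctype list, strongest first.  This
# order drives the search when svc-use-strongest-session-key is set.
KDC_ENCTYPES = (
    "aes256-cts-hmac-sha1-96",
    "aes128-cts-hmac-sha1-96",
    "des3-cbc-sha1",
    "arcfour-hmac-md5",
    "des-cbc-crc",
)


class EtypeNoSupp(Exception):
    """Stands in for KRB5KDC_ERR_ETYPE_NOSUPP."""


def find_etype(client_etypes, princ_keys, use_strongest_session_key,
               want_key, clientbest_fallback):
    """Choose the enctype for a ticket's session key.

    client_etypes        enctypes the client offered, in its own order
    princ_keys           {enctype: long-term key} of the target principal
    want_key             caller also needs the target's long-term key
                         (ret_key != NULL in the C snippet)
    clientbest_fallback  apply the fallback from Sergio's variant
    Returns (enctype, key); key is None when no long-term key was wanted.
    """
    enctype = ETYPE_NULL
    clientbest = ETYPE_NULL
    key = None

    if use_strongest_session_key:
        # Walk the KDC list so the strongest enctype common to KDC,
        # client and target wins.
        for e in KDC_ENCTYPES:
            if e not in client_etypes:
                continue
            # Best of {client} intersect {KDC cryptosystem}, recorded
            # before the target principal's keys are consulted.
            if clientbest is ETYPE_NULL:
                clientbest = e
            if e in princ_keys:
                enctype, key = e, princ_keys[e]
                break
    else:
        # Default path: first client-offered enctype that the KDC supports
        # and the target principal has a key for.  clientbest stays unset.
        for e in client_etypes:
            if e in KDC_ENCTYPES and e in princ_keys:
                enctype, key = e, princ_keys[e]
                break

    if (clientbest_fallback and clientbest is not ETYPE_NULL
            and enctype is ETYPE_NULL):
        # No key in common with the target, but a session key need not
        # share an enctype with the target's long-term key.  Use the
        # client's best; only acceptable when no long-term key was wanted.
        enctype = clientbest
        if want_key:
            raise EtypeNoSupp("target has no %s key" % enctype)

    if enctype is ETYPE_NULL:
        raise EtypeNoSupp("no enctype common to client and target")
    return enctype, (key if want_key else None)


# Constructed sample data for the scenarios in the thread.
LEGACY_AKLOG = ["des-cbc-crc"]          # all that old aklog offers
AFS_KEYS_NO_DES = {"aes256-cts-hmac-sha1-96": b"aes256-key",
                   "aes128-cts-hmac-sha1-96": b"aes128-key"}
AFS_KEYS_WITH_DES = dict(AFS_KEYS_NO_DES, **{"des-cbc-crc": b"des-key"})


def legacy_aklog_unpatched():
    """Russ's objection: afs/ has no DES key, so there is no common subset."""
    try:
        return find_etype(LEGACY_AKLOG, AFS_KEYS_NO_DES, True, False, False)
    except EtypeNoSupp:
        return "KRB5KDC_ERR_ETYPE_NOSUPP"


def legacy_aklog_patched():
    """Derrick's setup: fallback plus svc-use-strongest-session-key=true."""
    return find_etype(LEGACY_AKLOG, AFS_KEYS_NO_DES, True, False, True)


def legacy_aklog_patched_without_strongest():
    """The fallback alone does nothing: clientbest is only set on the
    strongest-key path."""
    try:
        return find_etype(LEGACY_AKLOG, AFS_KEYS_NO_DES, False, False, True)
    except EtypeNoSupp:
        return "KRB5KDC_ERR_ETYPE_NOSUPP"


def afs_still_has_des_key():
    """Russ's second point: with a DES key on afs/ and the service key
    wanted, the DES long-term key is what gets used."""
    return find_etype(LEGACY_AKLOG, AFS_KEYS_WITH_DES, True, True, True)
```

Running the four scenario functions shows the difference that matters: the unpatched search fails outright for a DES-only client against a principal with no DES key, the fallback hands out a des-cbc-crc session key without needing a DES long-term key, but only on the strongest-key path, and leaving a DES key on afs/ means that key is still what the service ticket is protected with.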
