[OpenAFS] Heimdal KDC bug mentioned in rekeying document
Derrick Brashear
shadow@gmail.com
Fri, 26 Jul 2013 17:25:09 -0400
On Fri, Jul 26, 2013 at 4:39 PM, Russ Allbery <rra@stanford.edu> wrote:
> Derrick Brashear <shadow@gmail.com> writes:
> > Sergio Gelato <Sergio.Gelato@astro.su.se> wrote:
>
> >> I'm compiling my next (and hopefully final) iteration right now.
> >> I went for this variant:
> >>         if (clientbest != (krb5_enctype)ETYPE_NULL &&
> >>             enctype == (krb5_enctype)ETYPE_NULL) {
> >>             enctype = clientbest;
> >>             if (ret_key == NULL)
> >>                 ret = 0;
> >>         }
> >>
>
> > This plus
> > [kdc]svc-use-strongest-session-key=true
>
> > Works.
>
> svc-use-strongest-session-key looks like it still tries to find something
> in the common subset of supported keys between the client and server, and
> legacy aklog sends only des-cbc-crc as its supported keys. So how could
> this work? Isn't there still no common subset with a principal that has
> no DES keys?
>
There are exactly zero DES keys for afs in the dementia KDC, and I have the
aklog from 1.6.4.
 what ~/aklog.old
/Users/shadow/aklog.old
         OpenAFS 1.6.4 built  2013-07-26
and a KDC built from the tip of heimdal git.
Now, there are possibly side effects elsewhere from this given what appears
to happen in the svc-use-strongest-session-key code path, but for the
limited testing I have done thus far they don't seem to cause any problems.
> And, in 1.5.2, since the server key is forced to the service key (per
> later discussion), if there *is* a DES key for the afs/* principal,
> doesn't that result in using a DES long-term key, thus making the update
> mostly pointless?
>
> --
> Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
>
--
Derrick
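To make the negotiation Russ asks about concrete, here is a small Python model added for this archive page; it is not Heimdal's code and did not come from anyone in the thread. It models only what the messages describe: the KDC intersects the client's requested enctypes with the enctypes of the service principal's long-term keys, svc-use-strongest-session-key picks the strongest member of that intersection rather than the client's first choice, and the quoted variant falls back to the client's best enctype when the intersection is empty (enctype still ETYPE_NULL), succeeding without a service key of that type. The enctype numbers are the RFC 3961 ones; the strength ranking, the function names and the sample key sets are assumptions made for the example.

```python
"""Simplified model of KDC session-key enctype negotiation.

Added illustration for the thread above, not Heimdal's implementation.
Enctype numbers are from RFC 3961; STRENGTH and the function names are
assumptions made for this example.
"""

ETYPE_NULL = 0
ETYPE_DES_CBC_CRC = 1
ETYPE_DES_CBC_MD5 = 3
ETYPE_AES128_CTS_HMAC_SHA1_96 = 17
ETYPE_AES256_CTS_HMAC_SHA1_96 = 18

# Assumed ranking, higher is stronger; only used to pick "strongest"/"best".
STRENGTH = {
    ETYPE_AES256_CTS_HMAC_SHA1_96: 3,
    ETYPE_AES128_CTS_HMAC_SHA1_96: 2,
    ETYPE_DES_CBC_MD5: 1,
    ETYPE_DES_CBC_CRC: 0,
}


def select_session_enctype(client_etypes, service_key_etypes,
                           use_strongest=False, fallback_to_client_best=False):
    """Choose the session-key enctype for a service ticket.

    client_etypes           enctypes in the client's TGS request, in its order
    service_key_etypes      enctypes of the service principal's long-term keys
    use_strongest           model of [kdc] svc-use-strongest-session-key
    fallback_to_client_best model of the quoted variant: when nothing matched,
                            take the client's best enctype anyway

    Returns (enctype, key_available). key_available is False when the
    enctype came from the fallback, i.e. the service has no key of that type
    (the "if (ret_key == NULL) ret = 0;" path in the quoted code).
    """
    supported = [e for e in client_etypes if e in STRENGTH]   # drop unknown types
    common = [e for e in supported if e in service_key_etypes]

    enctype = ETYPE_NULL
    if common:
        enctype = (max(common, key=STRENGTH.__getitem__)
                   if use_strongest else common[0])

    clientbest = (max(supported, key=STRENGTH.__getitem__)
                  if supported else ETYPE_NULL)
    if fallback_to_client_best and clientbest != ETYPE_NULL and enctype == ETYPE_NULL:
        return clientbest, False

    return enctype, enctype != ETYPE_NULL


# Constructed sample inputs mirroring the thread's scenarios (assumed key sets).
LEGACY_AKLOG = [ETYPE_DES_CBC_CRC]                 # legacy aklog offers only des-cbc-crc
MODERN_CLIENT = [ETYPE_AES128_CTS_HMAC_SHA1_96,
                 ETYPE_AES256_CTS_HMAC_SHA1_96,
                 ETYPE_DES_CBC_CRC]
AFS_NO_DES = [ETYPE_AES256_CTS_HMAC_SHA1_96,       # afs/* principal with no DES key
              ETYPE_AES128_CTS_HMAC_SHA1_96]
AFS_WITH_DES = AFS_NO_DES + [ETYPE_DES_CBC_CRC]    # afs/* principal that kept a DES key


def thread_scenarios():
    """Run the cases discussed in the thread; returns name -> (enctype, key_available)."""
    return {
        # Russ's question: no common subset, so plain selection yields nothing.
        "legacy, no DES key, stock": select_session_enctype(LEGACY_AKLOG, AFS_NO_DES),
        "legacy, no DES key, strongest": select_session_enctype(
            LEGACY_AKLOG, AFS_NO_DES, use_strongest=True),
        # The quoted variant: fall back to the client's best, with no service key.
        "legacy, no DES key, strongest+fallback": select_session_enctype(
            LEGACY_AKLOG, AFS_NO_DES, use_strongest=True, fallback_to_client_best=True),
        # Russ's second point: if afs/* still has a DES key, DES matches outright.
        "legacy, DES key present, strongest+fallback": select_session_enctype(
            LEGACY_AKLOG, AFS_WITH_DES, use_strongest=True, fallback_to_client_best=True),
        # What svc-use-strongest-session-key changes for a modern client.
        "modern, no DES key, stock": select_session_enctype(MODERN_CLIENT, AFS_NO_DES),
        "modern, no DES key, strongest": select_session_enctype(
            MODERN_CLIENT, AFS_NO_DES, use_strongest=True),
    }


if __name__ == "__main__":
    for name, (etype, has_key) in thread_scenarios().items():
        print(f"{name:45s} -> enctype {etype:2d}, service key available: {has_key}")
```

The model makes the trade-off in the quoted variant visible: the fallback lets a legacy aklog get a des-cbc-crc session key from a service principal that has no DES long-term key at all, while a principal that still carries a DES key matches DES directly.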