[OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document

Jeffrey Hutzelman jhutz@cmu.edu
Tue, 30 Jul 2013 21:17:23 -0400


On Tue, 2013-07-30 at 19:44 -0400, Jeffrey Altman wrote:
> On 7/30/2013 7:32 PM, Benjamin Kaduk wrote:
> > On Tue, 30 Jul 2013, Jeffrey Altman wrote:
> > 
> >> This is an incorrect description.  The explicit problem occurs when the
> >> following combination is true:
> >>
> >> 1. user has one or more strong enctype keys with non-default
> >>    password salts
> >>
> >> 2. the only keys with default password salts are weak enctypes
> >>
> >> 3. preauth is required
> > 
> > A bit off-topic (and feel free to go off-list), but I'm curious if there
> > is anything that can be said in general to be a cause for the presence
> > of non-default salts.
> > 
> > Thanks,
> > 
> > Ben
> 
> Realm or principal renaming without updating the keys.  This is not
> specific to Heimdal.

Also, some realms contain keys that date back to when they were running
krb4; these have non-default salts, according to krb5's way of thinking.
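
The three-part combination from the quoted message, written as an audit check over principal records; this is an added example, not code from the thread or from Heimdal. The record layout, the sample principals, the single-DES "weak" list and the reading that at least one default-salted key must exist are assumptions. The default salt rule used (realm followed by the name components, no separators) is the standard krb5 one, and krb4-era keys are shown with an empty salt.

```python
# Added illustration. Record layout and sample data are constructed, not from a real KDC.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}  # assumption: single-DES = weak


def default_salt(name: str, realm: str) -> bytes:
    """krb5 default salt: realm, then each name component, with no separators."""
    return (realm + "".join(name.split("/"))).encode()


def matches_combination(entry: dict) -> bool:
    """True when all three conditions listed in the thread hold for one principal."""
    expected = default_salt(entry["name"], entry["realm"])
    strong_nondefault = False   # condition 1: a strong key with a non-default salt
    default_salted = []         # enctypes of keys carrying the default salt
    for enctype, salt in entry["keys"]:
        if salt == expected:
            default_salted.append(enctype)
        elif enctype not in WEAK_ENCTYPES:
            strong_nondefault = True
    # condition 2 (assumed reading): default-salted keys exist and all are weak
    only_weak_default = bool(default_salted) and all(
        e in WEAK_ENCTYPES for e in default_salted)
    return strong_nondefault and only_weak_default and entry["requires_preauth"]


# Constructed case: realm renamed OLD.EXAMPLE -> EXAMPLE.ORG, strong key never updated.
renamed = {
    "name": "alice", "realm": "EXAMPLE.ORG", "requires_preauth": True,
    "keys": [("aes256-cts-hmac-sha1-96", default_salt("alice", "OLD.EXAMPLE")),
             ("des-cbc-crc", default_salt("alice", "EXAMPLE.ORG"))],
}
# Constructed case: a leftover krb4-era DES key (empty salt) beside a freshly salted AES key.
krb4_era = {
    "name": "bob", "realm": "EXAMPLE.ORG", "requires_preauth": True,
    "keys": [("des-cbc-crc", b""),
             ("aes256-cts-hmac-sha1-96", default_salt("bob", "EXAMPLE.ORG"))],
}

if __name__ == "__main__":
    for entry in (renamed, krb4_era):
        print(entry["name"], "matches" if matches_combination(entry) else "ok")
```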