[OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document
Harald Barth
haba@kth.se
Wed, 31 Jul 2013 07:28:50 +0200 (CEST)
> This is an incorrect description.
That might very well be, but I thought it was better than nothing
because others who are in trouble might want to know that they are not
alone ;-/
> The explicit problem occurs when the
> following combination is true:
>
> 1. user has one or more strong enctype keys with non-default
> password salts
>
> 2. the only keys with default password salts are weak enctypes
I don't know how the user would have ended up with that combination
and I don't know how the enctype list looked before the user was told
to change password.
> 3. preauth is required
As 1.5.x seems to have the bug that you can't turn it off, yes of
course.
> In this combination, the strong enctype with the non-default password
> salt will not be recommended to the client in the pa-etype-info or
> pa-etype-info2 data sent with the preauth required error reply.
And what would happen if there is no strong enctype at all?
> Since no pa-etype hint was provided the client chooses its preferred
> enctype which is aes256.
> A correction has been prepared and will be submitted after testing.
:-)
Harald.
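As an added illustration (not Heimdal code and not part of the thread), a small Python model of the pre-auth hint selection quoted above, with the buggy and the corrected KDC side beside the client fallback the quoted text describes; the enctype sets, the client preference, the sample principal and the client's choice rule are assumptions made for this model.

```python
from dataclasses import dataclass

# Assumed enctype classes and client preference, following the thread.
STRONG_ENCTYPES = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"}
CLIENT_PREFERRED = "aes256-cts-hmac-sha1-96"

@dataclass(frozen=True)
class Key:
    enctype: str
    salt: str  # the password salt this key was derived with

def default_salt(realm: str, principal: str) -> str:
    # Default Kerberos password salt: realm name followed by the principal.
    return realm + principal

def kdc_hints_buggy(keys, default):
    # Buggy: only default-salt keys are advertised, so the strong key is dropped.
    return [k for k in keys if k.salt == default]

def kdc_hints_fixed(keys, default):
    # Corrected: advertise every key with its salt, strongest first.
    return sorted(keys, key=lambda k: k.enctype not in STRONG_ENCTYPES)

def client_choose(hints, default):
    # Assumed client rule: take the first strong hint; with none, fall back to
    # the preferred enctype and the default salt, as the quoted text says.
    for k in hints:
        if k.enctype in STRONG_ENCTYPES:
            return k
    return Key(CLIENT_PREFERRED, default)

def preauth_succeeds(keys, chosen):
    # Pre-auth verifies only if the KDC holds that enctype with the same salt.
    return chosen in set(keys)

def simulate(keys, default, hints_fn):
    chosen = client_choose(hints_fn(keys, default), default)
    return chosen, preauth_succeeds(keys, chosen)

# Constructed sample principal matching points 1 and 2 of the quoted text.
DEFAULT = default_salt("EXAMPLE.ORG", "alice")
KEYS = [
    Key("aes256-cts-hmac-sha1-96", "legacy-salt"),  # strong, non-default salt
    Key("des-cbc-crc", DEFAULT),                    # weak, default salt
]

if __name__ == "__main__":
    for name, fn in (("buggy", kdc_hints_buggy), ("fixed", kdc_hints_fixed)):
        chosen, ok = simulate(KEYS, DEFAULT, fn)
        print(f"{name}: {chosen.enctype} salt={chosen.salt!r} -> {'ok' if ok else 'FAIL'}")
```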