[OpenAFS] Re: aklog error: unknown RPC error (-1765328184) while getting AFS tickets allow_weak_enctypes may be required in the Kerberos configuration

Andrew Deason adeason@sinenomine.net
Fri, 8 Nov 2013 10:19:45 -0600


On Thu, 7 Nov 2013 22:16:43 +0000
Greg Wilson <Greg.Wilson@asu.edu> wrote:

> Kerberos error code returned by get_cred : -1765328184
> aklog: Couldn't get asu.edu AFS tickets:
> aklog: unknown RPC error (-1765328184) while getting AFS tickets allow_weak_enctypes may be required in the Kerberos configuration

As you already know, the option is actually allow_weak_crypto. This
error message is wrong, and was fixed in OpenAFS 1.6.2.

Also, are you running the binaries from openafs.org, or from where did
you get your binaries? If 'aklog' is built on RHEL6 (or any
sufficiently-modern libkrb5), you shouldn't get this error message,
since aklog can turn on this option for itself, instead of needing to
alter the system configuration.

> As the error suggests, adding "allow_weak_crypto = true" to krb5.conf
> makes the errors go away.
> 
> Can someone tell me what the security ramifications of this are?

Part of the protocol that OpenAFS uses for authenticated communication
over the network uses a short-term DES key. Semi-recently, Kerberos
implementations started not allowing DES to be used by default, to
encourage people to not use DES, and to make the usage of DES more
visible. With OpenAFS, you currently do not have a choice, and we must
get a DES key from Kerberos, since that is the only thing the rxkad
protocol allows.

(Using non-DES session keys is part of the rxgk project in progress,
which you can read about in other places. Note that using short-term DES
session keys is different in terms of security ramifications from using
long-term DES keys, which is what was fixed in 1.6.5.)

So, the security ramifications of turning that on are that programs
using libkrb5 and that use DES will work, and you may not be aware that
they are using DES. As mentioned above, aklog has the ability to turn
this option on automatically just for aklog, so it doesn't impact the
rest of the system.

-- 
Andrew Deason
adeason@sinenomine.net
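The thread's point is visibility: `allow_weak_crypto = true` in krb5.conf is system-wide, so any libkrb5 program may silently negotiate DES, while the ticket aklog needs is only the AFS service ticket. The following script is an added example (not from this thread, OpenAFS or MIT Kerberos) that checks a krb5.conf for that setting and scans `klist -e` style output for tickets whose session key is single DES, so an administrator can see exactly which services are using it. The krb5.conf and klist text embedded below are constructed samples, not real output.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample krb5.conf (not from the thread). The [libdefaults]
# setting is the system-wide switch the message warns about.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = true

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

# Constructed sample in the shape of `klist -e` output (ticket line followed
# by an "Etype (skey, tkt)" line). Principals and times are made up.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
11/08/2013 10:00:00  11/08/2013 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
11/08/2013 10:00:05  11/08/2013 20:00:00  afs/example.com@EXAMPLE.COM
\tEtype (skey, tkt): des-cbc-crc, aes256-cts-hmac-sha1-96
"""

# Single-DES enctype names as MIT Kerberos prints them; these are the ones
# gated by allow_weak_crypto in the era the thread discusses.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-hmac-sha1"}

# Values MIT's configuration parser accepts as boolean true.
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}


def parse_krb5_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal krb5.conf reader: top-level key = value pairs per section.
    Brace-delimited subsections (e.g. realm blocks) are skipped, since only
    [libdefaults] matters for this check."""
    sections: Dict[str, Dict[str, str]] = {}
    section = ""
    depth = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            sections.setdefault(section, {})
            depth = 0
            continue
        if "{" in line:
            depth += 1
            continue
        if "}" in line:
            depth -= 1
            continue
        if depth == 0 and section and "=" in line:
            key, value = line.split("=", 1)
            sections[section][key.strip()] = value.strip()
    return sections


def allow_weak_crypto_enabled(conf: Dict[str, Dict[str, str]]) -> bool:
    """True if [libdefaults] turns on allow_weak_crypto for every program."""
    value = conf.get("libdefaults", {}).get("allow_weak_crypto", "false")
    return value.lower() in TRUE_VALUES


def weak_session_keys(klist_text: str) -> List[Tuple[str, str]]:
    """Return (service principal, session-key enctype) for each ticket whose
    session key ("skey") uses a single-DES enctype."""
    found: List[Tuple[str, str]] = []
    service = ""
    for raw in klist_text.splitlines():
        line = raw.strip()
        parts = line.split()
        # A ticket line is "<date> <time> <date> <time> <principal>".
        if len(parts) == 5 and "@" in parts[4]:
            service = parts[4]
            continue
        m = re.match(r"Etype \(skey, tkt\):\s*([^,\s]+),\s*(\S+)", line)
        if m and service and m.group(1).lower() in WEAK_ENCTYPES:
            found.append((service, m.group(1).lower()))
    return found


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    print("allow_weak_crypto system-wide:", allow_weak_crypto_enabled(conf))
    for principal, etype in weak_session_keys(SAMPLE_KLIST):
        print(f"DES session key: {principal} ({etype})")
```

On a real host, replace the two sample strings with the contents of `/etc/krb5.conf` and the output of `klist -e`; a DES session key showing up only on the `afs/...` ticket is the expected picture for a 1.6-era aklog, while DES on other services is the "may not be aware" case the message describes.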