[OpenAFS] Help rekeying cell when both service principals (afs@REALM and afs/cell@REALM) exist

Jeffrey Hutzelman jhutz@cmu.edu
Sun, 24 Nov 2013 09:53:07 -0500
On Thu, 2013-11-21 at 10:34 -0700, Kim Kimball wrote:

> I don't have direct access to the ancient Transarc clients for testing.  
> Always a wrinkle.  I've built some tools for the older platforms but 
> tools for _all_ the ancient *NIX clients are probably not reliably 
> included in that, nor do I expect I will have a build environment on the 
> oldest ... so I may not be able to update all client software to 1.6.5 
> unless I can (miraculously) get OS updates into the mix.

Note that you don't actually have to upgrade all of OpenAFS on the
client to get the benefits of the new behavior.  You actually only need
to upgrade aklog and whatever similar tools you're using.
> We may just decide to trust anyone on the campus network and shut down 
> access to AFS servers from non campus networks, but I'd rather get at 
> least the rxkad.keytab in place -- servers are all 1.6.5 so at least 
> that much should work if we/I don't do something vile to 
> /usr/afs/etc/KeyFile ...  and if I've read the documentation correctly 
> there is at least some significant advantage to getting rid of 
> single-DES private server keys ...

Yes, there is.  These days, DES keys are fairly cheap to brute-force, in
both time and money (about one day and $100), if you have a
corresponding plaintext/ciphertext pair.  So long-lived server keys are
an attractive target.

-- Jeff