[OpenAFS] Help rekeying cell when both service principals (afs@REALM and afs/cell@REALM) exist
Sun, 24 Nov 2013 14:23:16 -0700
> On Thu, 2013-11-21 at 10:34 -0700, Kim Kimball wrote:
> > I don't have direct access to the ancient Transarc clients for testing.
> > Always a wrinkle. I've built some tools for the older platforms but
> > tools for _all_ the ancient *NIX clients are probably not reliably
> > included in that, nor do I expect I will have a build environment on the
> > oldest ... so I may not be able to update all client software to 1.6.5
> > unless I can (miraculously) get OS updates into the mix.
> Note that you don't actually have to upgrade all of OpenAFS on the
> client to get the benefits of the new behavior. You actually only need
> to upgrade aklog and whatever similar tools you're using.
Right. It's the ability to build the newer tools on the antiques (absence of access a/o build environments) that may frustrate the "update the tools only" approach, but in at least some cases there is apparently zero chance of an OS update that newer tools could piggyback on. I'll cheerfully take whatever I can get to work.
> > We may just decide to trust anyone on the campus network and shut down
> > access to AFS servers from non campus networks, but I'd rather get at
> > least the rxkad.keytab in place -- servers are all 1.6.5 so at least
> > that much should work if we/I don't do something vile to
> > /usr/afs/etc/KeyFile ... and if I've read the documentation correctly
> > there is at least some significant advantage to getting rid of
> > single-DES private server keys ...
> Yes, there is. These days, DES keys are fairly cheap to brute-force, in
> both time and money (about one day and $100), if you have a
> corresponding plaintext/ciphertext pair. So long-lived server keys are
> an attractive target.
Nice to know I've at least understood that piece.
> -- Jeff
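Added example, not part of the original thread or of OpenAFS: a small audit that lists which entries in a keytab still carry single-DES keys, the kind of long-lived server key discussed above. It assumes the file (for instance rxkad.keytab) uses the MIT krb5 keytab layout, version 0x0502; the function names, the EXAMPLE.ORG realm and cell, and the all-zero key bytes are constructed for illustration.

```python
import struct

# Kerberos enctype numbers that denote single-DES keys.
SINGLE_DES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}

def counted(buf, off):
    """Read a uint16-length-prefixed byte string; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Yield (principal, kvno, enctype) for each live entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    off = 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                  # negative size: hole left by a deleted entry
            off -= size
            continue
        entry, off = data[off:off + size], off + size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, p = counted(entry, 2)
        comps = []
        for _ in range(ncomp):
            c, p = counted(entry, p)
            comps.append(c.decode())
        p += 8                         # skip name_type and timestamp
        kvno, enctype, keylen = struct.unpack_from(">BHH", entry, p)
        p += 5 + keylen                # skip the key bytes; they are never printed
        if len(entry) - p >= 4:        # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", entry, p)[0] or kvno
        yield "/".join(comps) + "@" + realm.decode(), kvno, enctype

def weak_entries(data):
    """Return (principal, kvno, enctype name) for every single-DES entry."""
    return [(princ, kvno, SINGLE_DES[e])
            for princ, kvno, e in parse_keytab(data) if e in SINGLE_DES]

def build_entry(realm, comps, kvno, enctype, key):
    """Build one constructed keytab entry (sample data only)."""
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno, enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: one single-DES entry and one AES-256 entry, dummy zero keys.
SAMPLE = (b"\x05\x02" + build_entry("EXAMPLE.ORG", ["afs"], 3, 1, bytes(8))
          + build_entry("EXAMPLE.ORG", ["afs", "example.org"], 4, 18, bytes(32)))
```

To audit a real file, pass its bytes to `weak_entries`, for example `weak_entries(open(path, "rb").read())`; an empty list means no single-DES entries were found.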