[OpenAFS] Re: DES session key after removal of KeyFile

Andrew Deason adeason@sinenomine.net
Wed, 12 Feb 2014 09:49:30 -0600


On Wed, 12 Feb 2014 14:34:09 +0000
Brandon Allbery <ballbery@sinenomine.net> wrote:

> On Wed, 2014-02-12 at 14:20 +0100, Staffan Hämälä wrote:
> > For some reason, we're still getting a DES session key after removing 
> > the KeyFile on all OpenAFS-servers, and touching CellServDB, according 
> > to these instructions:
> > https://www.openafs.org/pages/security/install-rxkad-k5-1.6.txt
> > 
> > Old clients still work even though there is no DES in rxkad.keytab.

Yes, that's expected, unless you take additional actions to disallow
that.

> The session key is unrelated to the existence of DES key material in
> KeyFile or rxkad.keytab; it does however indicate DES keys still exist
> in the KDC and DES is still enabled.

The session key should be generated randomly; it doesn't come from a DES
key in the db. Usually a KDC will determine what session key enctypes
are available from what principal key enctypes are available, but DES is
a special case. DES is always considered to be available as a session
key enctype, unless you specifically disable it on the KDC. For both
Heimdal and MIT I think, the allow_weak_crypto (not allow_weak_enctypes,
unless I have that reversed) option can turn that off. Newer MIT also
has some kadmin commands for changing what session key enctypes are
available on a per-principal basis.

There are some exceptions to the above (which can make this a bit
confusing), see the "Note for Heimdal" in
<https://www.openafs.org/pages/security/how-to-rekey.txt>. And the
configuration knobs and whatnot on AD are completely different, of
course.

-- 
Andrew Deason
adeason@sinenomine.net
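
The situation discussed in this thread (an AES-encrypted service ticket that still carries a DES session key) can be spotted on a client by reading `klist -e` output. The following is an added example, not part of the original message or of OpenAFS: a Python sketch that assumes MIT-style `Etype (skey, tkt):` lines, uses constructed sample output for a made-up EXAMPLE.ORG cell, and uses hypothetical function names.

```python
import re

# Single-DES enctype names as MIT "klist -e" prints them (assumed output format).
WEAK_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}

# "<start date> <start time>  <end date> <end time>  <service principal>"
TICKET_RE = re.compile(r"^\S+ \S+\s+\S+ \S+\s+(?P<service>\S+@\S+)\s*$")
# "Etype (skey, tkt): <session key enctype>, <ticket enctype>"
ETYPE_RE = re.compile(r"^\s*Etype \(skey, tkt\):\s*(?P<skey>[^,]+),\s*(?P<tkt>.+?)\s*$")

# Constructed sample: the ticket is AES (no DES in rxkad.keytab), the session key is DES.
SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.ORG

Valid starting       Expires              Service principal
02/12/2014 09:00:00  02/12/2014 19:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
    Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
02/12/2014 09:00:05  02/12/2014 19:00:00  afs/example.org@EXAMPLE.ORG
    Etype (skey, tkt): des-cbc-crc, aes256-cts-hmac-sha1-96
"""

def parse_klist(text):
    """Return [(service, session_key_enctype, ticket_enctype), ...]."""
    tickets, service = [], None
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            service = m.group("service")  # remember until its Etype line arrives
            continue
        m = ETYPE_RE.match(line)
        if m and service:
            tickets.append((service, m.group("skey").strip(), m.group("tkt").strip()))
            service = None
    return tickets

def des_session_keys(text, prefixes=("afs/", "afs@")):
    """AFS service tickets whose session key (not ticket key) is single DES."""
    return [t for t in parse_klist(text)
            if t[0].startswith(prefixes) and t[1] in WEAK_DES]

if __name__ == "__main__":
    for service, skey, tkt in des_session_keys(SAMPLE):
        print(f"{service}: session key {skey}, ticket encrypted with {tkt}")
```
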