[OpenAFS] Done the rekeying of my cell, but unpatched clients still works

Benjamin Kaduk kaduk@MIT.EDU
Wed, 8 Jan 2014 13:13:32 -0500 (EST)


On Wed, 8 Jan 2014, Jose Manuel dos Santos Calhariz wrote:

> I have a cell of OpenAFS and a kerberos5 realm for tests.  I have done the
> re-keying of afs/celname@REALMNAME as explained in
>
> http://openafs.org/pages/security/install-rxkad-k5-1.6.txt
> http://openafs.org/pages/security/how-to-rekey.txt
>
> But I have made some mistake somewhere, because when I test with unpatched
> clients 1.4.x they still authenticate.

Isn't this a feature, not a bug?

The actual on-the-wire crypto is unchanged from the 1.4 era (much earlier, 
really); the real security benefit is gained on the server side.

-Ben Kaduk