[OpenAFS] Done the rekeying of my cell, but unpatched clients
Jose Manuel dos Santos Calhariz
Thu, 09 Jan 2014 19:11:28 +0000
On 08-01-2014 18:49, Jeffrey Altman wrote:
> On 1/8/2014 1:11 PM, Jose Manuel dos Santos Calhariz wrote:
>> I have a cell of OpenAFS and a kerberos5 realm for tests. I have done
>> the re-keying of afs/celname@REALMNAME as explained in
>> But I have made some mistake somewhere, because when I test with
>> unpatched clients 1.4.x they still authenticate.
> The only situations in which older clients would not authenticate are:
> 1. the Kerberos v5 KDC is configured to not issue DES session keys.
> The session key is different from the long term AFS service key
> that you replaced.
I commented out the line "allow_weak_crypto = true" in
/etc/krb5kdc/kdc.conf. Now the unpatched clients don't work, as I
> 2. the client Kerberos contains a bug that results in the client
> core dumping if a service key enctype is used that is not
> recognized by the client. Such a client would need to be really
> really old.
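
An added example, not part of the original thread: a small Python audit for the condition in point 1, flagging settings in a krb5.conf/kdc.conf-style file that still let the KDC work with DES. The function name, the sample configuration and the realm EXAMPLE.TEST are constructed for illustration; the single-DES enctype names and boolean spellings are the ones assumed from MIT krb5's configuration syntax.

```python
import re

# Assumption: single-DES enctype names as spelled in MIT krb5 config files.
DES_ENCTYPES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
ENCTYPE_KEYS = {"supported_enctypes", "permitted_enctypes",
                "default_tkt_enctypes", "default_tgs_enctypes"}
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}


def audit_krb5_config(text):
    """Return (line_number, message) for each setting that keeps DES usable."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Skip blanks, comments, section headers and lines without key = value.
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "allow_weak_crypto" and value.lower() in TRUE_VALUES:
            findings.append((lineno, "allow_weak_crypto is enabled"))
        elif key in ENCTYPE_KEYS:
            # Entries are space- or comma-separated; kdc.conf adds ":salttype".
            names = {e.split(":")[0].lower()
                     for e in re.split(r"[\s,]+", value) if e}
            weak = sorted(names & DES_ENCTYPES)
            if weak:
                findings.append((lineno, f"{key} lists DES: {', '.join(weak)}"))
    return findings


# Constructed sample: the weak setting beside the corrected one.
SAMPLE_BEFORE = """\
[libdefaults]
    allow_weak_crypto = true
[realms]
    EXAMPLE.TEST = {
        supported_enctypes = aes256-cts:normal des-cbc-crc:normal
    }
"""
SAMPLE_AFTER = """\
[libdefaults]
#    allow_weak_crypto = true
[realms]
    EXAMPLE.TEST = {
        supported_enctypes = aes256-cts:normal
    }
"""

if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit_krb5_config(cfg))
```

An empty result only means the file itself no longer enables DES; existing principals can still hold DES keys from before the change.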