[OpenAFS] Done the rekeying of my cell, but unpatched clients still work

Jose Manuel dos Santos Calhariz jose.calhariz@netvisao.pt
Thu, 09 Jan 2014 19:11:28 +0000


On 08-01-2014 18:49, Jeffrey Altman wrote:
> On 1/8/2014 1:11 PM, Jose Manuel dos Santos Calhariz wrote:
>> I have a cell of OpenAFS and a kerberos5 realm for tests.  I have done
>> the re-keying of afs/cellname@REALMNAME as explained in
>>
>> http://openafs.org/pages/security/install-rxkad-k5-1.6.txt
>> http://openafs.org/pages/security/how-to-rekey.txt
>>
>> But I have made some mistake somewhere, because when I test with
>> unpatched 1.4.x clients they still authenticate.
> The only situations in which older clients would not authenticate are:
>
>   1. the Kerberos v5 KDC is configured to not issue DES session keys.
>      The session key is different from the long term AFS service key
>      that you replaced.

I commented out the line "allow_weak_crypto = true" in
/etc/krb5kdc/kdc.conf.  Now the unpatched client doesn't work, as I
expected.


>
>   2. the client Kerberos contains a bug that results in the client
>      core dumping if a service key enctype is used that is not
>      recognized by the client.  Such a client would need to be really
>      really old.
>
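Added example (not part of the thread above): a small POSIX shell check, written here for illustration, that reports whether a Kerberos configuration file still lets the KDC issue DES keys. It looks for an uncommented `allow_weak_crypto = true` (the setting the poster commented out) and for `des-` enctypes in the usual enctype lists. Assumptions: MIT krb5 profile syntax (comment lines start with `#` or `;`, booleans may be spelled true/yes/on/1/t/y), and the two sample config files are constructed in a temp directory so the script runs offline; the realm name and file names are placeholders, not from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: find weak-crypto settings in a
# Kerberos config file. Assumes MIT krb5 profile syntax.

# Match an uncommented "key = value" line.  $1 = file, $2 = key regex,
# $3 = value regex (both extended, case-insensitive).  Exit 0 when found.
has_relation() {
    grep -Eiq "^[[:space:]]*($2)[[:space:]]*=[[:space:]]*($3)" "$1"
}

# True when allow_weak_crypto is explicitly enabled (MIT boolean spellings;
# the accepted set of spellings is an assumption of this example).
weak_crypto_enabled() {
    has_relation "$1" 'allow_weak_crypto' '(true|yes|on|1|t|y)[[:space:]]*$'
}

# True when an enctype list still names a des- enctype before any comment.
des_enctypes_listed() {
    has_relation "$1" \
        'supported_enctypes|permitted_enctypes|default_tgs_enctypes|default_tkt_enctypes' \
        '([^#;]*[[:space:],])?des-'
}

# Print findings for one file; return 0 only when nothing weak was found.
check_kdc_config() {
    rc=0
    if weak_crypto_enabled "$1"; then
        echo "$1: allow_weak_crypto is enabled; DES session keys can be issued"
        rc=1
    fi
    if des_enctypes_listed "$1"; then
        echo "$1: a DES enctype is still listed in an enctype list"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "$1: no weak-crypto settings found"
    return "$rc"
}

# Constructed sample configs: the "before" and "after" of the fix described
# in the thread.  EXAMPLE.TEST is a placeholder realm.
TMPDIR_EXAMPLE=$(mktemp -d)
WEAK_CONF="$TMPDIR_EXAMPLE/kdc.conf.weak"
FIXED_CONF="$TMPDIR_EXAMPLE/kdc.conf.fixed"

cat >"$WEAK_CONF" <<'EOF'
[libdefaults]
    allow_weak_crypto = true
[realms]
    EXAMPLE.TEST = {
        supported_enctypes = aes256-cts:normal des-cbc-crc:normal
    }
EOF

cat >"$FIXED_CONF" <<'EOF'
[libdefaults]
    # allow_weak_crypto = true
[realms]
    EXAMPLE.TEST = {
        supported_enctypes = aes256-cts:normal aes128-cts:normal
    }
EOF

check_kdc_config "$WEAK_CONF" || echo "  -> fix needed (exit status $?)"
check_kdc_config "$FIXED_CONF" && echo "  -> ok"
```

This is only a static check of the file; the decisive test is the one the poster ran, namely that an unpatched 1.4.x client can no longer authenticate once the KDC stops issuing DES session keys. Run it as `check_kdc_config /etc/krb5kdc/kdc.conf` (and on `/etc/krb5.conf`, since the KDC reads both) to see whether the weak setting survived anywhere.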