[OpenAFS] permission issue when trying to switch kerberos realms.
Wed, 17 Jan 2018 09:39:53 -0500
On 01/17/2018 05:18 AM, Harald Barth wrote:
> I wrote
>>> I actually don't know how high a kvno can be but up to 32767 (2^15-1)
>>> "feels" safe.
> That was probably WRONG as Sergio pointed out to me.
> Sergio wrote:
>> It doesn't feel all that safe to me. True, RFC 4120 specifies the kvno as
>> UInt32, but https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fk5wiki.kerberos.org%2Fwiki%2FProjects%2FLarger_key_versions&data=01%7C01%7Cbhc%40pitt.edu%7C4257f07ac19a4553cb8208d55d93d632%7C9ef9f489e0a04eeb87cc3a526112fd0d%7C1&sdata=YirCxDFnp5GNko1Bg3vlybGPO5tPWbuZdb8vLKE09DM%3D&reserved=0
>> makes interesting reading. Version 1.14 isn't all that old; Debian 8 only
>> has version 1.12.
>> Maybe if one requires rxkad-k5 it's OK to have kvno>255, but back in
>> Kerberos 4 days it definitely wasn't. The OpenAFS code base still contains
>> things like
>> if (kvno > 255)
>> return KAANSWERTOOLONG;
>> (in src/kauth/krb_udp.c) and
>> @t(kvno)@\is a @b(one byte) key identifier associated with the key. It
>> will be included in any ticket created by the AuthServer encrypted with
>> this key.
>> (in src/kauth/AuthServer.mss).
> One byte. Auch.
> So until rxkad-k5 (around the corner - just kidding) we are probably
> stuck with that. So if you want to devide your KVNO space into two
> parts, around 100 for each is what you get :-(
> OpenAFS-info mailing list
University of Pittsburgh/CSSD
Network Operations Center