On Fri, Aug 22, 2008 at 10:55:09AM -0500, Douglas E. Engert wrote:
> You may want to ask the question on the openafs-info list,
> as to who is still using the AFS string to key, and if anyone
> wants to use your KDC with it.

Okay.

> Note that RFC 4120 section 7.5.2. PreAuthentication Data Types
> defines: PA-AFS3-SALT 10
> So you may want to keep it, at least on the client side.

Potentially, but we are not testing it, which is risky. So if we decide to
officially support it we need to weigh the additional development cost.

> Will Fiveash wrote:
> > I'm wondering what the best solution is in regards to OpenSolaris krb
> > handling the afs3 salt type. Our kdc.conf man page states that only the
> > normal salt type is supported and there is a bug CR relating to this:
> >
> > 6734142 krb should only accept the normal salt type
> >
> > in which I write:
> >
> > I researched this and from the MIT krb5 sysadmin guide:
> >
> > http://web.mit.edu/Kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Salts.html
> >
> >     afs3
> >         AFS version 3, only used for compatibility with Kerberos 4 in AFS
> >
> > Since we do not support krb4 I'm going to change this CR to an RFE
> > and the code change will be to return an error for any unsupported
> > salt types, which basically means any type other than normal.
>
> Other than normal? Normal, realm, V4, etc. are terms used by the KDC.
>
> Do you mean KRB5_PADATA_PW_SALT (in 4120 as PA-PW-SALT) vs
> KRB5_PADATA_AFS3_SALT (PA-AFS3-SALT)?

I was thinking about the kadmin -e "enctype:salt" argument that:

    Override the list of enctype:salttype pairs given in kdc.conf(4) for
    setting the key of the principal. The quotes are necessary if there
    are multiple enctype:salttype pairs. One key for each similar enctype
    and same salttype will be created and the first one listed will be
    used. For example, in a list of two similar enctypes with the same
    salt, "des-cbc-crc:normal des-cbc-md5:normal", one key will be
    created and it will be of type des-cbc-crc:normal.

I was proposing that OS kadmin return an error for any salt type other
than "normal". Note in the OS (and MIT) krb code there is this table in
str_conv.c:

    /*
     * Lookup tables.
     */

    #include <krb5/kdb.h>

    static const struct salttype_lookup_entry salttype_table[] = {
    /* salt type                    input specifier output string          */
    /*----------------------------- --------------- -----------------------*/
    { KRB5_KDB_SALTTYPE_NORMAL,     "normal",       "Version 5" },
    { KRB5_KDB_SALTTYPE_V4,         "v4",           "Version 4" },
    { KRB5_KDB_SALTTYPE_NOREALM,    "norealm",      "Version 5 - No Realm" },
    { KRB5_KDB_SALTTYPE_ONLYREALM,  "onlyrealm",    "Version 5 - Realm Only" },
    { KRB5_KDB_SALTTYPE_SPECIAL,    "special",      "Special" },
    { KRB5_KDB_SALTTYPE_AFS3,       "afs3",         "AFS version 3" }
    };

Officially OS krb only supports "normal".

> > What now worries me is this older e-mail I found to kerberos at mit.edu:
> >
> > Date: Mon, 10 Dec 2007 09:47:05 -0600
> > From: John Tang Boyland <boyland at cs.uwm.edu>
> > Subject: Using AFS salt with Solaris and MIT (Was Re: Kerberos Digest,
> >     Vol 60, Issue 9)
> > To: kerberos at mit.edu
> > Cc: Jeff Blaine <jblaine at kickflop.net>
> >
> > We just installed Solaris 10 on our intel box and found out
> > that the Sun-supplied pam_krb5 (as well as kinit) seg fault
> > when given a principal with AFS3 salt. The server is MIT krb1.5.4
> > patched.
> > It seg faults before asking for a password. Workaround? Use MIT
> > kinit. Other workaround? Ask users to "change" passwords, where
> > they don't actually need to use a new password...
> >
> > John
> > ________________________________________________
> > Kerberos mailing list Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> >
> > Given OpenSolaris krb may be interacting with KDCs that support princs
> > with an afs3 salt type, should we support it as a valid argument to
> > kadmin and other utilities? Note that OS krb does not support the krb
> > v4 protocol at all.
>
> OpenAFS is moving to use K5, so not having K4 should not be an issue.
> The aklog program with OpenAFS uses K5 tickets to generate an AFS token,
> where the encrypted part of the K5 ticket is passed in the AFS token.

Does this imply that OpenAFS will not require an afs3 salt type when it
moves to krbv5? If so, that weakens the argument for OS krb supporting it.

--
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
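The salt-type check proposed in the thread (OpenSolaris kadmin rejecting any "enctype:salttype" pair whose salt type is not "normal"), written out as an added stand-alone example. This is not code from the thread, from MIT krb5 or from OpenSolaris; the table rows are copied from the str_conv.c excerpt quoted above, while the numeric KRB5_KDB_SALTTYPE_* values (re-declared locally as SALTTYPE_*), the KS_* result codes and the function names validate_keysalt_pair / validate_keysalt_list are assumptions of this example. It distinguishes a salt type that is unknown (a typo) from one that is known but unsupported (afs3, v4, ...), which is the error a KDC administrator would want to see when a kdc.conf or kadmin -e list still carries an afs3 entry.

```c
#include <stdio.h>
#include <string.h>

/* Stand-ins for the KRB5_KDB_SALTTYPE_* constants from <krb5/kdb.h>.
 * The numeric values are assumed for this example, not taken from the thread. */
enum {
    SALTTYPE_NORMAL    = 0,
    SALTTYPE_V4        = 1,
    SALTTYPE_NOREALM   = 2,
    SALTTYPE_ONLYREALM = 3,
    SALTTYPE_SPECIAL   = 4,
    SALTTYPE_AFS3      = 5
};

struct salttype_entry {
    int type;
    const char *input;   /* string accepted by kadmin -e */
    const char *output;  /* string printed by getprinc */
};

/* Same rows as the str_conv.c table quoted in the thread. */
static const struct salttype_entry salttype_table[] = {
    { SALTTYPE_NORMAL,    "normal",    "Version 5" },
    { SALTTYPE_V4,        "v4",        "Version 4" },
    { SALTTYPE_NOREALM,   "norealm",   "Version 5 - No Realm" },
    { SALTTYPE_ONLYREALM, "onlyrealm", "Version 5 - Realm Only" },
    { SALTTYPE_SPECIAL,   "special",   "Special" },
    { SALTTYPE_AFS3,      "afs3",      "AFS version 3" }
};

/* Result codes, constructed for this example. */
#define KS_BAD_FORMAT   (-1)   /* not of the form enctype:salttype */
#define KS_UNKNOWN_SALT (-2)   /* salttype string not in the table */
#define KS_UNSUPPORTED  (-3)   /* known salttype, but not "normal" */

/* Map a salt type string to its numeric type, or -1 if it is not in the table. */
int salttype_lookup(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof(salttype_table) / sizeof(salttype_table[0]); i++)
        if (strcmp(salttype_table[i].input, name) == 0)
            return salttype_table[i].type;
    return -1;
}

/* Check one "enctype:salttype" pair as proposed in the thread: the salt type
 * must be in the table AND must be "normal". Returns 0 or a KS_* error. */
int validate_keysalt_pair(const char *pair)
{
    const char *colon = strchr(pair, ':');
    int type;

    /* need a non-empty enctype, a colon, and a non-empty salttype */
    if (colon == NULL || colon == pair || colon[1] == '\0')
        return KS_BAD_FORMAT;
    type = salttype_lookup(colon + 1);
    if (type < 0)
        return KS_UNKNOWN_SALT;   /* e.g. a typo such as "nromal" */
    if (type != SALTTYPE_NORMAL)
        return KS_UNSUPPORTED;    /* afs3, v4, norealm, onlyrealm, special */
    return 0;
}

/* Check a whole space-separated kadmin -e list such as
 * "des-cbc-crc:normal des-cbc-md5:normal". Returns the number of pairs
 * accepted (>= 1) or the first KS_* error encountered. */
int validate_keysalt_list(const char *list)
{
    const char *p = list;
    int accepted = 0;

    while (*p != '\0') {
        char pair[128];
        const char *end;
        size_t n;
        int rc;

        while (*p == ' ')
            p++;
        if (*p == '\0')
            break;
        end = p;
        while (*end != '\0' && *end != ' ')
            end++;
        n = (size_t)(end - p);
        if (n >= sizeof(pair))
            return KS_BAD_FORMAT;
        memcpy(pair, p, n);
        pair[n] = '\0';
        rc = validate_keysalt_pair(pair);
        if (rc != 0)
            return rc;
        accepted++;
        p = end;
    }
    return accepted > 0 ? accepted : KS_BAD_FORMAT;
}

int main(void)
{
    /* constructed sample lists: the first is the man page's own example */
    const char *lists[] = {
        "des-cbc-crc:normal des-cbc-md5:normal",
        "aes256-cts:normal des-cbc-crc:afs3",
        "aes256-cts:nromal",
        "aes256-cts"
    };
    size_t i;
    for (i = 0; i < sizeof(lists) / sizeof(lists[0]); i++)
        printf("%-40s -> %d\n", lists[i], validate_keysalt_list(lists[i]));
    return 0;
}
```

The lookup keeps the table's three columns so the same structure can also drive the "output string" side (what getprinc prints), and the list walker stops at the first offending pair, mirroring the proposal that kadmin return an error rather than silently dropping the afs3 entry.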