On Fri, Oct 5, 2012 at 11:23 AM, Benjamin Kaduk <[email protected]> wrote:
> > You can limit your exposure by having the afs/cell@realm principal be the
> > only principal in the database with a single DES key. The default_enctypes
> > do not need to include single-DES, and you can safely make both user
> > principals and krbtgt/realm have no weak keys, the weak crypto will only be
> > used to obtain an afs service ticket (and the corresponding token).

Are you absolutely sure this is true? I have vague recollections that you
need single DES keys on the krbtgt key to get single DES tickets. But it's
late and I haven't had lunch yet so I may be misremembering.

> I would expect that completely removing single DES (with the exception of
> AFS) would require a year or more to transition fully, in a large
> deployment.

I'm puzzled here as well. Once you remove the offending service keys from the
KDC, isn't the process more or less done? I know in Heimdal at least that it's
trivial to remove just a specific enctype from a service principal w/o
affecting the rest of the keys.

- Booker C. Bense

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
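The audit that this thread circles around, as an added example that is not part of the original message: read `Principal:` / `Keytypes:` lines of the kind Heimdal's `kadmin -l get` prints, report every principal other than afs/cell that still carries a single-DES key (the policy quoted at the top of the thread), and render the Heimdal `del_enctype` commands that drop only those keys. The sample dump is constructed, and the exact field layout of the `Keytypes:` line is an assumption to be checked against your kadmin version; `del_enctype` is a real Heimdal kadmin command. Whether krbtgt may safely appear in the findings is exactly the question Booker raises, so treat a krbtgt line as something to review, not as a verdict.

```python
import re

# Constructed sample modelled on the "Principal:" / "Keytypes:" lines that
# Heimdal's `kadmin -l get <principal>` prints. The field layout is an
# assumption; adjust parse_keytypes() if your kadmin prints something else.
SAMPLE_DUMP = """\
Principal: afs/example.org@EXAMPLE.ORG
Keytypes: des-cbc-crc(afs3-salt)[2]
Principal: krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
Keytypes: aes256-cts-hmac-sha1-96(pw-salt)[1], aes128-cts-hmac-sha1-96(pw-salt)[1], des-cbc-md5(pw-salt)[1]
Principal: alice@EXAMPLE.ORG
Keytypes: aes256-cts-hmac-sha1-96(pw-salt)[1], des3-cbc-sha1(pw-salt)[1]
Principal: host/fs1.example.org@EXAMPLE.ORG
Keytypes: aes256-cts-hmac-sha1-96(pw-salt)[1], des-cbc-crc(pw-salt)[1], des-cbc-md5(pw-salt)[1]
"""

# Single-DES enctype names as Heimdal and MIT print them. des3-cbc-* is
# triple DES and is deliberately not in this set.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}

# An entry looks like "des-cbc-md5(pw-salt)[1]"; we only want the name.
_ENCTYPE_RE = re.compile(r"^\s*([a-z0-9-]+)")


def parse_keytypes(dump):
    """Map each principal to the list of enctypes on its keys."""
    keys = {}
    current = None
    for line in dump.splitlines():
        if line.startswith("Principal:"):
            current = line.split(":", 1)[1].strip()
            keys[current] = []
        elif line.startswith("Keytypes:") and current is not None:
            for entry in line.split(":", 1)[1].split(","):
                m = _ENCTYPE_RE.match(entry)
                if m:
                    keys[current].append(m.group(1))
    return keys


def audit_single_des(dump, afs_prefix="afs/"):
    """Return {principal: [weak enctypes]} for every principal that still
    has a single-DES key, except the AFS service principal, which is the
    one principal the quoted policy allows to keep DES."""
    findings = {}
    for princ, enctypes in parse_keytypes(dump).items():
        weak = [e for e in enctypes if e in SINGLE_DES]
        if weak and not princ.startswith(afs_prefix):
            findings[princ] = weak
    return findings


def heimdal_cleanup_commands(findings):
    """Render Heimdal `kadmin del_enctype` lines. del_enctype removes only
    the listed keys from the entry; the principal's other keys stay in place,
    so the remaining enctypes keep working."""
    return ["del_enctype %s %s" % (princ, " ".join(weak))
            for princ, weak in sorted(findings.items())]


if __name__ == "__main__":
    found = audit_single_des(SAMPLE_DUMP)
    for princ, weak in sorted(found.items()):
        print("%s still has single-DES keys: %s" % (princ, ", ".join(weak)))
    for cmd in heimdal_cleanup_commands(found):
        print(cmd)
```

In a real deployment you would feed the script the concatenated `get` output for every principal (or a `kadmin -l dump` converted to this shape) and review the findings before running any of the emitted commands; the afs/cell principal is intentionally left out so that the AFS token path described in the thread keeps working.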
