Derrick Brashear <[email protected]> writes:
> Sergio Gelato <[email protected]> wrote:
>> I'm compiling my next (and hopefully final) iteration right now.
>> I went for this variant:
>>     if (clientbest != (krb5_enctype)ETYPE_NULL &&
>>         enctype == (krb5_enctype)ETYPE_NULL) {
>>         enctype = clientbest;
>>         if (ret_key == NULL)
>>             ret = 0;
>>     }
>>
> This plus
> [kdc]svc-use-strongest-session-key=true
> Works.

svc-use-strongest-session-key looks like it still tries to find something
in the common subset of supported keys between the client and server, and
legacy aklog sends only des-cbc-crc as its supported keys. So how could
this work? Isn't there still no common subset with a principal that has
no DES keys?

And, in 1.5.2, since the server key is forced to the service key (per
later discussion), if there *is* a DES key for the afs/* principal,
doesn't that result in using a DES long-term key, thus making the update
mostly pointless?

--
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>