On 8/1/2013 12:12 PM, Christian wrote: > All, > > this might have come up before, but I wasn't able to find it. > > Given the need to upgrade all clients to fully get rid of 1des, is there > a way to do an inventory of client versions on a subnet, either by some > sort of scan, or by looking at server logs?
You can run "rxdebug <addr> 7001 -ver" to get the version string from the client. However, that will only tell you the cache manager version. It won't tell you if pam, afslog, or other tools that can acquire tokens are capable of rxkad-kdf. Nor does it tell you if the client krb5.conf configuration will permit the use of non-DES keys. > Thanks to all those of you involved in finally getting rid of 1DES and > for the excellent documentation, The rxkad-kdf change does not get rid of 1DES. It simply permits the afs cell key to be a non-1DES key. All wire encryption and the actual rxkad challenge/response is still performed using 1DES. Jeffrey Altman
smime.p7s
Description: S/MIME Cryptographic Signature
