On Thu, 01 Aug 2013 12:30:39 -0400 Jeffrey Altman <[email protected]> wrote:
> You can run "rxdebug <addr> 7001 -ver" to get the version string from
> the client. However, that will only tell you the cache manager
> version. It won't tell you if pam, afslog, or other tools that can
> acquire tokens are capable of rxkad-kdf. Nor does it tell you if the
> client krb5.conf configuration will permit the use of non-DES keys.

I think you can detect this by seeing what clients are asking for DES session keys only, though, as only older clients should be doing that. I'm not sure if any KDCs will log that information, but you could at least get it by sniffing wire traffic. (That is, traffic to the KDCs; you can't do anything on the openafs servers for this.) But of course, if you have an old pam module/aklog/etc, that will only detect it when the old binary is actually used to obtain tokens.

> > Thanks to all those of you involved in finally getting rid of 1DES
> > and for the excellent documentation,
>
> The rxkad-kdf change does not get rid of 1DES. It simply permits the
> afs cell key to be a non-1DES key. All wire encryption and the actual
> rxkad challenge/response is still performed using 1DES.

Perhaps to say it more explicitly, rxkad-kdf does not make our security any "better" over rxkad-k5 in terms of crypto. All it does is allow you to say "I've turned off single DES completely on the KDC", and have AFS still work. That is arguably improved security from a policy standpoint and such, but as far as the crypto we actually use on the wire, everything is of exactly the same strength between rxkad-kdf and rxkad-k5.

-- 
Andrew Deason
[email protected]

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
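The detection idea in the message above (find which clients are still asking the KDC for single-DES session keys) can be scripted against KDC logs rather than a packet capture. The following is an added example, not code from the thread or from OpenAFS. It assumes the line shape MIT krb5kdc writes to kdc.log (`AS_REQ (N etypes {...}) addr: STATUS: ... client for service`), which is an assumption about the log format, and uses the IANA encryption-type numbers for the DES etypes (1, 2, 3). The sample log lines are constructed for the example.

```python
import re
from collections import defaultdict

# IANA Kerberos encryption type numbers: 1 = des-cbc-crc, 2 = des-cbc-md4,
# 3 = des-cbc-md5. A request offering only these is asking for a 1DES
# session key, which is what pre-rxkad-kdf aklog/pam/afslog binaries do.
DES_ETYPES = {1, 2, 3}

# Assumed MIT krb5kdc log line shape (verify against your own kdc.log):
#   AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime ..., \
#       etypes {rep=18 tkt=18 ses=18}, user@REALM for krbtgt/REALM@REALM
#   TGS_REQ (1 etypes {1}) 192.0.2.20: ISSUE: ..., user@REALM for afs/cell@REALM
LOG_RE = re.compile(
    r"(?P<kind>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<addr>\S+): (?P<status>\w+): .*?"
    r"(?P<client>\S+@[^\s,]+) for (?P<service>[^\s,]+)"
)

# Constructed sample log (not real data): one modern client, one old aklog
# asking for a DES-only session key for the afs service principal.
SAMPLE_LOG = """\
Aug 01 12:30:00 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1375372800, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Aug 01 12:30:01 kdc krb5kdc[1234](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1375372800, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for afs/example.com@EXAMPLE.COM
Aug 01 12:31:00 kdc krb5kdc[1234](info): AS_REQ (3 etypes {18 17 1}) 192.0.2.20: ISSUE: authtime 1375372860, etypes {rep=18 tkt=18 ses=18}, olduser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Aug 01 12:31:02 kdc krb5kdc[1234](info): TGS_REQ (1 etypes {1}) 192.0.2.20: ISSUE: authtime 1375372860, etypes {rep=18 tkt=1 ses=1}, olduser@EXAMPLE.COM for afs/example.com@EXAMPLE.COM
Aug 01 12:32:00 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.30: NEEDED_PREAUTH: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
"""


def parse_kdc_log(lines):
    """Yield (kind, client, service, addr, etypes) per AS_REQ/TGS_REQ line."""
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a request line (e.g. startup or error messages)
        etypes = {int(x) for x in m["etypes"].split()}
        yield m["kind"], m["client"], m["service"], m["addr"], etypes


def classify(etypes):
    """Classify a requested-etype set by how it relates to single DES."""
    if not etypes:
        return "unknown"
    if etypes <= DES_ETYPES:
        return "des-only"      # client can only take a 1DES session key
    if etypes & DES_ETYPES:
        return "des-capable"   # offers DES among stronger types
    return "no-des"


def des_only_requesters(lines, service_prefix=None):
    """Map client principal -> sorted source addresses for requests that
    offered only single-DES etypes. Optionally restrict to one service
    principal prefix (e.g. "afs/") to isolate token acquisition."""
    found = defaultdict(set)
    for _kind, client, service, addr, etypes in parse_kdc_log(lines):
        if service_prefix and not service.startswith(service_prefix):
            continue
        if classify(etypes) == "des-only":
            found[client].add(addr)
    return {c: sorted(a) for c, a in found.items()}


if __name__ == "__main__":
    for client, addrs in des_only_requesters(SAMPLE_LOG.splitlines(), "afs/").items():
        print(f"{client} requested DES-only afs session keys from {', '.join(addrs)}")
```

Run it against your real kdc.log instead of `SAMPLE_LOG` once you have confirmed the line format matches; the `service_prefix="afs/"` filter is what singles out token acquisition, since a DES-only AS-REQ on its own only tells you about the initial kinit, not about which aklog or pam binary was used afterwards.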
