On Wed, 2014-01-08 at 18:11 +0000, Jose Manuel dos Santos Calhariz wrote:
> I have a cell of OpenAFS and a kerberos5 realm for tests. I have done
> the re-keying of afs/celname@REALMNAME as explained in
>
> http://openafs.org/pages/security/install-rxkad-k5-1.6.txt
> http://openafs.org/pages/security/how-to-rekey.txt
>
> But I have made some mistake somewhere, because when I test with
> unpatched clients 1.4.x they still authenticate.

Have you done the rxkad-kdf part as well? The first part just upgrades
the server connection; clients continue to use the KeyFile and DES-based
authentication. rxkad-kdf enables client authentication to newer
enctypes as well; then you can disable the DES key, which is what
disables older clients. (As long as the DES key still exists in the KDC
and the KeyFile, older clients will continue to work.)

-- 
brandon s allbery kf8nh sine nomine associates
[email protected] [email protected]
unix, openafs, kerberos, infrastructure, xmonad http://sinenomine.net
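
Added example, not part of the original message or of OpenAFS: a shell check for the KDC half of the condition in the reply above, listing any single-DES key still present on the cell principal. It assumes MIT `kadmin getprinc` prints one `Key: vno N, enctype` line per key; the function names, principal and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Assumed input: text in the style of MIT krb5 `kadmin getprinc`, e.g.
#   kadmin -q "getprinc afs/cellname" | list_des_keys
# (afs/cellname is a placeholder principal name.)

# list_des_keys: read getprinc output on stdin and print "kvno enctype" for
# every single-DES key. Triple DES (des3-*) is deliberately not matched.
list_des_keys() {
    awk '
        /^Key: vno [0-9]+,/ {
            kvno = $3; sub(/,$/, "", kvno)      # "5,"  -> "5"
            enc = $4;  sub(/[,:].*$/, "", enc)  # drop ", no salt" or ":afs3"
            if (enc ~ /^des-(cbc-(crc|md4|md5|raw)|hmac-sha1)$/)
                print kvno, enc
        }'
}

# principal_has_des: exit status 0 if at least one single-DES key is listed.
principal_has_des() {
    [ -n "$(list_des_keys)" ]
}

# Constructed sample: principal that still carries a DES key.
sample_before() {
    cat <<'EOF'
Principal: afs/cell.example@REALM.EXAMPLE
Number of keys: 3
Key: vno 5, aes256-cts-hmac-sha1-96, no salt
Key: vno 5, des3-cbc-sha1, no salt
Key: vno 5, des-cbc-crc:afs3
MKey: vno 1
EOF
}

# Constructed sample: same principal after the DES key has been removed.
sample_after() {
    cat <<'EOF'
Principal: afs/cell.example@REALM.EXAMPLE
Number of keys: 2
Key: vno 6, aes256-cts-hmac-sha1-96
Key: vno 6, aes128-cts-hmac-sha1-96
MKey: vno 1
EOF
}
```

An empty result covers only the KDC; the reply also names the KeyFile, which has to be checked separately on the servers.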
