On 08-01-2014 18:49, Jeffrey Altman wrote:
> On 1/8/2014 1:11 PM, Jose Manuel dos Santos Calhariz wrote:
>> I have a cell of OpenAFS and a Kerberos 5 realm for tests. I have done
>> the re-keying of afs/celname@REALMNAME as explained in
>> http://openafs.org/pages/security/install-rxkad-k5-1.6.txt
>> http://openafs.org/pages/security/how-to-rekey.txt
>> But I have made some mistake somewhere, because when I test with
>> unpatched clients 1.4.x they still authenticate.
>
> The only situations in which older clients would not authenticate are:
>
> 1. the Kerberos v5 KDC is configured to not issue DES session keys.
>    The session key is different from the long term AFS service key
>    that you replaced.

I commented out the line "allow_weak_crypto = true" in
/etc/krb5kdc/kdc.conf. Now the unpatched clients don't work, as I
expected.

> 2. the client Kerberos contains a bug that results in the client
>    core dumping if a service key enctype is used that is not
>    recognized by the client. Such a client would need to be really,
>    really old.
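
A way to check a KDC configuration for the setting discussed in this thread, as an added example that is not part of the original messages: the script scans MIT Kerberos profile text (krb5.conf or kdc.conf syntax) for an uncommented `allow_weak_crypto` that parses as true and for single-DES names in any `*enctypes` relation. The sample configurations, the realm `EXAMPLE.TEST`, and the function names are constructed for illustration.

```python
import re

# Values MIT krb5 parses as boolean true in profile files.
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}
# Single-DES enctype names (and the "des" family alias) used in MIT krb5 config.
DES_NAMES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}

def relations(text):
    """Yield (section, key, value) for each uncommented relation,
    including those inside { } subsections such as a realm block."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or line == "}":
            continue  # blank line, comment, or end of a subsection
        m = re.fullmatch(r"\[([^\]]+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep:
            yield section, key.strip(), value.strip()

def audit(text):
    """Return findings for settings that keep single-DES usable.
    Conservative: any true allow_weak_crypto is reported, wherever it appears."""
    findings = []
    for section, key, value in relations(text):
        if key == "allow_weak_crypto" and value.lower() in TRUE_VALUES:
            findings.append(f"[{section}] allow_weak_crypto = {value}")
        elif key.endswith("enctypes"):
            # Entries are space/comma separated, optionally "enctype:salt".
            names = {e.split(":")[0].lower() for e in re.split(r"[,\s]+", value) if e}
            weak = sorted(names & DES_NAMES)
            if weak:
                findings.append(f"[{section}] {key} lists {', '.join(weak)}")
    return findings

# Constructed sample: weak crypto enabled, DES still in the realm's key list.
BEFORE = """[libdefaults]
    allow_weak_crypto = true
[realms]
    EXAMPLE.TEST = {
        supported_enctypes = aes256-cts:normal des-cbc-crc:normal
    }
"""
# Constructed sample: the line commented out, as described in the thread.
AFTER = BEFORE.replace("    allow_weak_crypto", "#   allow_weak_crypto") \
              .replace(" des-cbc-crc:normal", "")

if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(conf) or "no single-DES settings found")
```
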