On 1/9/2014 2:11 PM, Jose Manuel dos Santos Calhariz wrote:
> On 08-01-2014 18:49, Jeffrey Altman wrote:
>> On 1/8/2014 1:11 PM, Jose Manuel dos Santos Calhariz wrote:
>>> I have a cell of OpenAFS and a kerberos5 realm for tests. I have done
>>> the re-keying
>>> of afs/celname@REALMNAME as explained in
>>>
>>> http://openafs.org/pages/security/install-rxkad-k5-1.6.txt
>>> http://openafs.org/pages/security/how-to-rekey.txt
>>>
>>> But I have made some mistake somewhere, because when I test with
>>> unpatched clients
>>> 1.4.x they still authenticate.
>> The only situation in which older clients would not authenticate are:
>>
>> 1. the Kerberos v5 KDC is configured to not issue DES session keys.
>> The session key is different from the long term AFS service key
>> that you replaced.
>
> I commented the line "allow_weak_crypto = true" in
> /etc/krb5kdc/kdc.conf. Now the unpatched client don't work, as I
> expected.

I just want to ensure that you understand that doing so does not make the security of AFS any stronger. All it does is prevent old clients from working.
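Added example, not part of the original message: a small parser for MIT `klist -e` output that reports the session-key enctype and the ticket (service-key) enctype separately for each ticket, which is the distinction drawn in the reply above. It assumes the MIT `Etype (skey, tkt):` line layout and numeric dates; the sample cache, realm and principals are constructed placeholders.

```python
import re

# Constructed sample of `klist -e` output (MIT Kerberos layout). The realm and
# principals are placeholders, not values taken from the thread.
SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.ORG

Valid starting       Expires              Service principal
01/09/2014 14:00:00  01/10/2014 00:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
01/09/2014 14:00:05  01/10/2014 00:00:00  afs/example.org@EXAMPLE.ORG
\tEtype (skey, tkt): des-cbc-crc, aes256-cts-hmac-sha1-96
"""

# A ticket line: start date/time, expiry date/time, then the service principal.
TICKET = re.compile(r"^\d\d/\d\d/\d{2,4} \S+\s+\d\d/\d\d/\d{2,4} \S+\s+(\S+)$")
# The indented line that follows it: session-key enctype, then ticket enctype.
ETYPE = re.compile(r"^\s+Etype \(skey, tkt\):\s*(\S+),\s*(\S+)\s*$")


def is_single_des(etype):
    """True for single-DES names such as des-cbc-crc; des3-* is not matched."""
    # Newer MIT releases may print a "DEPRECATED:" prefix; drop it if present.
    return etype.split(":")[-1].startswith("des-")


def parse_klist(text):
    """Return [(service, session_key_etype, ticket_etype), ...]."""
    tickets, service = [], None
    for line in text.splitlines():
        m = TICKET.match(line)
        if m:
            service = m.group(1)
            continue
        m = ETYPE.match(line)
        if m and service:
            tickets.append((service, m.group(1), m.group(2)))
            service = None
    return tickets


def report(text):
    """Flag, per ticket, whether the session key and the service key are DES."""
    return [{"service": s, "des_session_key": is_single_des(sk),
             "des_service_key": is_single_des(tk)} for s, sk, tk in parse_klist(text)]


if __name__ == "__main__":
    for row in report(SAMPLE):
        print(row)
```

In the constructed sample the afs ticket is encrypted under an AES service key while its session key is still DES, so the two flags differ for that row.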
