On Wed, 2014-02-12 at 14:20 +0100, Staffan Hämälä wrote:
> For some reason, we're still getting a DES session key after removing
> the KeyFile on all OpenAFS-servers, and touching CellServDB, according
> to these instructions:
> https://www.openafs.org/pages/security/install-rxkad-k5-1.6.txt
>
> Old clients still work even though there is no DES in rxkad.keytab.
The session key is unrelated to the existence of DES key material in KeyFile or rxkad.keytab; it does, however, indicate that DES keys still exist in the KDC and DES is still enabled.

Unfortunately, removing that key material from the KDC may be difficult, especially in MIT Kerberos, where it may require dumping the afs principal, hand editing, and loading the result (and this requires understanding the MIT dump format). But you don't necessarily need to remove it; instead you should be able to set allow_weak_enctypes to false in /etc/krb5.conf on the KDC and then restart the KDC.

Most existing KDCs will not generate DES session keys if they do not have or cannot use a DES service key, regardless of whether they are issuing a DES service key or some other enctype. (My current best understanding, at least.)

-- 
brandon s allbery kf8nh                               sine nomine associates
[email protected]                                  [email protected]
unix, openafs, kerberos, infrastructure, xmonad        http://sinenomine.net
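A check for the symptom discussed above, added here as example code (it is not from this thread, from OpenAFS or from MIT Kerberos): it parses `klist -e` output, reports which tickets carry a DES session key versus a DES ticket key, and inspects a krb5.conf for the setting that keeps DES enabled. Assumptions: the input is the MIT `klist -e` layout (Heimdal prints a different one and is not handled); the sample ticket listing and krb5.conf below are constructed; and the option is spelled `allow_weak_crypto` in MIT's `[libdefaults]` (its default has been false since krb5 1.8), which is the name to look for when following the advice above.

```python
"""Flag DES session/ticket keys in MIT `klist -e` output and check krb5.conf.

Added example, not code from the mailing-list thread, OpenAFS or MIT Kerberos.
Assumes MIT `klist -e` formatting; sample inputs below are constructed.
"""
import re
import sys

# Single-DES enctype names as MIT Kerberos prints them. Triple DES
# (des3-cbc-sha1) is deliberately excluded: it is not the DES the thread
# is about, although it is also deprecated.
DES_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
                "des-cbc-raw", "des-hmac-sha1"}

# Constructed sample of MIT `klist -e` output: a krbtgt with AES keys and an
# afs service ticket whose ticket key is AES but whose session key is DES,
# i.e. exactly the symptom reported in the thread.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: staffan@EXAMPLE.COM

Valid starting     Expires            Service principal
02/12/14 14:00:00  02/13/14 00:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
02/12/14 14:00:05  02/13/14 00:00:00  afs/example.com@EXAMPLE.COM
\tEtype (skey, tkt): des-cbc-crc, aes256-cts-hmac-sha1-96
"""

# Constructed krb5.conf fragment with the weak setting explicitly enabled.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    # this line is what keeps DES alive; set it to false and restart the KDC
    allow_weak_crypto = true

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

ETYPE_RE = re.compile(r"Etype \(skey, tkt\):\s*([\w-]+),\s*([\w-]+)")


def parse_klist(text):
    """Return [(service_principal, session_etype, ticket_etype), ...]."""
    entries = []
    service = None
    for line in text.splitlines():
        m = ETYPE_RE.search(line)
        if m and service is not None:
            entries.append((service, m.group(1), m.group(2)))
            service = None
            continue
        fields = line.split()
        # A ticket line is two timestamps (four fields) plus the principal.
        if len(fields) >= 5 and "@" in fields[-1]:
            service = fields[-1]
    return entries


def des_findings(entries):
    """Say what a DES enctype in each position implies about the KDC."""
    findings = []
    for service, skey, tkt in entries:
        if tkt in DES_ENCTYPES:
            findings.append((service, "ticket key",
                             "the KDC still issues a DES service key for this "
                             "principal; fix the KDC, not rxkad.keytab"))
        elif skey in DES_ENCTYPES:
            findings.append((service, "session key",
                             "DES is still enabled on the KDC and it still holds "
                             "DES key material; fix the KDC, not rxkad.keytab"))
    return findings


def weak_crypto_allowed(krb5_conf):
    """True if [libdefaults] sets allow_weak_crypto to a true value."""
    section = None
    for raw in krb5_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # whole-line comments only
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "libdefaults" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "allow_weak_crypto":
                return value.lower() in ("y", "yes", "true", "t", "1", "on")
    return False


if __name__ == "__main__":
    # Usage: klist -e | python3 check_des.py   (or run alone for the sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_KLIST
    for service, where, meaning in des_findings(parse_klist(text)):
        print(f"{service}: DES {where}: {meaning}")
    print("allow_weak_crypto in sample krb5.conf:",
          weak_crypto_allowed(SAMPLE_KRB5_CONF))
```

Run it against a live cache with `klist -e | python3 check_des.py`; a ticket whose ticket key is AES but whose session key is des-cbc-crc is the case the thread describes, and points at the KDC's configuration rather than at the AFS servers' keytab.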
