On Wed, 12 Feb 2014 14:34:09 +0000 Brandon Allbery <[email protected]> wrote:
> On Wed, 2014-02-12 at 14:20 +0100, Staffan Hämälä wrote:
> > For some reason, we're still getting a DES session key after removing
> > the KeyFile on all OpenAFS-servers, and touching CellServDB, according
> > to these instructions:
> > https://www.openafs.org/pages/security/install-rxkad-k5-1.6.txt
> >
> > Old clients still work even though there is no DES in rxkad.keytab.

Yes, that's expected, unless you take additional actions to disallow that.

> The session key is unrelated to the existence of DES key material in
> Keyfile or rxkad.keytab; it does however indicate DES keys still exist
> in the KDC and DES is still enabled.

The session key should be generated randomly; it doesn't come from a DES key in the db. Usually a KDC will determine what session key enctypes are available from what principal key enctypes are available, but DES is a special case. DES is always considered to be available as a session key enctype, unless you specifically disable it on the KDC. For both Heimdal and MIT I think, the allow_weak_crypto (not allow_weak_enctypes, unless I have that reversed) option can turn that off. Newer MIT also has some kadmin commands for changing what session key enctypes are available on a per-principal basis.

There are some exceptions to the above (which can make this a bit confusing), see the "Note for Heimdal" in <https://www.openafs.org/pages/security/how-to-rekey.txt>. And the configuration knobs and whatnot on AD are completely different, of course.

--
Andrew Deason
[email protected]

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
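The check a site doing this rekey would want, before and after flipping the KDC knob Andrew describes, is whether any ticket in the cache still carries a single-DES session key. The script below is an added example for this thread, not code from OpenAFS or from any of the posters; it parses the "Etype (skey, tkt):" lines that MIT Kerberos `klist -e` prints (the Heimdal format differs, so it is assumed here to be MIT's) and reports every service principal whose session key enctype begins with `des-cbc-`. The sample output it runs on is constructed, not captured from a real cell.

```shell
#!/bin/sh
# Added example: flag tickets whose *session* key (the "skey" column of
# MIT `klist -e`) is single DES, which is what the original poster is seeing
# even after the DES key material was removed from the AFS servers.

# Constructed sample of MIT `klist -e` output (assumed format; not from a
# real cell). One ticket has an AES session key, one still has DES.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
02/12/2014 14:00:00  02/13/2014 00:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
02/12/2014 14:00:05  02/13/2014 00:00:00  afs/example.com@EXAMPLE.COM
	Etype (skey, tkt): des-cbc-crc, aes256-cts-hmac-sha1-96
'

# Read `klist -e` output on stdin; print "<service principal> <skey enctype>"
# for every ticket whose session key is a single-DES enctype
# (des-cbc-crc, des-cbc-md5, des-cbc-md4). Prints nothing when all are clean.
weak_session_keys() {
    awk '
        # Ticket line: two date/time pairs followed by the service principal.
        NF == 5 && $NF ~ /@/ { svc = $NF; next }
        # MIT prints "Etype (skey, tkt): <session enctype>, <ticket enctype>".
        /Etype \(skey, tkt\):/ {
            skey = $4
            sub(/,$/, "", skey)
            if (skey ~ /^des-cbc-/) print svc, skey
        }
    '
}

# Exit status 1 if any DES session key was found, 0 otherwise, so the
# function can gate a rekey checklist. Usage against a live cache:
#   klist -e | weak_session_keys
has_weak_session_keys() {
    [ -n "$(weak_session_keys)" ]
}

# Stand-alone demo on the constructed sample.
printf '%s' "$SAMPLE_KLIST" | weak_session_keys
```

Run `kinit`, obtain the AFS service ticket (for example with `aklog` or `kvno afs/<cell>@<REALM>`), then pipe `klist -e` into `weak_session_keys`. If the afs/ principal still shows a `des-cbc-*` session key, the change has to happen on the KDC side as Andrew says: `allow_weak_crypto = false` in the `[libdefaults]` section of the KDC's krb5.conf is the knob he is referring to for MIT and Heimdal, and the per-principal MIT mechanism is, as far as I know, the `session_enctypes` string attribute set via `kadmin set_string` in MIT krb5 1.11 and later; both of those are stated from memory here rather than taken from the thread, so verify them against your KDC's documentation.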
