I wrote
>>I actually don't know how high a kvno can be but up to 32767 (2^15-1)
>>"feels" safe.

That was probably WRONG as Sergio pointed out to me.

Sergio wrote:
> It doesn't feel all that safe to me. True, RFC 4120 specifies the kvno as
> UInt32, but https://k5wiki.kerberos.org/wiki/Projects/Larger_key_versions
> makes interesting reading. Version 1.14 isn't all that old; Debian 8 only
> has version 1.12.
>
> Maybe if one requires rxkad-k5 it's OK to have kvno>255, but back in
> Kerberos 4 days it definitely wasn't. The OpenAFS code base still contains
> things like
>     if (kvno > 255)
>         return KAANSWERTOOLONG;
> (in src/kauth/krb_udp.c) and
>     @t(kvno)@\is a @b(one byte) key identifier associated with the key. It
>     will be included in any ticket created by the AuthServer encrypted with
>     this key.
> (in src/kauth/AuthServer.mss).

One byte. Ouch. So until rxkad-k5 (around the corner - just kidding) we are
probably stuck with that.
So if you want to divide your KVNO space into two parts, around 100 for each
is what you get :-(

Harald.
