Re: [OpenAFS] Heimdal KDC bug mentioned in rekeying document

2013-07-26 Thread Ragnar Sundblad
On 26 jul 2013, at 10:57, Sergio Gelato sergio.gel...@astro.su.se wrote: * Andrew Deason [2013-07-25 14:35:58 -0500]: On Thu, 25 Jul 2013 15:22:50 -0400 (EDT) Benjamin Kaduk ka...@mit.edu wrote: On Thu, 25 Jul 2013, Sergio Gelato wrote: I've been poking a bit into this. First of all,

Re: [OpenAFS] Heimdal KDC bug mentioned in rekeying document

2013-07-26 Thread Sergio Gelato
* Ragnar Sundblad [2013-07-26 11:43:57 +0200]: On 26 jul 2013, at 10:57, Sergio Gelato sergio.gel...@astro.su.se wrote: Secondly, the following patch is required: --- a/kdc/kerberos5.c +++ b/kdc/kerberos5.c @@ -183,9 +183,10 @@ } } if (clientbest !=

Re: [OpenAFS] Heimdal KDC bug mentioned in rekeying document

2013-07-26 Thread Ragnar Sundblad
On 26 jul 2013, at 12:18, Sergio Gelato sergio.gel...@astro.su.se wrote: * Ragnar Sundblad [2013-07-26 11:43:57 +0200]: On 26 jul 2013, at 10:57, Sergio Gelato sergio.gel...@astro.su.se wrote: Secondly, the following patch is required: --- a/kdc/kerberos5.c +++ b/kdc/kerberos5.c @@

Re: [OpenAFS] Heimdal KDC bug mentioned in rekeying document

2013-07-26 Thread Sergio Gelato
* Ragnar Sundblad [2013-07-26 13:01:00 +0200]: I believe you should change the test to also check that ret_key == NULL: if (clientbest != ETYPE_NULL && enctype == ETYPE_NULL && ret_key == NULL) { enctype = clientbest; ret = 0; } since if there is no common

Re: [OpenAFS] Heimdal KDC bug mentioned in rekeying document

2013-07-26 Thread Derrick Brashear
On Fri, Jul 26, 2013 at 7:33 AM, Sergio Gelato sergio.gel...@astro.su.se wrote: * Ragnar Sundblad [2013-07-26 13:01:00 +0200]: I believe you should change the test to also check that ret_key == NULL: if (clientbest != ETYPE_NULL && enctype == ETYPE_NULL && ret_key == NULL) {

Re: [OpenAFS] Heimdal KDC bug mentioned in rekeying document

2013-07-26 Thread Russ Allbery
Derrick Brashear sha...@gmail.com writes: Sergio Gelato sergio.gel...@astro.su.se wrote: I'm compiling my next (and hopefully final) iteration right now. I went for this variant: if (clientbest != (krb5_enctype)ETYPE_NULL && enctype == (krb5_enctype)ETYPE_NULL) {

Re: [OpenAFS] Heimdal KDC bug mentioned in rekeying document

2013-07-26 Thread Derrick Brashear
On Fri, Jul 26, 2013 at 4:39 PM, Russ Allbery r...@stanford.edu wrote: Derrick Brashear sha...@gmail.com writes: Sergio Gelato sergio.gel...@astro.su.se wrote: I'm compiling my next (and hopefully final) iteration right now. I went for this variant: if (clientbest !=

[OpenAFS] Heimdal KDC bug mentioned in rekeying document

2013-07-25 Thread stephen
Hi, In the cell rekeying instructions found at http://openafs.org/pages/security/how-to-rekey.txt, there is a note for sites using Heimdal KDCs. It mentions a bug present in certain versions of the Heimdal KDC software which completely disables DES on the AFS service principal when following

Re: [OpenAFS] Heimdal KDC bug mentioned in rekeying document

2013-07-25 Thread Jeffrey Hutzelman
On Thu, 2013-07-25 at 09:11 -0400, step...@physics.unc.edu wrote: Hi, In the cell rekeying instructions found at http://openafs.org/pages/security/how-to-rekey.txt, there is a note for sites using Heimdal KDCs. It mentions a bug present in certain versions of the Heimdal KDC software