On Fri, 2013-11-08 at 10:19 -0600, Andrew Deason wrote:
> Part of the protocol that OpenAFS uses for authenticated communication
> over the network uses a short-term DES key. Semi-recently, Kerberos
> implementations started not allowing DES to be used by default, to
> encourage people to not use DES, and to make the usage of DES more
> visible. With OpenAFS, you currently do not have a choice, and we must
> get a DES key from Kerberos, since that is the only thing the rxkad
> protocol allows.
You mean, unless you've upgraded your servers to 1.6.5 or newer, have provisioned them with an rxkad.keytab containing non-DES service keys, and are using a sufficiently recent aklog, such as the one from 1.6.5. When those conditions are satisfied, you still end up using fcrypt, but you don't need Kerberos tickets with DES keys.

See OPENAFS-SA-2013-003 for more information. Visit https://www.openafs.org/security/ for a list of OpenAFS security advisories including, in this case, detailed instructions on deploying OpenAFS with non-DES keys.

Note that this doesn't change the fact that you are and will be using a relatively weak modified DES for data encryption until rxgk is ready. However, the point of rxkad-kdf is to eliminate the need for the KDC or any part of Kerberos to know or care that you are using DES, which is the cause of the error in question.

-- Jeff

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
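As an added illustration (not code from the thread or from OpenAFS), a small check for the second precondition Jeff lists: that the server's rxkad.keytab actually holds non-DES service keys rather than only single-DES ones. It parses output in the style of MIT `klist -kte`; the sample output, the principal name and the keytab path are constructed placeholders, not values from the thread.

```python
import re
import sys

# Constructed sample in the style of `klist -kte` output (not from the thread).
# Principal, realm and keytab path are placeholders.
SAMPLE_KLIST_OUTPUT = """\
Keytab name: FILE:/etc/openafs/server/rxkad.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 11/08/2013 10:19:00 afs/cell.example.com@EXAMPLE.COM (des-cbc-crc)
   3 11/08/2013 10:19:00 afs/cell.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 11/08/2013 10:19:00 afs/cell.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
"""

# One keytab entry: kvno, timestamp (date and time), principal, "(enctype)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(.*?)\s+(\S+)\s+\((\S+)\)\s*$")


def parse_klist_entries(text):
    """Return (kvno, principal, enctype) tuples from `klist -kte`-style output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(3), m.group(4)))
    return entries


def is_single_des(enctype):
    # Only plain des-* enctypes (des-cbc-crc, des-cbc-md5, ...) are the weak
    # single-DES keys; des3-* is triple DES and does not match this prefix.
    return enctype.lower().startswith("des-")


def check_rxkad_keytab(text):
    """Summarise whether the keytab meets the non-DES precondition.

    Returns (ok, non_des_enctypes, des_enctypes): ok is True when at least one
    non-DES service key is present, so rxkad-kdf can derive the fcrypt key
    without the KDC having to issue a DES session key.
    """
    entries = parse_klist_entries(text)
    des = sorted({e[2] for e in entries if is_single_des(e[2])})
    non_des = sorted({e[2] for e in entries if not is_single_des(e[2])})
    return (len(non_des) > 0, non_des, des)


if __name__ == "__main__":
    # Pipe real output in, e.g.: klist -kte /path/to/rxkad.keytab | python3 check.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_KLIST_OUTPUT
    ok, non_des, des = check_rxkad_keytab(data)
    print("non-DES keys present:", ok, "| non-DES:", non_des, "| single-DES:", des)
```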
