On Thu, 2013-07-25 at 09:11 -0400, step...@physics.unc.edu wrote:
> Hi,
>
> In the cell rekeying instructions found at
> <http://openafs.org/pages/security/how-to-rekey.txt>, there is a note for
> sites using Heimdal KDCs. It mentions a bug present in "certain versions"
> of the Heimdal KDC software which completely disables DES on the AFS
> service principal when following the document's instructions.
>
> Is more information available about specific versions of the Heimdal KDC
> software which exhibit this bug? The document mentions experimentally
> verifying ticket acquisition, which seems wise. But also knowing the KDC
> versions which have the bug would be beneficial.
>
> Anyone have this info? Should I post to a heimdal list instead?
The bug in question essentially means that issued service tickets will always have the same service and session key enctypes, so you must choose between sticking with DES and breaking all existing token-acquiring clients which do not have the new rxkad-kdf code introduced in OpenAFS 1.6.5 and 1.4.15.

If I correctly remember my trip through the git repositories on Tuesday evening, the problem was most recently fixed prior to Heimdal 1.5.0, so if you are running that version you should not have a problem.

To test, first perform the upgrade as described, but be careful that the new key set includes DES keys. A Heimdal KDC will not issue tickets with DES session keys if the service does not have a DES key in the Kerberos database. Once you've installed the rxkey.keytab files on all of your servers and made the new keys available in the Kerberos database, get fresh tickets and run aklog to get AFS tokens. Then run 'klist -v' and look at the entry for your AFS tickets. If you have an entry like the one below, showing both a non-DES "Ticket etype" and a DES "Session key", then everything is working. If it shows only a DES "Ticket etype" and no separate "Session key" line, then your KDC has the bug.

Example klist -v output (partial):

> Server: a...@cs.cmu.edu
> Client: jh...@cs.cmu.edu
> Ticket etype: des3-cbc-sha1, kvno 2
> Session key: des-cbc-crc
> Ticket length: 237
> Auth time: Jul 25 11:55:20 2013
> Start time: Jul 25 11:55:21 2013
> End time: Jul 26 13:21:41 2013
> Ticket flags: transited-policy-checked, pre-authent, proxiable, forwardable
> Addresses: addressless

I'm afraid I can't say which all versions are affected. Searching through the tree I was able to find the bug fixed at least twice, once in 1997 and once in 2011. It was first reintroduced sometime in 1998 or 1999, but the comments on the 2011 commit lead me to believe that in the interim, it was at one point fixed and then reintroduced again.
So, there are likely at least three ranges of Heimdal versions which contain this bug, the most recent of which ends prior to version 1.5.0.

-- Jeff

_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
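The verification step Jeff describes (run aklog, then inspect the AFS entry in `klist -v`) can be automated so that a post-rekey check on every client or server is repeatable. The script below is an added example, not code from the thread or from OpenAFS or Heimdal: it parses Heimdal-style `klist -v` output, locates the `afs/...` service ticket, and classifies it into the three outcomes the reply describes (non-DES ticket etype plus DES session key is good; a DES-only ticket with no separate "Session key" line is the KDC bug; a non-DES ticket with no separate session key means only rxkad-kdf-capable clients will work). The sample `klist -v` text, principal names and cell name are constructed placeholders; the assumption that Heimdal prints a "Session key:" line only when the session key enctype differs from the ticket etype is taken from the reply's wording.

```python
"""Classify the AFS service ticket in Heimdal 'klist -v' output after a cell rekey.

Added example for the OpenAFS-info thread above; not part of OpenAFS or Heimdal.
"""
from typing import Dict, List, Optional

# Constructed sample output, modelled on the shape of the reply's klist -v
# excerpt. Principal and cell names are placeholders, not real sites.
SAMPLE_OK = """\
Server: krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
Client: user@EXAMPLE.ORG
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 300
Ticket flags: pre-authent, initial, proxiable, forwardable

Server: afs/example.org@EXAMPLE.ORG
Client: user@EXAMPLE.ORG
Ticket etype: des3-cbc-sha1, kvno 2
Session key: des-cbc-crc
Ticket length: 237
Ticket flags: transited-policy-checked, pre-authent, proxiable, forwardable
Addresses: addressless
"""

# Constructed sample of the failure mode: DES ticket etype, no separate
# "Session key" line, i.e. session key enctype == ticket enctype == DES.
SAMPLE_KDC_BUG = """\
Server: afs/example.org@EXAMPLE.ORG
Client: user@EXAMPLE.ORG
Ticket etype: des-cbc-crc, kvno 2
Ticket length: 200
Addresses: addressless
"""

# Constructed sample: strong ticket, but the session key is the same strong
# enctype, so clients without rxkad-kdf (pre 1.6.5 / 1.4.15) cannot use it.
SAMPLE_NO_DES_SESSION = """\
Server: afs/example.org@EXAMPLE.ORG
Client: user@EXAMPLE.ORG
Ticket etype: aes256-cts-hmac-sha1-96, kvno 2
Ticket length: 280
Addresses: addressless
"""


def parse_klist_v(text: str) -> List[Dict[str, str]]:
    """Split 'klist -v' output into one dict per ticket (blank-line separated)."""
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:  # lines without a colon (continuations) are ignored
            current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def is_single_des(enctype: str) -> bool:
    """True for single-DES enctypes (des-cbc-crc, des-cbc-md5, ...); des3-* is not."""
    return enctype.startswith("des-")


def find_afs_ticket(entries: List[Dict[str, str]]) -> Optional[Dict[str, str]]:
    """Return the ticket whose server principal is the AFS service (afs/... or afs@...)."""
    for entry in entries:
        server = entry.get("Server", "")
        if server.startswith("afs/") or server.startswith("afs@"):
            return entry
    return None


def classify_afs_ticket(entry: Dict[str, str]) -> str:
    """Map the AFS ticket's enctypes to one of the outcomes the reply describes."""
    # "Ticket etype: des3-cbc-sha1, kvno 2" -> "des3-cbc-sha1"
    ticket_etype = entry["Ticket etype"].split(",")[0].strip()
    # Assumption (from the reply): no "Session key" line means the session key
    # has the same enctype as the ticket.
    session_etype = entry.get("Session key", ticket_etype)
    if not is_single_des(ticket_etype) and is_single_des(session_etype):
        return "ok"  # strong service key, DES session key: all clients work
    if is_single_des(ticket_etype) and is_single_des(session_etype):
        return "kdc-bug"  # DES-only ticket: the Heimdal KDC bug from the thread
    if not is_single_des(session_etype):
        return "no-des-session-key"  # only rxkad-kdf clients can use this token
    return "unexpected"


def check_klist_output(text: str) -> str:
    """Convenience wrapper: parse, locate the AFS ticket, classify."""
    afs = find_afs_ticket(parse_klist_v(text))
    return "no-afs-ticket" if afs is None else classify_afs_ticket(afs)


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("kdc bug", SAMPLE_KDC_BUG),
                         ("no DES session key", SAMPLE_NO_DES_SESSION)):
        print(f"{name:>20}: {check_klist_output(sample)}")
```

In practice you would feed it the real output with `klist -v | python3 check_afs_ticket.py`-style plumbing (reading `sys.stdin.read()` instead of the constructed samples) on a client that has just run aklog against the rekeyed cell; a "kdc-bug" result is the signal to hold the rekey or upgrade the KDC before removing the old keys.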