On Thu, 25 Jul 2013, Benjamin Kaduk wrote:
> Some versions of Heimdal have a KDC bug wherein the ticket enctype is always
> the same as the session key enctype; in these cases the DES key is needed in
> the rxkad.keytab (and the KeyFile).
Forgive me if I'm missing an obvious answer, but in this situation, is the
cell still vulnerable to the DES attack we're attempting to remediate?
> In all other cases, you should not have
> the DES key in the rxkad.keytab or KeyFile. You can check whether your
> Heimdal KDC has this bug by using a DES-only client (with
> default_tgs_enctypes in krb5.conf, if needed) to request a service ticket
> (say, with kgetcred) for a service that has a non-DES key in the KDB. If
> 'klist -v' shows the Ticket etype as being des (as well as the session etype),
> then the KDC is buggy.
> -Ben
Cheers,
Stephen
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
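The check Ben describes (request a ticket from a DES-only client, then read the Ticket etype out of 'klist -v') is easy to get wrong by eye, so here is a small POSIX shell helper that automates the last step. It is an added example, not code from the thread or from OpenAFS/Heimdal: it parses a 'klist -v' dump, finds the entry for the AFS service principal and reports whether the ticket enctype is DES. The two credential-cache dumps embedded below are constructed, and the "Ticket etype:" / "Session key:" field labels are assumed to match Heimdal's 'klist -v' layout; the service principal afs/example.com@EXAMPLE.COM is a placeholder.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): detect the Heimdal KDC
# bug where the ticket enctype is forced to equal the (DES) session key.
#
# Real-world use, on a DES-only client as the thread describes:
#   kgetcred afs/example.com@EXAMPLE.COM      # service with a non-DES key in the KDB
#   klist -v | kdc_has_des_ticket_bug "$AFS_SERVICE"
#
# Regex (assumed Heimdal 'klist -v' layout) selecting the AFS service entry.
AFS_SERVICE='^Server: afs/'

# Constructed 'klist -v' dump from a BUGGY KDC: the afs/ ticket itself is DES.
SAMPLE_BUGGY=$(cat <<'EOF'
Credentials cache: FILE:/tmp/krb5cc_example
        Principal: user@EXAMPLE.COM

Server: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Client: user@EXAMPLE.COM
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Session key: des-cbc-crc
Ticket length: 312

Server: afs/example.com@EXAMPLE.COM
Client: user@EXAMPLE.COM
Ticket etype: des-cbc-crc, kvno 3
Session key: des-cbc-crc
Ticket length: 200
EOF
)

# Constructed dump from a correct KDC: DES session key, but the ticket is
# encrypted with the service's real (non-DES) key.
SAMPLE_FIXED=$(cat <<'EOF'
Credentials cache: FILE:/tmp/krb5cc_example
        Principal: user@EXAMPLE.COM

Server: afs/example.com@EXAMPLE.COM
Client: user@EXAMPLE.COM
Ticket etype: aes256-cts-hmac-sha1-96, kvno 3
Session key: des-cbc-crc
Ticket length: 312
EOF
)

# Read a 'klist -v' dump on stdin; print "<ticket etype> <session key etype>"
# for the first entry whose "Server:" line matches the regex in $1.
extract_etypes() {
    awk -v svc="$1" '
        /^Server:/ { in_entry = ($0 ~ svc); t = ""; s = ""; next }
        in_entry && /^Ticket etype:/ { t = $3; sub(/,$/, "", t) }
        in_entry && /^Session key:/  { s = $3 }
        in_entry && t != "" && s != "" { print t, s; exit }
    '
}

# Exit status 0: KDC shows the bug (ticket etype is DES), so the DES key must
# stay in rxkad.keytab/KeyFile.  1: ticket etype is non-DES, the DES key can
# go.  2: no matching ticket in the dump (kgetcred probably failed).
kdc_has_des_ticket_bug() {
    etypes=$(extract_etypes "$1")
    if [ -z "$etypes" ]; then
        echo "no ticket matching '$1' in klist output" >&2
        return 2
    fi
    ticket=${etypes%% *}
    session=${etypes#* }
    case "$ticket" in
        des-cbc-crc|des-cbc-md4|des-cbc-md5)
            echo "BUGGY KDC: ticket etype $ticket, session key $session -> keep DES key in rxkad.keytab/KeyFile"
            return 0 ;;
        *)
            echo "OK: ticket etype $ticket, session key $session -> DES key should not be in rxkad.keytab/KeyFile"
            return 1 ;;
    esac
}

# Stand-alone demo over the two constructed dumps.
printf '%s\n' "$SAMPLE_BUGGY" | kdc_has_des_ticket_bug "$AFS_SERVICE" || true
printf '%s\n' "$SAMPLE_FIXED" | kdc_has_des_ticket_bug "$AFS_SERVICE" || true
```

The decision is made on the ticket enctype alone: a DES session key is expected on a DES-only client in both cases and says nothing about whether the service's DES key is still needed, which is exactly the distinction the thread draws.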