On Thu, 7 Nov 2013 22:16:43 +0000 Greg Wilson <greg.wil...@asu.edu> wrote:
> Kerberos error code returned by get_cred : -1765328184
> aklog: Couldn't get asu.edu AFS tickets:
> aklog: unknown RPC error (-1765328184) while getting AFS tickets
> allow_weak_enctypes may be required in the Kerberos configuration

As you already know, the option is actually allow_weak_crypto. This error message is wrong, and was fixed in OpenAFS 1.6.2.

Also, are you running the binaries from openafs.org, or from where did you get your binaries? If 'aklog' is built on RHEL6 (or any sufficiently modern libkrb5), you shouldn't get this error message, since aklog can turn on this option for itself, instead of needing to alter the system configuration.

> As the error suggests, adding "allow_weak_crypto = true" to krb5.conf
> makes the errors go away.
>
> Can someone tell me what the security ramifications of this are?

Part of the protocol that OpenAFS uses for authenticated communication over the network uses a short-term DES key. Semi-recently, Kerberos implementations started not allowing DES to be used by default, to encourage people not to use DES, and to make the usage of DES more visible. With OpenAFS, you currently do not have a choice, and we must get a DES key from Kerberos, since that is the only thing the rxkad protocol allows. (Using non-DES session keys is part of the rxgk project in progress, which you can read about in other places. Note that using short-term DES session keys is different in terms of security ramifications from using long-term DES keys, which is what was fixed in 1.6.5.)

So, the security ramifications of turning that on are that programs using libkrb5 that use DES will work, and you may not be aware that they are using DES. As mentioned above, aklog has the ability to turn this option on automatically just for aklog, so it doesn't impact the rest of the system.
--
Andrew Deason
adea...@sinenomine.net

_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
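An added example, not part of the thread above, to make the "you may not be aware that they are using DES" point auditable: a small parser that reads the [libdefaults] section of a krb5.conf and reports whether allow_weak_crypto is enabled system-wide or single-DES enctypes are listed. The sample configuration is constructed for illustration (the realm and KDC name are placeholders).

```python
import re
from typing import Dict, List

# Constructed sample krb5.conf, modelled on the workaround discussed in the
# thread: allow_weak_crypto enabled for every libkrb5 program on the host.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = ASU.EDU
    allow_weak_crypto = true
    default_tgs_enctypes = aes256-cts des-cbc-crc
[realms]
    ASU.EDU = {
        kdc = kdc.example.invalid
    }
"""

# Single-DES enctype names that libkrb5 treats as weak (the "des" alias
# expands to the des-cbc-* family).
DES_ENCTYPES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
                "des-cbc-raw", "des-hmac-sha1"}

def parse_libdefaults(text: str) -> Dict[str, str]:
    """Return key/value pairs from the [libdefaults] section only."""
    section = None
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip().lower()] = val.strip()
    return values

def audit_weak_crypto(text: str) -> List[str]:
    """List findings that mean DES can be negotiated by programs on this host."""
    cfg = parse_libdefaults(text)
    findings: List[str] = []
    if cfg.get("allow_weak_crypto", "false").lower() in ("true", "yes", "1"):
        findings.append("allow_weak_crypto is enabled for every libkrb5 program")
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        weak = [e for e in cfg.get(key, "").split() if e.lower() in DES_ENCTYPES]
        if weak:
            findings.append(f"{key} lists single-DES enctypes: {' '.join(weak)}")
    return findings
```

Running the audit over a real /etc/krb5.conf shows whether the workaround was applied host-wide rather than left to aklog's per-process override.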