It's fixed.

Ben


On 01/17/2018 05:18 AM, Harald Barth wrote:
I wrote

I actually don't know how high a kvno can be but up to 32767 (2^15-1)
"feels" safe.
That was probably WRONG as Sergio pointed out to me.

Sergio wrote:
It doesn't feel all that safe to me. True, RFC 4120 specifies the kvno as
UInt32, but 
https://k5wiki.kerberos.org/wiki/Projects/Larger_key_versions
makes interesting reading. Version 1.14 isn't all that old; Debian 8 only
has version 1.12.

Maybe if one requires rxkad-k5 it's OK to have kvno>255, but back in
Kerberos 4 days it definitely wasn't. The OpenAFS code base still contains
things like
     if (kvno > 255)
         return KAANSWERTOOLONG;
(in src/kauth/krb_udp.c) and
@t(kvno)@\is a @b(one byte) key identifier associated with the key.  It
will be included in any ticket created by the AuthServer encrypted with
this key.
(in src/kauth/AuthServer.mss).
One byte. Auch.

So until rxkad-k5 (around the corner - just kidding) we are probably
stuck with that. So if you want to divide your KVNO space into two
parts, around 100 for each is what you get :-(

Harald.
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info


--
Ben Carter
University of Pittsburgh/CSSD
Network Operations Center
b...@pitt.edu
412-624-6470