
Re: Bug#629276: NFS needs same dispensation to use DES as AFS



* Philipp Kern [2011-06-17 19:07:35 +0200]:
> Brian,
> 
> On Thu, Jun 09, 2011 at 11:07:50AM +1000, Brian May wrote:
> > Would you be willing to accept a new version of Heimdal in a point release
> > of Debian?
> 
> Sorry for taking so much time to come back to you.
> 
> > > Without this patch, the KDC rejects AS requests that specify DES enctypes
> > > with "krb5_crypto_init failed: encryption type (1|2|3) not supported"
> > > (illustrating another oddity, namely that krb5_crypto_init() uses the
> > > same error message whether the enctype is unknown or known but disabled;
> > > krb5_enctype_valid() has two distinct error messages) and TGS requests
> > > result in "Server (nfs/f.q.d.n) has no support for etypes" (also in the
> > > KDC's log). The client did have [libdefaults]allow_weak_crypto=true, as
> > > shown by the fact that the AS and TGS requests asked for a DES enctype.
> 
> And it's only possible to reactivate that enctype by patching the KDC?
> I would've assumed that it's just a configuration matter on the KDC
> side.  (Like it's the case with MIT Kerberos where you have to adjust
> "supported_enctypes".)

It is true that you can enable the enctypes for all principals by adding
[libdefaults]
	allow_weak_crypto = true
to /etc/heimdal-kdc/kdc.conf, but that's a very blunt tool since only a
few principals still need an exemption from the "no DES" policy. For my
own operations I'll definitely stick with my patch. A more universal
solution would be to make the exception list configurable without
recompiling the KDC, but that has to be balanced against the likely
complexity of such a change.
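Added example, not part of this thread: a small Python scanner that pulls the two KDC error strings quoted above out of KDC log lines and attributes each to the request logged just before it, so an operator can see which clients still ask for DES (and which service principals they hit) before reaching for realm-wide allow_weak_crypto. The log line layout, principal names and addresses are constructed; the enctype numbers 1, 2 and 3 are the registered DES enctypes.

```python
import re
from collections import defaultdict

# Constructed sample log (line format assumed, not taken from a real Heimdal KDC);
# the error strings are the ones quoted in the bug report.
SAMPLE_KDC_LOG = """\
kdc[1234]: AS-REQ host/nfsclient.example.org@EXAMPLE.ORG from IPv4:192.0.2.10 for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
kdc[1234]: krb5_crypto_init failed: encryption type 1 not supported
kdc[1234]: TGS-REQ alice@EXAMPLE.ORG from IPv4:192.0.2.11 for nfs/nfs1.example.org@EXAMPLE.ORG [renewable]
kdc[1234]: Server (nfs/nfs1.example.org@EXAMPLE.ORG) has no support for etypes
kdc[1234]: AS-REQ bob@EXAMPLE.ORG from IPv4:192.0.2.12 for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
kdc[1234]: krb5_crypto_init failed: encryption type 3 not supported
"""

# Registered DES enctype numbers (RFC 3961); anything else that triggers the same
# message is either unknown to the KDC or disabled, which the message does not say.
DES_ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}

REQ_RE = re.compile(r"(AS-REQ|TGS-REQ) (\S+) from (\S+) for (\S+)")
CRYPTO_INIT_RE = re.compile(r"krb5_crypto_init failed: encryption type (\d+) not supported")
NO_ETYPES_RE = re.compile(r"Server \(([^)]+)\) has no support for etypes")

def scan_kdc_log(text):
    """Return which clients were refused a DES enctype, which clients hit the
    same message with a non-DES enctype, and which servers lack usable etypes."""
    out = {"des_enctype_rejections": defaultdict(list),   # client -> [enctype names]
           "other_enctype_errors": defaultdict(list),     # client -> [enctype numbers]
           "servers_without_etypes": defaultdict(list)}   # server -> [clients]
    last_req = None  # (kind, client, server) from the most recent request line
    for line in text.splitlines():
        m = REQ_RE.search(line)
        if m:
            last_req = (m.group(1), m.group(2), m.group(4))
            continue
        m = CRYPTO_INIT_RE.search(line)
        if m and last_req:
            etype, client = int(m.group(1)), last_req[1]
            if etype in DES_ENCTYPES:
                out["des_enctype_rejections"][client].append(DES_ENCTYPES[etype])
            else:
                out["other_enctype_errors"][client].append(etype)
            continue
        m = NO_ETYPES_RE.search(line)
        if m and last_req:
            out["servers_without_etypes"][m.group(1)].append(last_req[1])
    return {k: dict(v) for k, v in out.items()}

if __name__ == "__main__":
    for kind, entries in scan_kdc_log(SAMPLE_KDC_LOG).items():
        print(kind, entries)
```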
