Package: heimdal-kdc
Version: 1.4.0~git20100726.dfsg.1-1
Tags: patch

Recent Heimdal KDCs disable DES encryption types on the (valid) grounds that they are too weak. An exception is made where the service principal is "afs", since the work to upgrade AFS to support stronger crypto is still very much in progress.
Unfortunately, Kerberized NFS has a similar problem. Support for stronger enctypes didn't make it into the Linux kernel until 2.6.35 (post-squeeze). Until all NFS servers and clients have been upgraded to support stronger enctypes, a site will want to enable DES enctypes for "nfs" service principals.

Here is a patch that does just that; I've successfully tested it. I think it would be highly desirable to have this in squeeze; more so, in fact, than in later releases, since the need for DES support with NFS service principals ought to decrease with time.

Without this patch, the KDC rejects AS requests that specify DES enctypes with "krb5_crypto_init failed: encryption type (1|2|3) not supported" (illustrating another oddity, namely that krb5_crypto_init() uses the same error message whether the enctype is unknown or known but disabled; krb5_enctype_valid() has two distinct error messages), and TGS requests result in "Server (nfs/f.q.d.n) has no support for etypes" (also in the KDC's log). The client did have [libdefaults] allow_weak_crypto = true, as shown by the fact that the AS and TGS requests asked for a DES enctype.
--- a/kdc/kerberos5.c +++ b/kdc/kerberos5.c @@ -91,7 +91,8 @@ _kdc_is_weak_exception(krb5_principal principal, krb5_enctype etype) { if (principal->name.name_string.len > 0 && - strcmp(principal->name.name_string.val[0], "afs") == 0 && + (strcmp(principal->name.name_string.val[0], "afs") == 0 + || strcmp(principal->name.name_string.val[0], "nfs") == 0) && (etype == ETYPE_DES_CBC_CRC || etype == ETYPE_DES_CBC_MD4 || etype == ETYPE_DES_CBC_MD5))
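Review bot: the new `|| strcmp(principal->name.name_string.val[0], "nfs") == 0` clause re-enables DES for every principal whose first name component is "nfs", realm-wide and unconditionally, including on NFS servers that already run a 2.6.35+ kernel and could use the stronger enctypes; rather than growing the hard-coded literal list in _kdc_is_weak_exception(), consider reading the exempt service names from kdc.conf so a site can drop the exemption without a rebuild once its clients are upgraded, and add a line to the kdc documentation (and the package NEWS) saying that DES is accepted for "nfs" service principals, since administrators who disabled weak crypto will not expect it.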
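The two KDC log messages quoted in the report are what a site has to watch to know whether it still needs the exemption above. The following is an added example, not part of the bug report or of Heimdal, that scans KDC log lines for those two messages and reports which DES enctypes were refused in AS exchanges and which server principals were refused in TGS exchanges. The enctype numbers 1, 2 and 3 are des-cbc-crc, des-cbc-md4 and des-cbc-md5 as assigned in RFC 3961; the sample log lines, including their timestamp prefix, are constructed for this example and the exact line format of a given Heimdal build is an assumption.

```python
import re
from collections import Counter

# Kerberos enctype numbers from RFC 3961. The KDC message quotes only the
# number, so map it back to the name an administrator recognises.
DES_ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}

# The two messages quoted in the bug report. Everything before them on the
# line (timestamp, host, pid) is assumed and ignored by the search.
AS_REJECT_RE = re.compile(
    r"krb5_crypto_init failed: encryption type (\d+) not supported")
TGS_REJECT_RE = re.compile(r"Server \(([^)]+)\) has no support for etypes")


def des_rejections(lines):
    """Return (as_by_enctype, tgs_by_principal).

    as_by_enctype counts AS-REQ rejections per DES enctype name; other
    unsupported enctypes are ignored. tgs_by_principal counts TGS-REQ
    rejections per server principal. The TGS message does not name the
    enctype, so a TGS hit is only evidence that the client could not agree
    on any enctype the server key supports, and should be read together
    with the AS counts.
    """
    as_by_enctype = Counter()
    tgs_by_principal = Counter()
    for line in lines:
        m = AS_REJECT_RE.search(line)
        if m:
            etype = int(m.group(1))
            if etype in DES_ENCTYPES:
                as_by_enctype[DES_ENCTYPES[etype]] += 1
            continue
        m = TGS_REJECT_RE.search(line)
        if m:
            tgs_by_principal[m.group(1)] += 1
    return as_by_enctype, tgs_by_principal


def rejected_services(tgs_by_principal):
    """First name component of each rejected server principal.

    This is the component _kdc_is_weak_exception() compares against "afs"
    (and "nfs" with the patch), so the result is the list of services a
    site would have to exempt to make these TGS requests succeed.
    """
    return sorted({p.split("/", 1)[0] for p in tgs_by_principal})


# Constructed sample log lines; the prefix format is an assumption.
SAMPLE_LOG = """\
Jul 27 10:01:02 kdc1 kdc[1234]: AS-REQ host/client1.example.org@EXAMPLE.ORG from IPv4:192.0.2.10 for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
Jul 27 10:01:02 kdc1 kdc[1234]: krb5_crypto_init failed: encryption type 1 not supported
Jul 27 10:01:05 kdc1 kdc[1234]: krb5_crypto_init failed: encryption type 3 not supported
Jul 27 10:01:09 kdc1 kdc[1234]: krb5_crypto_init failed: encryption type 17 not supported
Jul 27 10:02:30 kdc1 kdc[1234]: TGS-REQ host/client1.example.org@EXAMPLE.ORG from IPv4:192.0.2.10 for nfs/files.example.org@EXAMPLE.ORG
Jul 27 10:02:30 kdc1 kdc[1234]: Server (nfs/files.example.org@EXAMPLE.ORG) has no support for etypes
Jul 27 10:02:31 kdc1 kdc[1234]: Server (nfs/files.example.org@EXAMPLE.ORG) has no support for etypes
Jul 27 10:03:00 kdc1 kdc[1234]: Server (afs/example.org@EXAMPLE.ORG) has no support for etypes
""".splitlines()


if __name__ == "__main__":
    as_hits, tgs_hits = des_rejections(SAMPLE_LOG)
    for name, n in sorted(as_hits.items()):
        print(f"AS-REQ rejected {n} time(s) for {name}")
    for princ, n in sorted(tgs_hits.items()):
        print(f"TGS-REQ rejected {n} time(s) for {princ}")
    print("services needing a weak-enctype exception:",
          ", ".join(rejected_services(tgs_hits)))
```

Run it against a real kdc log (for example by replacing SAMPLE_LOG with open("/var/log/heimdal-kdc.log")) once a month; when the nfs principals stop appearing in the TGS output and enctype 1 to 3 rejections stop appearing in the AS output, the exemption for "nfs" can be retired again.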