Modern Kerberos disallows DES crypto methods, but OpenAFS, for protocol
reasons, is stuck using DES for the time being. Rather than force all
AFS realms to enable weak crypto, MIT added an undocumented API call
to allow OpenAFS to skirt around the weak crypto restrictions. Since
we're implementing aklog for Apache, we have to be evil and use it too
in order to acquire tokens on a system where weak crypto is not
permitted.
log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "mod_waklog: retrieved data from ccache for %s", k5user);
increds.times.endtime = 0;
-
+
+ /* Since we're fetching a key for AFS, we have to use single DES
+ and explicitely enable weak crypto using the secret API
+ call */
increds.keyblock.enctype = ENCTYPE_DES_CBC_CRC;
+ krb5_allow_weak_crypto (child.kcontext, 1);
if ( ( kerror = krb5_get_credentials (child.kcontext, 0, clientccache, &increds, &v5credsp ) ) ) {
/* only complain once we've tried both afs@REALM and afs/cell@REALM */
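Review bot: the added krb5_allow_weak_crypto (child.kcontext, 1) call ahead of krb5_get_credentials turns weak crypto on for the whole of child.kcontext and nothing in this hunk turns it back off, so every later operation on that context is also permitted to use weak enctypes, not just this AFS ticket request. Consider calling krb5_allow_weak_crypto (child.kcontext, 0) once krb5_get_credentials has returned, on both the success and the error path, and checking the call's return code (reporting a failure through log_error as the surrounding code does) instead of discarding it. The new comment should name the function rather than say "the secret API call", and "explicitely" should read "explicitly".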