Eric Chris Garrison wrote:
Jeffrey Altman wrote:
Garrison, Eric C wrote:
07/08/09 14:53:56 07/09/09 00:53:44 afs/afstest.iu....@ads.iu.edu
renew until 07/09/09 14:53:40, Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
So what else should I look for in the token being bad in another way?
The answer is right above. AES-256 is not DES-CBC-CRC.
I'm told by our ADS admin that DES3 isn't supported, and DES-CBC-CRC is
somewhat weak by modern standards.
AFS currently only supports DES. So with AFS today you have no choice. What this
means is that with the AFS principal in AD you must specify with ktpass -DesOnly.
Only the service ticket for AFS will use DES, so it does not affect the rest of
AD.
> How concerned should I be?
Depends on what data you put in AFS, and is the AFS network traffic sniffable?
You would need to do a risk assessment of your situation.
Is there another option that's secure and supported in AD?
Not today, but there are AFS mods in development to fix this.
Thanks,
Chris
--
Eric Chris Garrison | Principal Mass Storage Specialist
ecgar...@iupui.edu | Indiana University - Research Storage
W: 317-278-1207 M: 317-250-8649 | Jabber IM: ecgar...@iupui.edu
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
--
Douglas E. Engert <deeng...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
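
The check discussed in this thread, as an added example that is not part of the original messages: it rejoins wrapped `klist -e` lines in the layout quoted above and reports whether each afs service ticket uses single DES, which the thread says is all AFS currently supports. The sample output, the principal and realm names, and the assumed single-DES display strings are constructed for illustration.

```python
import re

# Constructed klist -e output in the layout quoted in the thread (wrapped
# lines included); principals and realm are placeholders.
SAMPLE = """\
07/08/09 14:53:40  07/09/09 00:53:44  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
    renew until 07/09/09 14:53:40, Etype (skey, tkt): AES-256 CTS mode
 with 96-bit
 SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
07/08/09 14:53:56  07/09/09 00:53:44  afs/cell-a.example.org@EXAMPLE.ORG
    renew until 07/09/09 14:53:40, Etype (skey, tkt): AES-256 CTS mode
 with 96-bit
 SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
07/08/09 14:54:10  07/09/09 00:53:44  afs/cell-b.example.org@EXAMPLE.ORG
    renew until 07/09/09 14:53:40, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
"""

ENTRY_START = re.compile(r"^\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s")
ETYPES = re.compile(r"Etype \(skey, tkt\): (.+?), (.+)$")

def is_single_des(etype):
    # Assumption: single DES is displayed as "DES cbc mode ..." or "des-cbc-...";
    # "Triple DES ..." and "des3-..." deliberately do not match.
    return etype.lower().startswith(("des cbc", "des-cbc"))

def check_afs_tickets(klist_text):
    """Return [(principal, skey_etype, tkt_etype, usable_by_afs)] for afs tickets."""
    entries = []
    for line in klist_text.splitlines():
        if ENTRY_START.match(line):
            entries.append(line)               # first line of a new ticket entry
        elif entries and line.strip():
            entries[-1] += " " + line          # rejoin a wrapped continuation line
    results = []
    for entry in entries:
        # Fields: start date, start time, end date, end time, principal, rest.
        fields = " ".join(entry.split()).split(" ", 5)
        if len(fields) < 6:
            continue                           # no etype detail on this entry
        principal = fields[4]
        m = ETYPES.search(fields[5])
        if not m or not re.match(r"afs[/@]", principal):
            continue                           # only afs service tickets matter here
        skey, tkt = m.group(1), m.group(2)
        results.append((principal, skey, tkt, is_single_des(skey) and is_single_des(tkt)))
    return results

if __name__ == "__main__":
    for principal, skey, tkt, ok in check_afs_tickets(SAMPLE):
        print(f"{principal}: skey={skey!r} tkt={tkt!r} -> {'DES' if ok else 'not DES'}")
```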