[OpenAFS] OpenAFS 1.7.26 windows and not changed AFS service principle - OK?

2013-07-25 Thread Lars Schimmer
Hi! Maybe I am not the best reader, but if I do use a win AD as a krb5 auth service and I did not change anything with my keyfiles and everything, should OpenAFS 1.7.26 on Windows work as usual? As I tried on my system it did not work fine. It did show a ticket/token, but it shows

[OpenAFS] OpenAFS 1.6.5 .src.rpm on RHEL 5.x Fails with cpio: MD5 sum mismatch

2013-07-25 Thread Brunckhorst, Ralf
Hi, Similar issue with the src.rpm of the new version 1.6.5 like 1.6.2. Is it possible to fix this by providing a compatible src.rpm 1.6.5 for RHEL5? - Ralf

Re: [OpenAFS] OpenAFS 1.6.5 .src.rpm on RHEL 5.x Fails with cpio: MD5 sum mismatch

2013-07-25 Thread Stephen Quinney
You can grab a signed SRPM for RHEL5 from the /afs/inf.ed.ac.uk/group/afsbuild/1.6.5/rhel5 directory. That's the source which was used to build the publicly available RHEL5 RPMs. Stephen Quinney On 25 July 2013 12:47, Brunckhorst, Ralf ralf.brunckho...@hp.com wrote: Hi,

[OpenAFS] Heimdal KDC bug mentioned in rekeying document

2013-07-25 Thread stephen
Hi, In the cell rekeying instructions found at http://openafs.org/pages/security/how-to-rekey.txt, there is a note for sites using Heimdal KDCs. It mentions a bug present in certain versions of the Heimdal KDC software which completely disables DES on the AFS service principal when following

Re: [OpenAFS] OpenAFS 1.6.5 .src.rpm on RHEL 5.x Fails with cpio: MD5 sum mismatch

2013-07-25 Thread Brunckhorst, Ralf
Ok, I will grab it from there. Thanks, Ralf On 25.07.2013 at 14:03, Stephen Quinney step...@jadevine.org.uk wrote: You can grab a signed SRPM for RHEL5 from the /afs/inf.ed.ac.uk/group/afsbuild/1.6.5/rhel5

[OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document

2013-07-25 Thread Andrew Deason
On Thu, 25 Jul 2013 09:11:38 -0400 (EDT) step...@physics.unc.edu wrote: In the cell rekeying instructions found at http://openafs.org/pages/security/how-to-rekey.txt, there is a note for sites using Heimdal KDCs. It mentions a bug present in certain versions of the Heimdal KDC software which

[OpenAFS] Re: OpenAFS 1.7.26 windows and not changed AFS service principle - OK?

2013-07-25 Thread Andrew Deason
On Thu, 25 Jul 2013 10:57:33 +0200 Lars Schimmer l.schim...@cgv.tugraz.at wrote: Maybe I am not the best reader, but if I do use a win AD as a krb5 auth service and I did not change anything with my keyfiles and everything, should OpenAFS 1.7.26 on Windows work as usual? I didn't have

Re: [OpenAFS] Re: OpenAFS 1.7.26 windows and not changed AFS service principle - OK?

2013-07-25 Thread Benjamin Kaduk
On Thu, 25 Jul 2013, Andrew Deason wrote: On Thu, 25 Jul 2013 10:57:33 +0200 Lars Schimmer l.schim...@cgv.tugraz.at wrote: Maybe I am not the best reader, but if I do use a win AD as a krb5 auth service and I did not change anything with my keyfiles and everything, should OpenAFS 1.7.26 on

[OpenAFS] Re: OpenAFS 1.7.26 windows and not changed AFS service principle - OK?

2013-07-25 Thread Andrew Deason
On Thu, 25 Jul 2013 11:36:52 -0400 (EDT) Benjamin Kaduk ka...@mit.edu wrote: The short version is: a misconfigured KDC can cause problems for new clients against old servers. If that's true, we need to say specifically what that misconfiguration is, so people can check for them and avoid it.

Re: [OpenAFS] Re: OpenAFS 1.7.26 windows and not changed AFS service principle - OK?

2013-07-25 Thread Benjamin Kaduk
On Thu, 25 Jul 2013, Andrew Deason wrote: On Thu, 25 Jul 2013 11:36:52 -0400 (EDT) Benjamin Kaduk ka...@mit.edu wrote: The short version is: a misconfigured KDC can cause problems for new clients against old servers. If that's true, we need to say specifically what that misconfiguration is,

Re: [OpenAFS] OpenAFS 1.7.26 windows and not changed AFS service principle - OK?

2013-07-25 Thread Jeffrey Altman
On 7/25/2013 4:57 AM, Lars Schimmer wrote: Hi! Maybe I am not the best reader, but if I do use a win AD as a krb5 auth service and I did not change anything with my keyfiles and everything, should OpenAFS 1.7.26 on Windows work as usual? As I tried on my system it did not work fine. It

[OpenAFS] Re: OpenAFS 1.7.26 windows and not changed AFS service principle - OK?

2013-07-25 Thread Andrew Deason
On Thu, 25 Jul 2013 11:36:52 -0400 (EDT) Benjamin Kaduk ka...@mit.edu wrote: and in the absence of other information, the KDC should not assume that a service supports an enctype for which it has no long-term key. After thinking about this, it seems like we could make this more robust, if the

Re: [OpenAFS] Heimdal KDC bug mentioned in rekeying document

2013-07-25 Thread Jeffrey Hutzelman
On Thu, 2013-07-25 at 09:11 -0400, step...@physics.unc.edu wrote: Hi, In the cell rekeying instructions found at http://openafs.org/pages/security/how-to-rekey.txt, there is a note for sites using Heimdal KDCs. It mentions a bug present in certain versions of the Heimdal KDC software

Re: [OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document

2013-07-25 Thread Sergio Gelato
* Andrew Deason [2013-07-25 10:03:18 -0500]: On Thu, 25 Jul 2013 09:11:38 -0400 (EDT) step...@physics.unc.edu wrote: In the cell rekeying instructions found at http://openafs.org/pages/security/how-to-rekey.txt, there is a note for sites using Heimdal KDCs. It mentions a bug present in

Re: [OpenAFS] Re: OpenAFS 1.7.26 windows and not changed AFS service principle - OK?

2013-07-25 Thread Jeffrey Hutzelman
On Thu, 2013-07-25 at 11:38 -0500, Andrew Deason wrote: On Thu, 25 Jul 2013 11:36:52 -0400 (EDT) Benjamin Kaduk ka...@mit.edu wrote: and in the absence of other information, the KDC should not assume that a service supports an enctype for which it has no long-term key. After thinking

Re: [OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document

2013-07-25 Thread Russ Allbery
Sergio Gelato sergio.gel...@astro.su.se writes: I've been poking a bit into this. First of all, let's make sure I don't misunderstand your expectation here: do you want the KDC to be willing to issue a ticket with a des-cbc-crc session key (as requested by old aklog) even though the afs

[OpenAFS] Re: OpenAFS 1.7.26 windows and not changed AFS service principle - OK?

2013-07-25 Thread Andrew Deason
On Thu, 25 Jul 2013 13:23:54 -0400 Jeffrey Hutzelman jh...@cmu.edu wrote: After thinking about this, it seems like we could make this more robust, if the KDC doesn't do this. The behavior we're desiring is that a KDC just _prefers_ using session key enctypes where it has an associated

Re: [OpenAFS] Re: OpenAFS 1.7.26 windows and not changed AFS service principle - OK?

2013-07-25 Thread Benjamin Kaduk
I think jhutz has covered most of the points already, but: On Thu, 25 Jul 2013, Andrew Deason wrote: On Thu, 25 Jul 2013 11:36:52 -0400 (EDT) Benjamin Kaduk ka...@mit.edu wrote: and in the absence of other information, the KDC should not assume that a service supports an enctype for which it

Re: [OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document

2013-07-25 Thread Benjamin Kaduk
On Thu, 25 Jul 2013, Sergio Gelato wrote: I've been poking a bit into this. First of all, let's make sure I don't misunderstand your expectation here: do you want the KDC to be willing to issue a ticket with a des-cbc-crc session key (as requested by old aklog) even though the afs service

Re: [OpenAFS] Re: OpenAFS 1.7.26 windows and not changed AFS service principle - OK?

2013-07-25 Thread Douglas E. Engert
On 7/25/2013 2:16 PM, Benjamin Kaduk wrote: I think jhutz has covered most of the points already, but: On Thu, 25 Jul 2013, Andrew Deason wrote: On Thu, 25 Jul 2013 11:36:52 -0400 (EDT) Benjamin Kaduk ka...@mit.edu wrote: and in the absence of other information, the KDC should not assume

[OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document

2013-07-25 Thread Andrew Deason
On Thu, 25 Jul 2013 15:22:50 -0400 (EDT) Benjamin Kaduk ka...@mit.edu wrote: On Thu, 25 Jul 2013, Sergio Gelato wrote: I've been poking a bit into this. First of all, let's make sure I don't misunderstand your expectation here: do you want the KDC to be willing to issue a ticket with a

[OpenAFS] Re: OpenAFS 1.7.26 windows and not changed AFS service principle - OK?

2013-07-25 Thread Andrew Deason
On Thu, 25 Jul 2013 15:16:37 -0400 (EDT) Benjamin Kaduk ka...@mit.edu wrote: I know in draft-kaduk-afs3-rxkad-kdf-03 you/we explicitly say that KDCs need to not issue non-DES session keys when we only have a DES long-term key, but do they all actually do that? Is the reasoning there that

[OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document

2013-07-25 Thread Andrew Deason
On Thu, 25 Jul 2013 19:12:11 +0200 Sergio Gelato sergio.gel...@astro.su.se wrote: I've been poking a bit into this. First of all, let's make sure I don't misunderstand your expectation here: do you want the KDC to be willing to issue a ticket with a des-cbc-crc session key (as requested by

[OpenAFS] More questions about the re-keying document

2013-07-25 Thread stephen
First, I don't think I said this before, but to whomever wrote the rekeying document and the instructions for 1.4 and 1.6, thanks! It's great that these were available immediately, at the same time as the security vulnerability. I also think that eliminating DES is worth the pain of re-keying

Re: [OpenAFS] More questions about the re-keying document

2013-07-25 Thread Benjamin Kaduk
On Thu, 25 Jul 2013, step...@physics.unc.edu wrote: In going over the re-keying document, a few more questions popped into my mind that weren't clear from my reading of the document. In the Basic procedure for MIT, it mentions ensuring that DES should not be one of the encryption types in

Re: [OpenAFS] More questions about the re-keying document

2013-07-25 Thread Benjamin Kaduk
On Thu, 25 Jul 2013, Benjamin Kaduk wrote: There's another MIT-specific reason to not include a DES key in the rxkad.keytab, namely that the MIT KDC does not set requires_preauth on new principals by default. This means that if there's a DES key in the KDB, an unauthenticated attacker can

Re: [OpenAFS] OpenAFS 1.6.5 .src.rpm on RHEL 5.x Fails with cpio: MD5 sum mismatch

2013-07-25 Thread Jason Edgecombe
On 07/25/2013 07:47 AM, Brunckhorst, Ralf wrote: Hi, Similar issue with the src.rpm of the new version 1.6.5 like 1.6.2. Is it possible to fix this by providing a compatible src.rpm 1.6.5 for RHEL5? - Ralf Run rpm -i --nomd5 openafs-1.6.5.src.rpm to install it. RHEL5 doesn't