[OpenAFS] AES Support ?
Tue, 2 Oct 2007 16:01:08 -0400
On Sep 27, 2007, at 2:32 PM, John Hascall wrote:
>> The same is true of disabling DES
>> keys in
>> your Kerberos v5 realm (have you done that yet?).
> Surely you jest, we're still struggling to get rid of K4.
Actually, our k4 to k5 conversion turned out to be a reasonable (if
exhausting) model of how to do it -
Start monitoring k4 use and twisting arms.
Escalated threats^H^H^H^H^H^H^H efforts accompanied by examples from
other universities getting hacked ("You don't want to wind up like
Ohio State" is a very potent phrase at Michigan).
Rolling cycles of:
1. Pick a subnet
2. Identify k4 users/hosts
3. Announce to them a date that k4 will stop working, repeatedly in
their face. "Yes, we mean you."
4. Filter out k4 traffic on date.
5. If no problems, done. Otherwise loosen up filter a bit and return
to step 3 for ever-smaller set of users.
You can do many subnets simultaneously.
I think it took us nearly a year, but my brain refuses to disgorge
the details. And we still have a few legacy administrative hosts
doing k4, but it's completely blocked for everything except those few
IP addresses. And those machines are in process of being de-commed.
Which reminds me, I need to go power down one of them.
The same process has to be applied with DES.