[OpenAFS] OpenAFS Keberos Security Issues
Loren M. Lang
Sun, 20 Jul 2008 16:00:43 -0700
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
Content-Type: text/plain; charset=UTF-8; format=flowed
I am experimenting with OpenAFS 1.4 to evaluate using for my company.
We have a testing Kerberos 5 domain using AES256 encryption for all
existing users and services. I setup an OpenAFS file and database
server with kaserver disabled and asetkey to add a des-cbc-crc service
key to KeyFile. The server is now successfully running in our test domai=
A couple observations from what I've read about OpenAFS 1.4:
1. Currently, there is no support for anything besides DES encryption
between the Kerberos 5 servers and OpenAFS with make that that will be
weakest link in our network.
2. All OpenAFS file and/or database servers all use the same KeyFile
which means a root compromise on any single OpenAFS server equal to
compromising the entire cell.
I am not trying to bash OpenAFS, just understand the current state of
security in the production branch.
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----