[OpenAFS] OpenAFS Kerberos Security Issues

Loren M. Lang lorenl@north-winds.org
Sun, 20 Jul 2008 16:00:43 -0700



I am experimenting with OpenAFS 1.4 to evaluate using it for my company.
We have a testing Kerberos 5 domain using AES256 encryption for all
existing users and services.  I set up an OpenAFS file and database
server with kaserver disabled and used asetkey to add a des-cbc-crc service
key to KeyFile.  The server is now successfully running in our test domain.

A couple observations from what I've read about OpenAFS 1.4:

1. Currently, there is no support for anything besides DES encryption
between the Kerberos 5 servers and OpenAFS, which makes it the
weakest link in our network.

2. All OpenAFS file and/or database servers use the same KeyFile,
which means a root compromise on any single OpenAFS server is equal to
compromising the entire cell.

I am not trying to bash OpenAFS, just understand the current state of
security in the production branch.



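The shared KeyFile in observation 2 is worth looking at concretely, since it is exactly what a root compromise of any one server reads out. The following Python is an added example, not code from the post above or from OpenAFS: it builds and parses a KeyFile image and audits each des-cbc-crc slot for parity and weak-key problems. It assumes the OpenAFS 1.4 on-disk layout (a big-endian 32-bit key count followed by eight fixed slots of a big-endian kvno plus an 8-byte raw DES key, 100 bytes in all, unused slots zero-filled); verify that against your build. The sample keys are constructed and every function name is the example's own.

```python
"""Audit an OpenAFS 1.4 KeyFile: what root on any one server hands an
attacker, and whether the DES keys in it are well formed.

Added example, not OpenAFS code.  Assumed on-disk layout (taken from the
OpenAFS 1.4 SaveKeys/LoadKeys routines; verify against your build):
big-endian 32-bit key count, then 8 fixed slots of
(big-endian 32-bit kvno, 8-byte raw DES key); unused slots are zero.
"""
import struct

MAX_KEYS = 8                       # AFSCONF_MAXKEYS (assumed)
HEADER = struct.Struct(">i")       # nkeys
SLOT = struct.Struct(">i8s")       # kvno, des-cbc-crc key
KEYFILE_SIZE = HEADER.size + MAX_KEYS * SLOT.size   # 100 bytes

# DES weak and semi-weak keys (FIPS PUB 74), written in odd-parity form.
WEAK_KEYS = {bytes.fromhex(h) for h in (
    "0101010101010101", "FEFEFEFEFEFEFEFE", "E0E0E0E0F1F1F1F1", "1F1F1F1F0E0E0E0E",
    "01FE01FE01FE01FE", "FE01FE01FE01FE01", "1FE01FE00EF10EF1", "E01FE01FF10EF10E",
    "01E001E001F101F1", "E001E001F101F101", "1FFE1FFE0EFE0EFE", "FE1FFE1FFE0EFE0E",
    "011F011F010E010E", "1F011F010E010E01", "E0FEE0FEF1FEF1FE", "FEE0FEE0FEF1FEF1",
)}


def has_odd_parity(key: bytes) -> bool:
    """Each DES key byte is 7 key bits plus a low parity bit making it odd."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def fix_parity(key: bytes) -> bytes:
    """Recompute the parity bit of every byte so the 56 key bits compare cleanly."""
    out = bytearray()
    for b in key:
        key_bits = b & 0xFE
        out.append(key_bits | (1 if bin(key_bits).count("1") % 2 == 0 else 0))
    return bytes(out)


def pack_keyfile(keys):
    """Build a KeyFile image from [(kvno, key)], padding to MAX_KEYS slots."""
    if len(keys) > MAX_KEYS:
        raise ValueError("KeyFile holds at most %d keys" % MAX_KEYS)
    body = b"".join(SLOT.pack(kvno, key) for kvno, key in keys)
    body += bytes(SLOT.size * (MAX_KEYS - len(keys)))
    return HEADER.pack(len(keys)) + body


def parse_keyfile(data: bytes):
    """Return [(kvno, key)] for the populated slots; reject implausible counts."""
    if len(data) < HEADER.size:
        raise ValueError("truncated KeyFile")
    (nkeys,) = HEADER.unpack_from(data, 0)
    if not 0 <= nkeys <= MAX_KEYS:
        raise ValueError("implausible key count %d" % nkeys)
    if len(data) < HEADER.size + nkeys * SLOT.size:
        raise ValueError("KeyFile shorter than its key count implies")
    return [SLOT.unpack_from(data, HEADER.size + i * SLOT.size)
            for i in range(nkeys)]


def audit_key(kvno: int, key: bytes):
    """Flag parity and weak-key problems; the 56-bit strength is inherent to DES."""
    issues = []
    if len(key) != 8:
        issues.append("not a DES key")
    else:
        if not has_odd_parity(key):
            issues.append("bad DES parity")
        if fix_parity(key) in WEAK_KEYS:
            issues.append("weak or semi-weak DES key")
    return {"kvno": kvno, "key_hex": key.hex(), "issues": issues}


def audit_keyfile(data: bytes):
    return [audit_key(kvno, key) for kvno, key in parse_keyfile(data)]


# Constructed sample, not real cell keys: kvno 3 is a well-formed key,
# kvno 2 is the weak key with all key bits zero, kvno 1 fails parity and
# is that same weak key once parity is corrected.
SAMPLE_KEYFILE = pack_keyfile([
    (3, bytes.fromhex("0123456789abcdef")),
    (2, bytes.fromhex("0101010101010101")),
    (1, bytes(8)),
])

if __name__ == "__main__":
    for entry in audit_keyfile(SAMPLE_KEYFILE):
        print("kvno %(kvno)d key %(key_hex)s issues %(issues)s" % entry)
```

Pointing `audit_keyfile` at a copy of the real KeyFile (root-only on the server) shows that the server side holds nothing but raw 56-bit DES keys; because every server in the cell carries the same file, one such copy is all an attacker needs to mint tokens for the whole cell, which is the combination of observations 1 and 2 above.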