[OpenAFS] OpenAFS Keberos Security Issues

Brandon S. Allbery KF8NH allbery@ece.cmu.edu
Sun, 20 Jul 2008 19:24:09 -0400

On 2008 Jul 20, at 19:00, Loren M. Lang wrote:

> 1. Currently, there is no support for anything besides DES encryption
> between the Kerberos 5 servers and OpenAFS with make that that will be
> weakest link in our network.
> 2. All OpenAFS file and/or database servers all use the same KeyFile
> which means a root compromise on any single OpenAFS server equal to
> compromising the entire cell.

Correct.  Both are known issues; there is active work on rxk5 which  
will address the former, and the latter is on the roadmap.

brandon s. allbery [solaris,freebsd,perl,pugs,haskell] allbery@kf8nh.com
system administrator [openafs,heimdal,too many hats] allbery@ece.cmu.edu
electrical and computer engineering, carnegie mellon university    KF8NH