[OpenAFS] OpenAFS Keberos Security Issues
Brandon S. Allbery KF8NH
Sun, 20 Jul 2008 19:24:09 -0400
On 2008 Jul 20, at 19:00, Loren M. Lang wrote:
> 1. Currently, there is no support for anything besides DES encryption
> between the Kerberos 5 servers and OpenAFS with make that that will be
> weakest link in our network.
> 2. All OpenAFS file and/or database servers all use the same KeyFile
> which means a root compromise on any single OpenAFS server equal to
> compromising the entire cell.
Correct. Both are known issues; there is active work on rxk5 which
will address the former, and the latter is on the roadmap.
brandon s. allbery [solaris,freebsd,perl,pugs,haskell] firstname.lastname@example.org
system administrator [openafs,heimdal,too many hats] email@example.com
electrical and computer engineering, carnegie mellon university KF8NH