[OpenAFS] ADS and MIT Kerberos transition auth continued
Russ Allbery
rra@stanford.edu
Thu, 09 Jul 2009 07:56:10 -0700
Eric Chris Garrison <ecgarris@iupui.edu> writes:
> Jeffrey Altman wrote:
>> The answer is right above. AES-256 is not DES-CBC-CRC
>
> I'm told by our ADS admin that DES3 isn't supported,
That wouldn't help; AFS doesn't support DES3 anyway.
> and DES-CBC-CRC is somewhat weak by modern standards. How concerned
> should I be?
About as concerned as everyone else running AFS. It's a known weakness,
and there are various efforts underway to address it over time, such as
the rxk5 work which is available on a branch for testing. There isn't
any solution ready yet for production use.
> Is there another option that's secure and supported in AD?
No.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>