[OpenAFS] ADS and MIT Kerberos transition auth continued
Douglas E. Engert
deengert@anl.gov
Thu, 09 Jul 2009 10:50:55 -0500
Eric Chris Garrison wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Jeffrey Altman wrote:
>> Garrison, Eric C wrote:
>>
>>> 07/08/09 14:53:56 07/09/09 00:53:44 afs/afstest.iu.edu@ADS.IU.EDU
>>> renew until 07/09/09 14:53:40, Etype (skey, tkt): AES-256 CTS mode
>>> with 96-bit
>>> SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
>>>
>>> So what else should I look for in the token being bad in another way?
>> The answer is right above. AES-256 is not DES-CBC-CRC
>
> I'm told by our ADS admin that DES3 isn't supported, and DES-CBC-CRC is
> somewhat weak by modern standards.
AFS currently only supports DES. So with AFS today you have no choice. What this
means is the with the AFS principal in AD you must specify with ktpass -DesOnly
Only the service ticket for AFS will use DES, so it does not effect the rest of AD.
> How concerned should I be?
Depends on what data you put in AFS, and is the AFS network traffic sniffable
You would need to do a risk assessment of you situation.
> Is there another option that's secure and supported in AD?
Not today, but there are AFS mods in development to fix this.
>
> Thanks,
>
> Chris
> - --
> Eric Chris Garrison | Principal Mass Storage Specialist
> ecgarris@iupui.edu | Indiana University - Research Storage
> W: 317-278-1207 M: 317-250-8649 | Jabber IM: ecgarris@iupui.edu
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFKVfSLG2WsK8XoJWURAkgCAJ9DnJH4qORTrcxVOiAcsoRE6x3cfgCcCnCq
> L8P+s07RQgt6qvU6+Bhes7o=
> =/Cv/
> -----END PGP SIGNATURE-----
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
>
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444