[OpenAFS] OpenAFS 1.6.9 and AES tickets

Martin Richter martin.richter@nmgr.net
Thu, 31 Jul 2014 16:12:18 +0200


So this means that client caching can't be used anymore after DES has been
removed from the KDC?

Regs

Martin
On Thu, 31 Jul 2014 13:48:36 +0000
  Brandon Allbery <ballbery@sinenomine.net> wrote:
> On Thu, 2014-07-31 at 15:32 +0200, Martin Richter wrote:
>> for any reason I just missed the three documents.... Thanks a lot!
>> On Thu, 31 Jul 2014 09:09:11 -0400 (EDT)
>> Benjamin Kaduk <kaduk@MIT.EDU> wrote:
>>
>>         On Thu, 31 Jul 2014, Martin Richter wrote:
>>
>>                 since I wasn't able to find out now is there any
>>                 official statement whether or when more secure
>>                 kerberos tickets (like AES) will be supported?
>>
>>                 DES isn't the best choice and anything I've found was
>>                 dated back years ago.
>>
>>         Are you familiar with the content of
>>
>>         http://openafs.org/pages/security/OPENAFS-SA-2013-003.txt
>>         http://openafs.org/pages/security/install-rxkad-k5-1.6.txt
>>         http://openafs.org/pages/security/how-to-rekey.txt
>
> It should be noted that cache managers still use a DES variant even with
> these; the work to fix that is ongoing, as it requires an entire new
> protocol above the rx level.
>
> -- 
> brandon s allbery kf8nh                           sine nomine associates
> allbery.b@gmail.com
>                             ballbery@sinenomine.net
> unix openafs kerberos infrastructure xmonad
>       http://sinenomine.net
