openafs@conference.openafs.org
Thursday, May 21, 2015

GMT+0
[00:50:35] mvita joins the room
[01:19:29] mvita leaves the room
[01:50:00] mvita joins the room
[02:42:10] nwf joins the room
[04:29:20] mvita leaves the room
[09:00:16] Jeffrey Altman leaves the room
[09:01:09] Jeffrey Altman joins the room
[11:42:03] shadow@gmail.com/barnowlC91EEAD3 leaves the room
[13:29:14] Simon Wilkinson joins the room
[13:44:52] Simon Wilkinson leaves the room
[14:01:26] mvita joins the room
[14:22:34] meffie joins the room
[14:31:58] Simon Wilkinson joins the room
[15:04:41] kaduk joins the room
[15:10:48] Simon Wilkinson leaves the room
[15:14:50] Simon Wilkinson joins the room
[15:31:35] Simon Wilkinson leaves the room
[17:00:12] meffie leaves the room
[18:07:23] shadow@gmail.com/barnowl8C53356F joins the room
[18:57:25] <kaduk> Daria, any thoughts about my darwin issue?
[19:06:56] <shadow@gmail.com/barnowl8C53356F> the SC_ mumble crap?
[19:09:13] <kaduk> yeah
[19:09:38] <shadow@gmail.com/barnowl8C53356F> --- a/src/afs/sysctl.h
+++ b/src/afs/sysctl.h
@@ -23,6 +23,10 @@
#define AFS_SC_DARWIN_80                        6
#define AFS_SC_DARWIN_90                        7
#define AFS_SC_DARWIN_100                       8
+#define AFS_SC_DARWIN_110                       9
+#define AFS_SC_DARWIN_120                       10
+#define AFS_SC_DARWIN_130                       11
+#define AFS_SC_DARWIN_140                       12

/* AFS_SC_DARWIN_ALL sysctls */
#define AFS_SC_DARWIN_ALL_REALMODES             1
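Review bot: the new AFS_SC_DARWIN_110 through AFS_SC_DARWIN_140 defines extend a hand-numbered list (9 to 12) with nothing telling the next person that each new Darwin release needs its own entry here. Consider a one-line comment above the list saying so, and confirm that 9 through 12 are not already taken elsewhere in this sysctl namespace, since the hunk only shows 6 to 8 as context.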
[19:09:55] <kaduk> Easy enough :)
[19:15:11] <shadow@gmail.com/barnowl8C53356F> it was missed from ab9bb6363ca95f658764fbb9fb68ec88f89a5b3f
[19:15:29] <kaduk> *nods*
[19:15:50] <kaduk> I will push it to gerrit after I upload a new rxgk-afs draft, if you don't beat me to it.
[19:16:36] <shadow@gmail.com/barnowl8C53356F> odds i will beat you are low as i have a dirty sandbox and a full disk
[19:16:56] <kaduk> full disks are no fun
[19:17:22] <shadow@gmail.com/barnowl8C53356F> this laptop will be replaced basically as soon as i see the friend who is getting me a discount on a new one
[20:31:15] gendalia joins the room
[20:31:32] gendalia leaves the room
[21:17:34] Simon Wilkinson joins the room
[21:19:01] <kaduk> Hi, Simon.
[21:19:37] <Simon Wilkinson> Hi Ben. Not really here - have a flight in 4hrs, so need to get some sleep.
[21:19:45] <kaduk> Sleep is important :)
[21:20:08] <kaduk> It would be good to get more eyes on the -08 of the rxgk-afs document that I just submitted
[21:20:13] <kaduk> (after you sleep)
[21:20:33] <Simon Wilkinson> Not sure about your analysis on afs3-stds - a non-departmental fileserver already has the ability to impersonate any user, so I don't think the attack you describe is one that we need worry about.
[21:21:22] <kaduk> It's only a concern if departmental fileservers are in play, probably.
[21:24:10] <Simon Wilkinson> But a departmental fileserver has a different key from the cell wide key, so can't see tickets that aren't their own.
[21:24:24] <kaduk> It can't peek inside them, yes.
[21:24:53] <kaduk> But if it already knows the master key inside a token for a different fileserver, and can sniff a copy of that token, then it can use that token to impersonate the user to that other fileserver.
[21:24:56] <Simon Wilkinson> And it needs to peek inside the ticket to get the key whose derivation concerns you, right?
[21:25:42] <Simon Wilkinson> By master key, do you mean K0?
[21:25:51] <kaduk> Yes, K0.
[21:26:01] <Simon Wilkinson> So how would it know K0?
[21:26:14] <kaduk> The case I'm concerned about is if K0 is the same for two different tokens, for two different (departmental) fileservers.
[21:26:28] <kaduk> Well, two different servers in general, one of which is a departmental fileserver.
[21:26:41] <Simon Wilkinson> Yeah, that shouldn't happen.
[21:27:04] <Simon Wilkinson> K0 being the same for tokens to non-departmental fileservers is fine - they're all in the same security domain.
[21:27:22] <Simon Wilkinson> But you don't want the same K0 being used for connections to two different security domains.
[21:27:38] <kaduk> It's probably fine, yes.  Maybe there is some issue about duplicated ciphertexts, but I think we have enough state from rx in the header that it's fine.
[21:28:02] <kaduk> ("duplicated ciphertexts" is a meaningless phrase, sorry)
[21:28:13] <Simon Wilkinson> The confounder should deal with that, regardless of our key choice.
[21:29:30] <kaduk> *nods*
I don't have anything concrete to point to, I just haven't analyzed the full system enough to be 100% confident.
[21:31:36] <kaduk> It's easier to reason about things when keys are reused as few times as possible
[21:31:52] <Simon Wilkinson> But yeah, CombineTokens does need addressed for the departmental case. I'm not sure we need to change it for the non-departmental case.
[21:32:34] <kaduk> It seems simpler to just incorporate the UUID always instead of having to do a lookup.
[21:33:00] <Simon Wilkinson> Perhaps. I need to think on it more.
[21:33:07] <kaduk> Sure.
[23:25:29] kaduk leaves the room