release-team@conference.openafs.org
Saturday, November 29, 2014

GMT+0
[20:41:34] kaduk joins the room
[23:06:00] <kaduk> I was having a conversation with some folks a while back, and the topic of deprecating weak crypto came up, in particular eventually disabling it by default.
[23:07:47] <kaduk> I wonder if we should require the use of some new cmd switch to start server processes when only KeyFile keys are present, for 1.8.
[23:10:28] <Jeffrey Altman> I know one organization that would be very unhappy with such a change but I have no objection.
[23:11:58] <kaduk> I don't think we're yet at a point where we should break clients by default, though.
[23:13:16] <Jeffrey Altman> what would you do to break clients?
[23:14:04] <Jeffrey Altman> requiring non-DES session keys does nothing to improve security
[23:14:43] <kaduk> I don't know exactly.  Make aklog look at the ticket-encrypting enctype, maybe.
It's probably best to leave the client-side checks in the krb5 library.
[23:15:19] <Jeffrey Altman> kerberos clients should never look at the ticket encrypting enctype
[23:16:19] <Jeffrey Altman> nor would it be appropriate for aklog to look at the enctype of the TGT
[23:17:51] <kaduk> Yeah, there's not really anything for aklog to do.
[23:18:42] <Jeffrey Altman> changing the default crypt mode for clients would be something to do
[23:18:55] <kaduk> Perhaps.
[23:19:03] <kaduk> "But would it just give them a false sense of security?"
[23:19:26] <kaduk> I believe that the Debian and rpm init scripts run fs setcrypt on by default
[23:19:37] <kaduk> FreeBSD, too, not that that's particularly relevant.
[23:20:04] <Jeffrey Altman> and windows but not OSX, not Linux in general, not Solaris, nor AIX, etc.
[23:20:30] <Jeffrey Altman> there have been strong objections in the past.  I changed it for Windows because there was no working client on Windows at the time.
[23:21:44] <Jeffrey Altman> change the unix cm to use authenticated connections to the VL server.  
[23:25:11] <kaduk> I put it on the wiki; maybe we will talk about it on Wednesday
[23:44:14] <kaduk> I'm going to mark the rw-replication series as "not for 1.8"