Current-Users archive


Re: kerberos issues with 10.0_BETA post openssl update



>so in actual usage pretty well everything is going to use
>aes256-cts-hmac-sha1-96 (unless you have a really old client out there) 
>but the KDC is still going to create or update keys of all three types, 
>and that is what's failing here.

My apologies; going back I realize I conflated the client issues with
your kadmind segfault and I was thinking your CLIENTS were segfaulting.

I see later on you just transitioned to AES enctypes, which is probably
for the best anyway.  It sounds like someone could still explicitly
use kadmin to ask for arcfour and cause a denial-of-service attack
against kadmind though.

--Ken

