Re: kerberos issues with 10.0_BETA post openssl update

To: Mark Davies <mark%ecs.vuw.ac.nz@localhost>
Subject: Re: kerberos issues with 10.0_BETA post openssl update
From: Ken Hornstein <kenh%pobox.com@localhost>
Date: Sat, 09 Sep 2023 18:51:29 -0400

>so in actual usage pretty well everything is going to use
>aes256-cts-hmac-sha1-96 (unless you have a really old client out there) 
>but the KDC is still going to create or update keys of all three types, 
>and that is whats failing here.

My apologies; going back I realize I conflated the client issues with
your kadmind segfault and I was thinking your CLIENTS were segfaulting.

I see later on you just transitioned to AES enctypes, which is probably
for the best anyway.  It sounds like someone could still explicitly
use kadmin to ask for arcfour and cause a denial-of-service attack
against kadmind though.

--Ken

References:
- Re: kerberos issues with 10.0_BETA post openssl update
  - From: Taylor R Campbell
- Re: kerberos issues with 10.0_BETA post openssl update
  - From: Mark Davies
- Re: kerberos issues with 10.0_BETA post openssl update
  - From: Ken Hornstein
- Re: kerberos issues with 10.0_BETA post openssl update
  - From: Mark Davies

Prev by Date: Re: Growth in pool usage between netbsd-9 and -10?
Next by Date: daily CVS update output
Previous by Thread: Re: kerberos issues with 10.0_BETA post openssl update
Next by Thread: Re: kerberos issues with 10.0_BETA post openssl update
Indexes:

Home | Main Index | Thread Index | Old Index