On 11/21/2016 10:32 AM, Florian Weimer wrote: > On 11/21/2016 04:03 PM, Alexander Bokovoy wrote: > >> Fedora infrastructure uses MS-KKDCP proxy with Fedora certificate to >> tunnel Kerberos 5 traffic. If you have recent Fedora, you'll get it used >> automatically with the help of DNS URI. For older clients which don't >> support DNS-based discovery you can configure MS-KKDCP proxy access >> manually by stating 'kdc=https://id.fedoraproject.org/KdcProxy' for >> FEDORAPROJECT.ORG realm. For very old clients that don't support >> MS-KKDCP (RHEL 6, for example), you are back to use naked Kerberos 5 >> traffic. > > Shouldn't everyone configure things this way to prevent downgrade attacks (which > could happen even accidentally due to timeouts and things)? > Yes, as I mentioned elsewhere, we should probably have the fedora-packager RPM ship with a krb5.conf.d snippet that sets the appropriate values.
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx