Re: upcoming build and release developer flag day December 12 2016

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 11/21/2016 10:32 AM, Florian Weimer wrote:
> On 11/21/2016 04:03 PM, Alexander Bokovoy wrote:
> 
>> Fedora infrastructure uses MS-KKDCP proxy with Fedora certificate to
>> tunnel Kerberos 5 traffic. If you have recent Fedora, you'll get it used
>> automatically with the help of DNS URI. For older clients which don't
>> support DNS-based discovery you can configure MS-KKDCP proxy access
>> manually by stating 'kdc=https://id.fedoraproject.org/KdcProxy' for
>> FEDORAPROJECT.ORG realm. For very old clients that don't support
>> MS-KKDCP (RHEL 6, for example), you are back to use naked Kerberos 5
>> traffic.
> 
> Shouldn't everyone configure things this way to prevent downgrade attacks (which
> could happen even accidentally due to timeouts and things)?
> 

Yes, as I mentioned elsewhere, we should probably have the fedora-packager RPM
ship with a krb5.conf.d snippet that sets the appropriate values.


Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux