Re: upcoming build and release developer flag day December 12 2016

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Nov 28, 2016 at 3:10 AM, Alexander Bokovoy <abokovoy@xxxxxxxxxx> wrote:
> On su, 27 marras 2016, Ken Dreyer wrote:
>>
>> On Wed, Nov 23, 2016 at 7:17 AM, Alexander Bokovoy <abokovoy@xxxxxxxxxx>
>> wrote:
>>>
>>> Heimdal does not support MS-KKDCP spec, so you are left with direct
>>> Kerberos communication over port 88/tcp or 88/udp, but these are enabled
>>> in Fedora infrastructure, yes.
>>
>>
>> I thought direct Kerberos service was going to be disabled, to prevent
>> attackers sniffing and brute-forcing the encrypted preauth timestamp?
>
> This is really a question to Fedora Infra people but last time we
> discussed, RHEL 6-based clients and alike were not getting MS-KKDCP
> features backported to older MIT Kerberos versions so to support them,
> direct access is required.

Correct. The Fedora Infrastructure team needs to balance the risk of
MitM offline dictionary attacks with the need for RHEL6 client access.

IMHO, there should already be a plan to sunset RHEL6 instances. But I
can't judge this based upon Fedora's internal needs.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux