On Mon, Nov 28, 2016 at 3:10 AM, Alexander Bokovoy <abokovoy@xxxxxxxxxx> wrote: > On su, 27 marras 2016, Ken Dreyer wrote: >> >> On Wed, Nov 23, 2016 at 7:17 AM, Alexander Bokovoy <abokovoy@xxxxxxxxxx> >> wrote: >>> >>> Heimdal does not support MS-KKDCP spec, so you are left with direct >>> Kerberos communication over port 88/tcp or 88/udp, but these are enabled >>> in Fedora infrastructure, yes. >> >> >> I thought direct Kerberos service was going to be disabled, to prevent >> attackers sniffing and brute-forcing the encrypted preauth timestamp? > > This is really a question to Fedora Infra people but last time we > discussed, RHEL 6-based clients and alike were not getting MS-KKDCP > features backported to older MIT Kerberos versions so to support them, > direct access is required. Correct. The Fedora Infrastructure team needs to balance the risk of MitM offline dictionary attacks with the need for RHEL6 client access. IMHO, there should already be a plan to sunset RHEL6 instances. But I can't judge this based upon Fedora's internal needs. _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx