On Mon, 28 Nov 2016 11:51:36 -0500 Nathaniel McCallum <npmccallum@xxxxxxxxxx> wrote: > On Mon, Nov 28, 2016 at 3:10 AM, Alexander Bokovoy > <abokovoy@xxxxxxxxxx> wrote: > > On su, 27 marras 2016, Ken Dreyer wrote: > >> > >> On Wed, Nov 23, 2016 at 7:17 AM, Alexander Bokovoy > >> <abokovoy@xxxxxxxxxx> wrote: > >>> > >>> Heimdal does not support MS-KKDCP spec, so you are left with > >>> direct Kerberos communication over port 88/tcp or 88/udp, but > >>> these are enabled in Fedora infrastructure, yes. > >> > >> > >> I thought direct Kerberos service was going to be disabled, to > >> prevent attackers sniffing and brute-forcing the encrypted preauth > >> timestamp? > > > > This is really a question to Fedora Infra people but last time we > > discussed, RHEL 6-based clients and alike were not getting MS-KKDCP > > features backported to older MIT Kerberos versions so to support > > them, direct access is required. > > Correct. The Fedora Infrastructure team needs to balance the risk of > MitM offline dictionary attacks with the need for RHEL6 client access. > > IMHO, there should already be a plan to sunset RHEL6 instances. But I > can't judge this based upon Fedora's internal needs. Right, RHEL6 is still a supported client for us, so we are currently providing access so they can work. As soon as something happens to let us drop that direct access we likely will do so. ;) kevin
Attachment:
pgpPtiOFNi2_2.pgp
Description: OpenPGP digital signature
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
