On 11/21/2016 04:03 PM, Alexander Bokovoy wrote:
Fedora infrastructure uses MS-KKDCP proxy with Fedora certificate to tunnel Kerberos 5 traffic. If you have recent Fedora, you'll get it used automatically with the help of DNS URI. For older clients which don't support DNS-based discovery you can configure MS-KKDCP proxy access manually by stating 'kdc=https://id.fedoraproject.org/KdcProxy' for FEDORAPROJECT.ORG realm. For very old clients that don't support MS-KKDCP (RHEL 6, for example), you are back to use naked Kerberos 5 traffic.
Shouldn't everyone configure things this way to prevent downgrade attacks (which could happen even accidentally due to timeouts and things)?
Thanks, Florian _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org
