On Mon, 21 Nov 2016, Florian Weimer wrote:
> On 11/21/2016 04:03 PM, Alexander Bokovoy wrote:
>
>> Fedora infrastructure uses MS-KKDCP proxy with Fedora certificate to
>> tunnel Kerberos 5 traffic. If you have a recent Fedora, you'll get it used
>> automatically with the help of DNS URI. For older clients which don't
>> support DNS-based discovery you can configure MS-KKDCP proxy access
>> manually by stating 'kdc=https://id.fedoraproject.org/KdcProxy' for
>> FEDORAPROJECT.ORG realm. For very old clients that don't support
>> MS-KKDCP (RHEL 6, for example), you are back to using naked Kerberos 5
>> traffic.
>
> Shouldn't everyone configure things this way to prevent downgrade attacks (which could happen even accidentally due to timeouts and things)?
Done in rawhide already -- see fedora-packager package and the reference
Patrick provided in another response.

For Fedora versions before MIT Kerberos 1.13 we cannot do anything. 1.13
was part of Fedora 22, though, so for the last two years we have had a solution
to the problem.
--
/ Alexander Bokovoy
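
An added example, not part of the original message or of any Fedora package: a small audit of a krb5.conf that reports, per realm, whether every listed `kdc` is an HTTPS KdcProxy URL or whether a plain Kerberos entry is also configured, which is the fallback case the thread is concerned with. The sample file is constructed; EXAMPLE.TEST, NOKDC.TEST and their hosts are made up, and the parser assumes realm blocks without nested subsections or include directives.

```python
import re

# Constructed sample krb5.conf; EXAMPLE.TEST, NOKDC.TEST and their hosts are made up.
SAMPLE = """\
[libdefaults]
    default_realm = FEDORAPROJECT.ORG

[realms]
    FEDORAPROJECT.ORG = {
        kdc = https://id.fedoraproject.org/KdcProxy
    }
    EXAMPLE.TEST = {
        kdc = https://proxy.example.test/KdcProxy
        # plain Kerberos entry next to the proxy: traffic may bypass the tunnel
        kdc = kdc1.example.test:88
    }
    NOKDC.TEST = {
        admin_server = kadmin.nokdc.test
    }

[domain_realm]
    .example.test = EXAMPLE.TEST
"""

def realm_kdcs(text):
    """Return {realm: [kdc values]} for each realm block under [realms]."""
    section = re.search(r"^\[realms\][ \t]*$(.*?)(?=^\[|\Z)", text, re.M | re.S)
    if not section:
        return {}
    blocks = re.finditer(r"^[ \t]*(\S+)[ \t]*=[ \t]*\{(.*?)^[ \t]*\}", section.group(1), re.M | re.S)
    return {b.group(1): re.findall(r"^[ \t]*kdc[ \t]*=[ \t]*(\S+)", b.group(2), re.M)
            for b in blocks}

def classify(kdcs):
    """Label a realm by how its listed KDCs are reached."""
    if not kdcs:
        return "unlisted"    # nothing pinned here; location is left to DNS discovery where enabled
    proxied = [k.lower().startswith("https://") for k in kdcs]
    if all(proxied):
        return "proxy-only"  # every listed KDC is an MS-KKDCP URL over HTTPS
    return "mixed" if any(proxied) else "plain"

def audit(text):
    return {realm: classify(kdcs) for realm, kdcs in realm_kdcs(text).items()}

if __name__ == "__main__":
    for realm, verdict in audit(SAMPLE).items():
        print(f"{realm}: {verdict}")
```
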