Chris Hecker wrote:

> To be extra clear, this doesn't affect normal KDC client access with LDAP
> backends, only kadmin access? In other words, if I don't expose kadmin I
> don't have to freak out? What about password changing through a web
> interface (meaning only takes princ and password from the wild)?
That's correct, normal KDC client access is unaffected. If you do not expose kadmin there is no vulnerability. Password changes through a web interface should also be fine; the vulnerability requires the use of the -keepold argument to kadmin's cpw command. Since the web interface is (presumably) not using that flag, you are safe.

-Ben

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
