On Sep 27, 2007, at 2:32 PM, John Hascall wrote:
>> The same is true of disabling DES keys in your Kerberos v5 realm (have you done that yet?).
> Surely you jest, we're still struggling to get rid of K4.
Actually, our k4 to k5 conversion turned out to be a reasonable (if
exhausting) model of how to do it -
Start monitoring k4 use and twisting arms.
Escalated threats^H^H^H^H^H^H^H efforts accompanied by examples from
other universities getting hacked ("You don't want to wind up like
Ohio State" is a very potent phrase at Michigan).
Rolling cycles of:
1. Pick a subnet
2. Identify k4 users/hosts
3. Announce to them a date that k4 will stop working, repeatedly in
their face. "Yes, we mean you."
4. Filter out k4 traffic on date.
5. If no problems, done. Otherwise loosen up filter a bit and return
to step 3 for ever-smaller set of users.
You can do many subnets simultaneously.
I think it took us nearly a year, but my brain refuses to disgorge
the details. And we still have a few legacy administrative hosts
doing k4, but it's completely blocked for everything except those few
IP addresses. And those machines are in the process of being de-commed.
Which reminds me, I need to go power down one of them.
The same process has to be applied with DES.
_______________________________________________
OpenAFS-info mailing list
https://lists.openafs.org/mailman/listinfo/openafs-info
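
Step 2 of the cycle described above (identify the users/hosts on a subnet), applied to the DES case, as an added example that is not part of the original message: it groups clients that were issued single-DES tickets by subnet. The log line shape is an assumption modeled on MIT krb5kdc "ISSUE" lines, and the sample lines, realm and addresses are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Single-DES enctype numbers: 1 = des-cbc-crc, 2 = des-cbc-md4, 3 = des-cbc-md5.
DES_ETYPES = {1, 2, 3}

# Assumed log shape (modeled on MIT krb5kdc ISSUE lines); adjust for your KDC.
ISSUE_RE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \(.*?\) (?P<ip>\d+\.\d+\.\d+\.\d+): ISSUE: .*?"
    r"etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, "
    r"(?P<client>\S+) for (?P<service>\S+)"
)

# Constructed sample input, not taken from any real KDC.
SAMPLE_LOG = [
    "Sep 27 14:32:01 kdc1 krb5kdc[812](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) "
    "192.0.2.17: ISSUE: authtime 1190917921, etypes {rep=18 tkt=18 ses=18}, "
    "alice@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU",
    "Sep 27 14:32:05 kdc1 krb5kdc[812](info): TGS_REQ (1 etypes {1}) "
    "192.0.2.44: ISSUE: authtime 1190917900, etypes {rep=18 tkt=1 ses=1}, "
    "bob@EXAMPLE.EDU for afs/example.edu@EXAMPLE.EDU",
    "Sep 27 14:33:10 kdc1 krb5kdc[812](info): AS_REQ (2 etypes {3 1}) "
    "198.51.100.9: ISSUE: authtime 1190917990, etypes {rep=3 tkt=18 ses=3}, "
    "host/legacy.example.edu@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU",
    "Sep 27 14:33:12 kdc1 krb5kdc[812](info): AS_REQ (1 etypes {1}) "
    "192.0.2.44: NEEDED_PREAUTH: bob@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU",
]

def des_use_by_subnet(lines, prefix=24):
    """Map subnet -> {(client, host_ip, service)} for tickets issued with DES."""
    found = defaultdict(set)
    for line in lines:
        m = ISSUE_RE.search(line)
        if not m:
            continue  # not an ISSUE line (errors, preauth prompts, other daemons)
        used = {int(m[k]) for k in ("rep", "tkt", "ses")}
        if used & DES_ETYPES:
            net = ipaddress.ip_network(f"{m['ip']}/{prefix}", strict=False)
            found[str(net)].add((m["client"], m["ip"], m["service"]))
    return dict(found)

def holdouts(report, subnet):
    """Hosts on one subnet still seen using DES: the set to notify before the cutoff."""
    return sorted({ip for _, ip, _ in report.get(subnet, set())})

if __name__ == "__main__":
    for subnet, users in sorted(des_use_by_subnet(SAMPLE_LOG).items()):
        print(subnet, sorted(users))
```

Re-running this over each day's log shows whether the set for a subnet is shrinking between announcement rounds.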