Loren M. Lang wrote:
I am experimenting with OpenAFS 1.4 to evaluate using it for my company.
We have a testing Kerberos 5 domain using AES256 encryption for all
existing users and services.  I set up an OpenAFS file and database
server with kaserver disabled and used asetkey to add a des-cbc-crc service
key to KeyFile.  The server is now successfully running in our test domain.

A couple observations from what I've read about OpenAFS 1.4:

1. Currently, there is no support for anything besides DES encryption
between the Kerberos 5 servers and OpenAFS, which will make that the
weakest link in our network.

correct

2. All OpenAFS file and/or database servers use the same KeyFile,
which means a root compromise on any single OpenAFS server is equal to
compromising the entire cell.

correct

I am not trying to bash OpenAFS, just understand the current state of
security in the production branch.
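
Added example, not part of the original thread: a check that flags single-DES service keys in a keytab listing, the situation described in observation 1. The sample listing, the realm EXAMPLE.COM, the principal names and the function names are constructed; the assumed line format is the `KVNO principal (enctype)` layout printed by `klist -ke`.

```python
import re

# Single-DES enctype names as used by MIT Kerberos.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}

# Assumed entry format: "<kvno> <principal> (<enctype>)". Newer MIT releases
# prefix deprecated enctypes with "DEPRECATED:", which is stripped here.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((?:DEPRECATED:)?([^)]+)\)\s*$")

# Constructed sample listing (not from the original post).
SAMPLE = """\
Keytab name: FILE:/tmp/example.keytab
KVNO Principal
---- ------------------------------------------------
   3 afs/example.com@EXAMPLE.COM (des-cbc-crc)
   2 host/fs1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 host/fs1.example.com@EXAMPLE.COM (DEPRECATED:des-cbc-md5)
"""


def parse_entries(listing):
    """Return (kvno, principal, enctype) tuples; header lines are skipped."""
    entries = []
    for line in listing.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3).lower()))
    return entries


def weak_entries(listing):
    """Every key entry whose enctype is single DES."""
    return [e for e in parse_entries(listing) if e[2] in WEAK_ENCTYPES]


def des_only_principals(listing):
    """Principals that have no key stronger than single DES."""
    by_principal = {}
    for _, principal, enctype in parse_entries(listing):
        by_principal.setdefault(principal, set()).add(enctype)
    return sorted(p for p, encs in by_principal.items() if encs <= WEAK_ENCTYPES)


if __name__ == "__main__":
    for kvno, principal, enctype in weak_entries(SAMPLE):
        print(f"weak key: {principal} kvno={kvno} enctype={enctype}")
    print("DES-only principals:", des_only_principals(SAMPLE))
```

A principal reported by `des_only_principals` has no stronger key to fall back on, so tickets for it are protected by single DES regardless of the enctypes used elsewhere in the realm.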
