On 5/18/2015 3:51 PM, Stephen Roseman wrote:
> It's not important, but I thought I'd run kadb_check on a current
> kaserver.DB0 (yes, I'm planning to switch to K5 before I retire...) and
> it complains about bad entries, and the -entries switch returns "funny
> stuff".
>
> I've run it on various Centos 6 systems, with openafs 1.6.1 to 1.6.11,
> pulling the file kaserver.DB0 from various places. I generally compile
> my own openafs, but I extracted a kadb_check binary from the release
> 1.6.11.1 rpm. Always the same.
>
> I copied kaserver.DB0 to an old AIX system, and its kadb_check works fine.
>
> https://lists.openafs.org/pipermail/openafs-info/2010-April/033520.html
> mentions "/2/ fix kadb_check to produce correct output. Should match on
> little and big-endian machines."
>
> Should I just forget about the whole thing and go home?
>
> Thanks,
> Steve
To be clear, migrating away from kaserver is not just a nice thing to do. It is an absolute requirement if you care about preserving the privacy and integrity of the data maintained in your cell. This has been the case since the announcement of https://www.openafs.org/pages/security/#OPENAFS-SA-2013-003, which is not an AFS-specific issue but impacts all network services that use Kerberos for authentication and have DES keys assigned to them. kaserver is the worst case of this because, unlike up-to-date Kerberos v5 KDCs, kaserver only supports DES. In brief, if the attacker can request a service ticket that includes a DES service key, the attacker can brute force the key and begin to force Kerberos tickets in less than a day and for the cost of a few beers in NYC.

Since April 2010 there have been a large number of fixes to kaserver to correct issues that were identified by Coverity, clang, and other automated tools, as well as some changes that were instituted across the entire source tree. There is very limited, if any, testing of kaserver and related tools any longer. As such, it would not surprise me for there to still be endian issues. If you care to fix them, patches can be submitted against the master branch via http://gerrit.openafs.org/. Please read the guidance at http://wiki.openafs.org/GitDevelopers/ before submitting any patches. It is unlikely that anyone that isn't actively using kaserver will volunteer to fix it.

Jeffrey Altman
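The DES exposure Jeffrey describes is straightforward to audit on the service side. The following added example (not OpenAFS or MIT Kerberos project code) parses an MIT-format keytab and flags any principal that still holds a single-DES key; the keytab bytes are constructed inline for a hypothetical realm EXAMPLE.ORG.

```python
import struct

# RFC 3961 enctype numbers for single DES; any of these is brute-forceable today.
WEAK_ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}


def _counted(data, p):
    """Read a 16-bit-length-prefixed string at offset p; return (string, new offset)."""
    (n,) = struct.unpack(">H", data[p:p + 2])
    return data[p + 2:p + 2 + n].decode(), p + 2 + n


def parse_keytab(data):
    """Parse an MIT keytab (format 0x0502) into (principal, enctype, kvno) tuples."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack(">i", data[off:off + 4])
        off += 4
        if size <= 0:                      # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack(">H", data[off:off + 2])
        p = off + 2
        realm, p = _counted(data, p)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(data, p)
            comps.append(c)
        p += 8                             # name_type (4) + timestamp (4), not needed here
        kvno = data[p]
        p += 1
        enctype, klen = struct.unpack(">HH", data[p:p + 4])
        p += 4 + klen                      # skip the key material itself
        if p + 4 <= end:                   # optional 32-bit kvno overrides the 8-bit one
            (kvno32,) = struct.unpack(">I", data[p:p + 4])
            kvno = kvno32 or kvno
        entries.append(("/".join(comps) + "@" + realm, enctype, kvno))
        off = end
    return entries


def weak_keys(data):
    """Return (principal, enctype name) for every single-DES key in the keytab."""
    return [(pr, WEAK_ENCTYPES[et]) for pr, et, _ in parse_keytab(data) if et in WEAK_ENCTYPES]


def build_entry(realm, comps, enctype, key, kvno=1):
    """Construct one keytab entry (used only to build the sample input below)."""
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno)          # KRB5_NT_PRINCIPAL, timestamp 0, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body


# Constructed sample: an afs/ principal still on des-cbc-md5 beside an AES-256 host key.
SAMPLE_KEYTAB = (b"\x05\x02"
                 + build_entry("EXAMPLE.ORG", ["afs", "example.org"], 3, b"\x00" * 8)
                 + build_entry("EXAMPLE.ORG", ["host", "fs1.example.org"], 18, b"\x00" * 32))
```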