Bug#564753: libkrb5-3: Update breaks aklog in openafs-krb5
Hi Sam,

On Monday 11 January 2010, Sam Hartman wrote:
> Can I get you to try adding allow_weak_crypto = true to the libdefaults
> sections of /etc/krb5.conf? If that fixes your problem, then this is
> not a bug.

That was the problem. The actual bug was in my local apt-listchanges configuration; in NEWS all necessary information was available.

Sorry for the noise and thank you for the quick reply.

Cheers
Jan

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#564753: libkrb5-3: Update breaks aklog in openafs-krb5
(CC'ing the OpenAFS maintainer too.)

Thanks very much for the information in this bug report and the NEWS.Debian file; I had encountered this problem too and have now fixed it by adding the setting mentioned.

However, IMHO this is an unsatisfactory solution. Packages should ideally work correctly with their default settings, and therefore having each person that needs openafs-krb5 edit krb5.conf is not ideal. So I was wondering if the maintainers involved have a way in mind to avoid this? A conf.d style solution perhaps? Patching openafs-krb5 so that it specifies the setting programmatically in its code? Something else?

Thanks,
Vasilis

--
Vasilis Vasaitis
A man is well or woe as he thinks himself so.
Bug#564753: libkrb5-3: Update breaks aklog in openafs-krb5
Vasilis Vasaitis <v.vasai...@sms.ed.ac.uk> writes:

> However, IMHO this is an unsatisfactory solution. Packages should
> ideally work correctly with their default settings, and therefore
> having each person that needs openafs-krb5 edit krb5.conf is not
> ideal. So I was wondering if the maintainers involved have a way in
> mind to avoid this? A conf.d style solution perhaps? Patching
> openafs-krb5 so that it specifies the setting programmatically in its
> code? Something else?

Unfortunately, MIT Kerberos doesn't support conf.d-style krb5.conf files, and I don't believe there's any way to set this parameter programmatically rather than in the krb5.conf file.

--
Russ Allbery (r...@debian.org)             http://www.eyrie.org/~eagle/
Bug#564753: libkrb5-3: Update breaks aklog in openafs-krb5
Russ == Russ Allbery <r...@debian.org> writes:

Russ> Vasilis Vasaitis <v.vasai...@sms.ed.ac.uk> writes:

>> However, IMHO this is an unsatisfactory solution. Packages should
>> ideally work correctly with their default settings, and therefore
>> having each person that needs openafs-krb5 edit krb5.conf is not
>> ideal. So I was wondering if the maintainers involved have a way in
>> mind to avoid this? A conf.d style solution perhaps? Patching
>> openafs-krb5 so that it specifies the setting programmatically in its
>> code? Something else?

Russ> Unfortunately, MIT Kerberos doesn't support conf.d-style
Russ> krb5.conf files, and I don't believe there's any way to set
Russ> this parameter programmatically rather than in the krb5.conf
Russ> file.

There's also the issue that it is a fairly security-sensitive setting. I think that weakening the security defaults like this is something the user should at least know about.

However it's possible we could do something in krb5-config. For example, ask about allow_weak_crypto at priority low normally, but if we find /usr/bin/aklog ask at priority high. Would that make things better?

--sam
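The two mechanics discussed in this thread, the allow_weak_crypto switch in the libdefaults section of krb5.conf and Sam's idea of raising the krb5-config question priority when /usr/bin/aklog is installed, as an added example. This is illustrative code written for this page, not part of Debian's krb5-config or openafs-krb5 packaging. It assumes a minimal krb5.conf reader that handles [section] headers and flat key = value lines and skips brace-delimited relation blocks (enough for libdefaults), a krb5_bool helper that mirrors the profile library's boolean spellings, and a hypothetical question_priority function standing in for the debconf logic Sam sketches. The krb5.conf text is a constructed sample, not a real site configuration.

```python
"""Report whether a krb5.conf enables allow_weak_crypto, and pick the
debconf priority for the question along the lines Sam proposes:
low normally, high when an AFS aklog binary is present.

Added example for Debian bug #564753; not code from the krb5 or
openafs packages. The parser, krb5_bool and question_priority are
assumptions of this example, not MIT krb5 APIs."""

import os
import re

# Constructed sample, not a real site configuration.
SAMPLE_KRB5_CONF = """\
# constructed sample krb5.conf
[libdefaults]
    default_realm = EXAMPLE.ORG
    allow_weak_crypto = true

[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
        admin_server = kdc.example.org
    }
"""


def parse_krb5_conf(text):
    """Return {section: {key: value}} for top-level 'key = value' lines.

    Brace-delimited relation blocks (the realm entries in [realms], for
    example) are skipped: only the flat libdefaults keys matter here.
    Comments start with '#' or ';'."""
    sections = {}
    current = None
    depth = 0
    for raw in text.splitlines():
        line = re.split(r'[#;]', raw, maxsplit=1)[0].strip()
        if not line:
            continue
        header = re.match(r'^\[(\w+)\]$', line)
        if header and depth == 0:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if line.endswith('{'):      # start of a nested relation block
            depth += 1
            continue
        if line == '}':             # end of a nested relation block
            depth -= 1
            continue
        if current is None or depth > 0 or '=' not in line:
            continue
        key, value = (part.strip() for part in line.split('=', 1))
        sections[current][key] = value
    return sections


def krb5_bool(value):
    """Boolean spellings accepted by the krb5 profile library
    (assumption of this example; case-insensitive)."""
    v = value.strip().lower()
    if v in ('y', 'yes', 'true', 't', '1', 'on'):
        return True
    if v in ('n', 'no', 'false', 'nil', '0', 'off'):
        return False
    raise ValueError('not a krb5 boolean: %r' % value)


def weak_crypto_allowed(text):
    """True if [libdefaults] allow_weak_crypto is on.
    Absent means off, which is the 1.8 default the thread describes."""
    libdefaults = parse_krb5_conf(text).get('libdefaults', {})
    return krb5_bool(libdefaults.get('allow_weak_crypto', 'false'))


def question_priority(aklog_paths=('/usr/bin/aklog',), exists=os.path.exists):
    """Hypothetical krb5-config logic: ask about allow_weak_crypto at
    priority low, unless an AFS aklog is installed, then high.
    'exists' is injectable so the check can be exercised offline."""
    return 'high' if any(exists(p) for p in aklog_paths) else 'low'


if __name__ == '__main__':
    print('allow_weak_crypto enabled:', weak_crypto_allowed(SAMPLE_KRB5_CONF))
    print('debconf priority for the question:', question_priority())
```

Run against the sample the script reports that weak crypto is enabled; point it at a real /etc/krb5.conf and it tells you whether the DES enctypes aklog needs are in fact permitted library-wide, which is the trade-off Sam is flagging.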
Bug#564753: libkrb5-3: Update breaks aklog in openafs-krb5
Sam Hartman <hartm...@debian.org> writes:

> There's also the issue that it is a fairly security sensitive setting.
> I think that weakening the security defaults like this is something
> the user should at least know about.

> However it's possible we could do something in krb5-config. For
> example, ask about allow_weak_crypto at priority low normally, but if
> we find /usr/bin/aklog ask at priority high. Would that make things
> better?

The way Heimdal implemented the same restriction was to add an API that allowed the application to explicitly re-enable the DES enctype even if it was disabled, which their version of aklog uses. Note that the KDC administrator still has final control, so it's not obvious to me that this is a security concern.

--
Russ Allbery (r...@debian.org)             http://www.eyrie.org/~eagle/
Bug#564753: libkrb5-3: Update breaks aklog in openafs-krb5
For AS requests it definitely is a security issue. For TGS it is less of an issue and may not be an issue at all. The case I'm still pondering is the cross-realm case.

Perhaps we should backport the API from Heimdal.
Bug#564753: libkrb5-3: Update breaks aklog in openafs-krb5
Sam Hartman <hartm...@debian.org> writes:

> For AS requests it definitely is a security issue. For TGS it is less
> of an issue and may not be an issue at all. The case I'm still
> pondering is the cross-realm case.

> Perhaps we should backport the API from Heimdal.

The API here is:

    krb5_enctype_enable(krb5_context context, krb5_enctype enctype);

There's also a _disable() method. Basically, krb5_init_context gives you the default set of enabled enctypes, and then you can use those calls to selectively enable and disable enctypes in the application.

--
Russ Allbery (r...@debian.org)             http://www.eyrie.org/~eagle/
Bug#564753: libkrb5-3: Update breaks aklog in openafs-krb5
Sadly, given the MIT implementation, porting that API for 1.8 would be kind of tricky. The bit about whether something is weak is not stored per-context. I guess we should discuss on krbdev.
Bug#564753: libkrb5-3: Update breaks aklog in openafs-krb5
Package: libkrb5-3
Version: 1.7+dfsg-4
Severity: important

Dear krb5 developers,

the update from 1.7+dfsg-4 to 1.8+dfsg~alpha1-1 breaks aklog in openafs-krb5 1.4.11+dfsg-6. The latter complains about an unknown RPC failure. Installed version from system information below is the reinstalled older version in order to type this report ($HOME is on AFS.)

Please excuse if this should have been reported against openafs-krb5 instead.

Cheers
Jan

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-trunk-686-bigmem (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libkrb5-3 depends on:
ii  libc6            2.10.2-5    Embedded GNU C Library: Shared lib
ii  libcomerr2       1.41.9-1    common error description library
ii  libk5crypto3     1.7+dfsg-4  MIT Kerberos runtime libraries - C
ii  libkeyutils1     1.2-12      Linux Key Management Utilities (li
ii  libkrb5support0  1.7+dfsg-4  MIT Kerberos runtime libraries - S

libkrb5-3 recommends no packages.

Versions of packages libkrb5-3 suggests:
ii  krb5-doc         1.7+dfsg-4  Documentation for MIT Kerberos
ii  krb5-user        1.7+dfsg-4  Basic programs to authenticate usi

-- no debconf information
Bug#564753: libkrb5-3: Update breaks aklog in openafs-krb5
Can I get you to try adding

    allow_weak_crypto = true

to the libdefaults section of /etc/krb5.conf? If that fixes your problem, then this is not a bug.