> How do I configure it so that Heimdal respects the [password_quality]
> stanza?
Password changes by administrators bypass all password quality checks on
Heimdal without https://github.com/heimdal/heimdal/pull/320, which was
applied locally to Stanford's build of Heimdal.
-
ly overrides everything without having to
hunt down software-specific configuration files.
--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>
Russ Allbery writes:
> My mental model of how an implementation that uses SRV records works is
> that it does a SRV query to find the list of hosts and weights, and then,
> for each host in weight order, does a gethostinfo(3) call on that
> hostname.
Apologies, that of course was su
hat people can override their /etc/krb5.conf instead,
and now that I know about this I suspect I will be able to make my systems
do the right thing, but /etc/hosts is convenient because it overrides *all
software* (as opposed to making you go hunt down some specific config file
for each piece of soft
andard
nsswitch configuration. Now, perhaps my mental model is wrong for a given
implementation, but (a) the resulting behavior is very useful for testing
and something I've used for years, and (b) it's not an *unreasonable*
mental model, or particularly confusing.
--
Russ Allbery (ea...@
ss of a host in /etc/hosts, and I expect all software
to honor that.
--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>
Nico Williams writes:
> We do need better key mgmt support though. It'd be nice to have automatic
> rekeying and expunging of keys too old to be needed for decrypting
> extant live tickets.
Yes, please, or I will inflict my hideous shell script on you that does
this (using wall
se and use that to snoop on
traffic and forge sessions.
If the attacker has to invalidate the old key in order to download new
keys, the detection story is much better and the attacker is a bit more
limited in what they can immediately do.
--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>
cation is primarily there to protect weak keys, such as any
keys derived from a password.
--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>
ry about.
Note that you will need to manually copy the new master key to the slaves
before they'll be able to replicate. Also don't forget to keep the old
master key around for the length of your backup retention so that you
don't invalidate your backups.
--
Russ Allbe
module is known to not work properly with systemd user
sessions, and fixing that is going to be difficult (and may be beyond the
amount of time I can spend on it, given that I'm no longer using AFS and
am only using Kerberos very lightly these days).
--
Russ Allbery (ea...@eyrie.org
ill accept tickets
> for any principal in its keytab.
Yup, that was the fix.
--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>
from Debian unstable and
testing with an upload today. I won't want to reintroduce this until
there is a stable and security-supported release of Heimdal packaged for
Debian.
--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>
long overdue for an actual release that people can just build
and use without having to understand the development model or how to work
with a Git clone.
--
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>
e.
That said, I may be excessively paranoid, since I did hack on the embedded
CrackLib until it ran clean under valgrind. That doesn't mean there are
no remaining bugs, but I may have already patched or worked around those
issues.
I'm hoping to find some time over the upcoming long US holi
"Henry B (Hank) Hotz, CISSP" writes:
> Ah! Then it’s a question for Russ Allbery or Alf Wachsmann. You need
> their email addresses?
I don't think SLAC was using krb5-strength. (Although maybe now would be
a good time to take a look at it? It was working with the versio