Re: Where does the Latest Version Work?

2016-08-12 Thread Russ Allbery
Heimdal is long overdue for an actual release that people can just build and use without having to understand the development model or how to work with a Git clone. -- Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>

Re: /var/heimdal/kpasswdd.history no longer updating after a heimdal upgrade

2016-06-30 Thread Russ Allbery
ch up on some open source stuff. -- Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>

Re: which pam-afs to use

2017-01-30 Thread Russ Allbery
dn't work. Note that the module is known to not work properly with systemd user sessions, and fixing that is going to be difficult (and may be beyond the amount of time I can spend on it, given that I'm no longer using AFS and am only using Kerberos very lightly these days). -- Russ Allbery

Re: Preparing for the Heimdal 7 Release

2016-10-19 Thread Russ Allbery
removed the Heimdal PAM module from Debian unstable and testing with an upload today. I won't want to reintroduce this until there is a stable and security-supported release of Heimdal packaged for Debian. -- Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>

Re: Kerberos authentication to load-balanced services in AWS and reverse DNS

2017-01-06 Thread Russ Allbery
ccept tickets
> for any principal in its keytab.

Yup, that was the fix. -- Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>

Re: Re-encrypt on change of master key

2017-03-14 Thread Russ Allbery
that I would worry about. Note that you will need to manually copy the new master key to the slaves before they'll be able to replicate. Also don't forget to keep the old master key around for the length of your backup retention so that you don't invalidate your backups. -- Russ

Re: How to disable DNS lookups?

2017-07-25 Thread Russ Allbery
emporarily override the IP address of a host in /etc/hosts, and I expect all software to honor that. -- Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>

Re: How to disable DNS lookups?

2017-07-25 Thread Russ Allbery
krb5.conf instead, and now that I know about this I suspect I will be able to make my systems do the right thing, but /etc/hosts is convenient because it overrides *all software* (as opposed to making you go hunt down some specific config file for each piece of software). I think not honoring it woul

Re: How to disable DNS lookups?

2017-07-25 Thread Russ Allbery
Russ Allbery <ea...@eyrie.org> writes:

> My mental model of how an implementation that uses SRV records works is
> that it does a SRV query to find the list of hosts and weights, and then,
> for each host in weight order, does a gethostinfo(3) call on that
> hostname.

Apologi

Re: How to disable DNS lookups?

2017-07-26 Thread Russ Allbery
rrides everything without having to hunt down software-specific configuration files. -- Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>

Re: How to disable DNS lookups?

2017-07-25 Thread Russ Allbery
d nsswitch configuration. Now, perhaps my mental model is wrong for a given implementation, but (a) the resulting behavior is very useful for testing and something I've used for years, and (b) it's not an *unreasonable* mental model, or particularly confusing. -- Russ Allbery (ea...@eyrie.org)

Re: Does pre-authentication help against "insider" attacks?

2017-05-26 Thread Russ Allbery
Pre-authentication is primarily there to protect weak keys, such as any keys derived from a password. -- Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>

Re: Heimdal 7.3: ext_keytab fails with "Operation requires `get-keys' privilege"

2017-06-27 Thread Russ Allbery
oes this (using wallet). -- Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>

Re: Heimdal 7.3: ext_keytab fails with "Operation requires `get-keys' privilege"

2017-06-27 Thread Russ Allbery
use that to snoop on traffic and forge sessions. If the attacker has to invalidate the old key in order to download new keys, the detection story is much better and the attacker is a bit more limited in what they can immediately do. -- Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>