[krbdev.mit.edu #5821] REQ: in-registry keytab support
"Christopher D. Clausen" via RT
rt at krbdev.mit.edu
Thu Oct 18 19:00:42 EDT 2007
Ken Raeburn via RT <rt at krbdev.mit.edu> wrote:
> On Oct 18, 2007, at 17:16, Christopher D. Clausen via RT wrote:
>> Sam Hartman via RT <rt at krbdev.mit.edu> wrote:
> So now your anonymous user would be talking to the attacker's version
> of the AFS cell, with encryption.
Understood. No less secure than anonymous AFS access right now though,
except for maybe the user thinking they are secure.
> It may be safer from passive eavesdroppers who don't have the shared
> key, but conservatively, it shouldn't be considered any more secure
> than non-encrypted exchanges, unless you have good reason to believe
> the key can never be compromised.
Basically, one would use it purely for over the wire encryption.
>> (Say non-AD joined machines. Copying a registry file and
>> importing it may be simpler than setting up a file path, etc. A
>> single registry key can contain all the needed configuration info.) The
>> fact that you are actually authenticating but still an anonymous user
>> allows for OpenAFS to enable encryption to the cell. This is a
>> FEATURE in this case. (Well, it will hopefully soon be an OpenAFS feature.)
>
> A better solution, which unfortunately is still in design, might be
> the anonymous-ticket facility for Kerberos, http://www.ietf.org/
> internet-drafts/draft-ietf-krb-wg-anon-04.txt .
Yeah, well, sometimes one needs a solution that works now and not at
some undetermined point in the future.
-----
Regardless, even only using the single instance of a cluster of machines
serving HTTP the keytab in the registry is still a useful feature. And
allowing the service keytab to be in a registry key doesn't make it any
less secure than a file.
<<CDC