[OpenAFS] krb_mk_req failure
Russ Allbery
rra@stanford.edu
Tue, 13 Jan 2004 11:25:21 -0800
Christopher Allen Wing <wingc@engin.umich.edu> writes:
> If you experienced this problem after upgrading to the latest Transarc
> AFS db servers, it's due to a change which disables Kerberos 4
> cross-realm authentication. (on account of the security vulnerability
> disclosed last year)
> Unfortunately, this also disables all Kerberos 4 principals with
> instances (i.e. imap.hostname).
[...]
> This will make those Kerberos 4 principals work again, but also open you
> up to the cross-realm authentication vulnerability. I think this is okay
> as long as you don't actually have cross-realm keys, but I'm not sure.
> Comments from anyone?
> In the long term, you should upgrade to Kerberos 5.
In the shorter term, you should just upgrade to OpenAFS, which doesn't
have this bug.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>