MIT krb5 for Samba4 (was: Re: Force NTLMv2 only on our server? (was: Re: krb5 vulnerability ?))
Andreas Schneider
asn at samba.org
Thu Dec 17 05:45:31 UTC 2015
On Thursday 17 December 2015 14:44:06 Andrew Bartlett wrote:
> Yes, I'm aware of that. However I'm not aware of the same kind of
> attacks on arcfour-hmac-md5, because while MD5 is weak, HMAC-MD5 is
> still considered strong, and the arcfour use involves (like schannel) a
> confounder, that avoids the biggest weakness of RC4, because the first
> encrypted bytes are of random data.
>
> I continue to look forward to the MIT merge - we don't have a choice in
> any case: Heimdal is essentially dead (read the recent inability to
> release thread on heimdal-discuss), and we need to un-hitch from that
> wagon now. It makes me very sad, but I don't have the resources (eg
> become the Heimdal maintainer) to change those facts on the ground.
>
> We still need to sort out some logistical matters (like how we would
> get patches, like the ones metze often does into our fork upstream into
> MIT)
You open a pull request on github and after some ping pong it gets merged.
That's how I implemented support for GSS_KRB5_CRED_NO_CI_FLAGS_X and got it
upstream. I've started to implement krb5_get_init_creds_opt_set_pac_request().
> , and how we keep the test coverage from my insane
> 'decode/inspect/reencode the packet' tests, but as I said at SambaXP,
> the question is how, not if, we do this.
Looking at the tests, I don't see why we should test return codes of the KDC. I
would say that's the responsibility of MIT Kerberos to make sure it behaves
correctly.
So tests for this should be upstream ...
-- andreas
--
Andreas Schneider GPG-ID: CC014E3D
Samba Team asn at samba.org
www.samba.org
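The quoted reply argues that arcfour-hmac-md5 survives RC4's known weaknesses because HMAC-MD5 is still strong and an 8-byte random confounder is encrypted before the message, so the weak first keystream bytes land on random data. The following is an added, stand-alone illustration of that construction (RFC 4757 ENCRYPT/DECRYPT), not code from this thread or from Samba, Heimdal or MIT krb5. Assumptions: the non-exportable key variant only, a raw 16-byte key standing in for the NT hash (RFC 4757 derives it as MD4 of the UTF-16LE password), no key-usage remapping before the usage number is turned into T, and constructed sample inputs.

```python
"""RFC 4757 RC4-HMAC (arcfour-hmac-md5) encrypt/decrypt, standard library only.

Added illustration for the confounder argument quoted above; not Samba, Heimdal
or MIT krb5 code.  Sample key, usage and message below are constructed.
"""
import hashlib
import hmac
import os
from typing import Optional

CONFOUNDER_LEN = 8   # RFC 4757: 8 random bytes prefixed to the plaintext
CHECKSUM_LEN = 16    # HMAC-MD5 output


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA).  Kerberos drops no initial keystream bytes,
    which is why the confounder matters: the biased early keystream is spent
    on random data rather than on the first bytes of the message."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes,
                     confounder: Optional[bytes] = None) -> bytes:
    """RFC 4757 ENCRYPT, non-exportable key variant:
         K1 = HMAC-MD5(K, T)          T = key usage as 4-byte little-endian
         K2 = K1                      (exportable keys overwrite K1[7:16] with 0xAB)
         checksum = HMAC-MD5(K2, confounder || plaintext)
         K3 = HMAC-MD5(K1, checksum)  per-message RC4 key, so no keystream reuse
         output = checksum || RC4(K3, confounder || plaintext)
    Assumption: usage is used as-is (real implementations remap a few values)."""
    if len(key) != 16:
        raise ValueError("arcfour-hmac keys are 16 bytes (the NT hash)")
    if confounder is None:
        confounder = os.urandom(CONFOUNDER_LEN)  # fresh per message
    elif len(confounder) != CONFOUNDER_LEN:
        raise ValueError("confounder must be 8 bytes")
    k1 = hmac_md5(key, usage.to_bytes(4, "little"))
    k2 = k1
    data = confounder + plaintext
    checksum = hmac_md5(k2, data)
    k3 = hmac_md5(k1, checksum)
    return checksum + rc4(k3, data)


def rc4_hmac_decrypt(key: bytes, usage: int, edata: bytes) -> bytes:
    """RFC 4757 DECRYPT; raises ValueError if the HMAC-MD5 checksum fails."""
    if len(edata) < CHECKSUM_LEN + CONFOUNDER_LEN:
        raise ValueError("ciphertext too short")
    checksum, body = edata[:CHECKSUM_LEN], edata[CHECKSUM_LEN:]
    k1 = hmac_md5(key, usage.to_bytes(4, "little"))
    k3 = hmac_md5(k1, checksum)
    data = rc4(k3, body)
    # Verify before trusting the plaintext; constant-time compare on the tag.
    if not hmac.compare_digest(hmac_md5(k1, data), checksum):
        raise ValueError("integrity check failed (wrong key, usage, or tampering)")
    return data[CONFOUNDER_LEN:]  # strip the confounder


def decrypts_ok(key: bytes, usage: int, edata: bytes) -> bool:
    try:
        rc4_hmac_decrypt(key, usage, edata)
    except ValueError:
        return False
    return True


def tamper_detected(key: bytes, usage: int, edata: bytes, pos: int) -> bool:
    """Flip one bit at byte offset pos and report whether decryption rejects it."""
    forged = bytearray(edata)
    forged[pos] ^= 0x01
    return not decrypts_ok(key, usage, bytes(forged))


def demo() -> dict:
    key = bytes(range(16))   # constructed; Kerberos would use MD4(UTF-16LE(password))
    usage = 2                # constructed usage number
    msg = b"krbtgt/EXAMPLE.COM@EXAMPLE.COM"
    e1 = rc4_hmac_encrypt(key, usage, msg)
    e2 = rc4_hmac_encrypt(key, usage, msg)
    return {
        # Same key and plaintext, different confounder: checksum and RC4 key differ.
        "distinct_ciphertexts": e1 != e2,
        "roundtrip": rc4_hmac_decrypt(key, usage, e1) == msg,
        "tag_tamper_caught": tamper_detected(key, usage, e1, 0),
        "body_tamper_caught": tamper_detected(key, usage, e1, CHECKSUM_LEN + CONFOUNDER_LEN),
        "wrong_usage_rejected": not decrypts_ok(key, usage + 1, e1),
    }


if __name__ == "__main__":
    print(demo())
```

Two things in the block map onto the quoted argument: K3 is derived from the HMAC-MD5 of the confounded data, so each message gets its own RC4 key rather than a shared one, and the confounder sits at offset 0 of the RC4 input, so bytes 0-7 of the keystream never touch the message. Note that RFC 4757 does remap a few key-usage numbers before forming T; the block skips that for brevity, which does not change the construction being shown.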