 
06-07-2011, 05:56 AM
Steve Langasek

Bug#629276: NFS needs same dispensation to use DES as AFS

On Tue, Jun 07, 2011 at 01:29:33PM +1000, Brian May wrote:
> What should I do with this bug?

> I did build a version for unstable, but I am not convinced this change
> is needed for unstable.

> I am doubtful it will get accepted in stable, because it isn't fixing
> a grave bug.

I would recommend asking the stable release manager. He might say yes.

--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek@ubuntu.com vorlon@debian.org
 
06-07-2011, 07:10 AM
Sergio Gelato

Bug#629276: NFS needs same dispensation to use DES as AFS

* Brian May [2011-06-07 13:29:33 +1000]:
> Hello debian-devel,
>
> What should I do with this bug?
>
> I did build a version for unstable, but I am not convinced this change
> is needed for unstable.

Let me argue that it is still needed for the next Debian release. When
that comes out, squeeze will remain supported for another 12 months, and
any KDC serving an environment where Kerberized NFS is used on squeeze
hosts will need something like this. And that's even without considering
support for other distributions or operating systems, which may have
their own, possibly glacial paces for migrating to strong crypto.

The patch does not prevent the use of stronger enctypes, it just enables
the use of DES if requested (and if the service principal has a DES
enctype in the KDC database; one can always use del_enctype if need be).

> I am doubtful it will get accepted in stable, because it isn't fixing
> a grave bug.
>
> I am not sure it is appropriate for backports, because the change
> isn't in unstable.
>
> Thanks
>
> On 5 June 2011 19:25, Sergio Gelato <Sergio.Gelato@astro.su.se> wrote:
> > Package: heimdal-kdc
> > Version: 1.4.0~git20100726.dfsg.1-1
> > Tags: patch
> >
> > Recent Heimdal KDC disables DES encryption types on the (valid) grounds that
> > they are too weak. An exception is made where the service principal is "afs"
> > since the work to upgrade AFS to support stronger crypto is still very much
> > in progress.
> >
> > Unfortunately, Kerberized NFS has a similar problem. Support for stronger
> > enctypes didn't make it into the Linux kernel until 2.6.35 (post-squeeze).
> > Until all NFS servers and clients have been upgraded to support stronger
> > enctypes, a site will want to enable DES enctypes for "nfs" service
> > principals. Here is a patch that does just that; I've successfully tested
> > it. I think it would be highly desirable to have this in squeeze; more
> > so, in fact, than in later releases since the need for DES support with
> > NFS service principals ought to decrease with time.
> >
> > Without this patch, the KDC rejects AS requests that specify DES enctypes
> > with "krb5_crypto_init failed: encryption type (1|2|3) not supported"
> > (illustrating another oddity, namely that krb5_crypto_init() uses the
> > same error message whether the enctype is unknown or known but disabled;
> > krb5_enctype_valid() has two distinct error messages) and TGS requests
> > result in "Server (nfs/f.q.d.n) has no support for etypes" (also in the
> > KDC's log). The client did have [libdefaults]allow_weak_crypto=true, as
> > shown by the fact that the AS and TGS requests asked for a DES enctype.
> --
> Brian May <brian@microcomaustralia.com.au>


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20110607071057.GA6716@hanuman.astro.su.se
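
The enctype policy described in the message above, as an added example that is not part of the original thread and is not Heimdal code: a simplified Python model showing that extending the DES exemption from "afs" to "nfs" only matters when the client asks for DES and the service principal still has a DES key. Assumptions: the function names and key lists are constructed, the exemption is matched on the first component of the principal name, and the client's preference order decides the choice.

```python
# Simplified model of the KDC policy discussed in this thread (not Heimdal code).
DES_ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}
STRONG_ETYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
ETYPE_NAMES = {**DES_ETYPES, **STRONG_ETYPES}

def service_name(principal):
    """First component of a principal such as 'nfs/f.q.d.n@REALM'."""
    return principal.split("@", 1)[0].split("/", 1)[0]

def select_etype(principal, requested, db_keys, weak_exempt=("afs",)):
    """Return the enctype number the modelled KDC would pick for a service ticket.

    requested   -- enctypes the client asks for, in preference order
    db_keys     -- enctypes the service principal has keys for in the KDC database
    weak_exempt -- service names allowed to use DES (assumption: first component)
    """
    allow_des = service_name(principal) in weak_exempt
    for etype in requested:
        if etype not in db_keys or etype not in ETYPE_NAMES:
            continue  # no usable key for this enctype
        if etype in DES_ETYPES and not allow_des:
            continue  # weak enctype, and this service has no dispensation
        return etype
    raise LookupError(f"Server ({principal}) has no support for etypes")

def del_enctype(db_keys, etypes):
    """Model of removing key types from a principal, as del_enctype does."""
    return [e for e in db_keys if e not in etypes]

def outcome(principal, requested, db_keys, weak_exempt):
    """Name of the chosen enctype, or the error text the model raises."""
    try:
        return ETYPE_NAMES[select_etype(principal, requested, db_keys, weak_exempt)]
    except LookupError as err:
        return str(err)

if __name__ == "__main__":
    keys = [18, 17, 3]                # constructed: nfs principal with AES and DES keys
    des_only, modern = [3, 1], [18, 17, 3]
    stock, patched = ("afs",), ("afs", "nfs")
    print(outcome("nfs/f.q.d.n", des_only, keys, stock))    # rejected
    print(outcome("nfs/f.q.d.n", des_only, keys, patched))  # DES granted
    print(outcome("nfs/f.q.d.n", modern, keys, patched))    # AES still preferred
    print(outcome("nfs/f.q.d.n", des_only, del_enctype(keys, DES_ETYPES), patched))
    print(outcome("host/f.q.d.n", des_only, keys, patched)) # other services unaffected
```
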
 
06-07-2011, 09:22 AM

Bug#629276: NFS needs same dispensation to use DES as AFS

On Jun 07, Brian May <brian@microcomaustralia.com.au> wrote:

> I am doubtful it will get accepted in stable, because it isn't fixing
> a grave bug.
Sure it does: it fixes a serious interoperability problem, i.e. "breaks
unrelated software".

--
ciao,
Marco
 
06-07-2011, 10:15 AM
Philipp Kern

Bug#629276: NFS needs same dispensation to use DES as AFS

On 2011-06-07, Marco d'Itri <md@Linux.IT> wrote:
> On Jun 07, Brian May <brian@microcomaustralia.com.au> wrote:
>> I am doubtful it will get accepted in stable, because it isn't fixing
>> a grave bug.
> Sure it does: it fixes a serious interoperability problem, i.e. "breaks
> unrelated software".

Apart from debian-devel being the wrong venue, Kerberized NFS isn't exactly
unrelated to the KDC.

Kind regards
Philipp Kern


Archive: http://lists.debian.org/slrniuruiv.nsr.trash@kelgar.0x539.de
 
06-08-2011, 06:00 AM
Brian May

Bug#629276: NFS needs same dispensation to use DES as AFS

On 7 June 2011 15:56, Steve Langasek <vorlon@debian.org> wrote:
> I would recommend asking the stable release manager. He might say yes.

What email address do I use?

(I always have problems finding the email addresses of the release
managers :-( )
--
Brian May <brian@microcomaustralia.com.au>


Archive: http://lists.debian.org/BANLkTiny-2kpWPur_fP7vS9EiWU10ufHJw@mail.gmail.com
 
06-08-2011, 07:09 AM
Lars Wirzenius

Bug#629276: NFS needs same dispensation to use DES as AFS

On Wed, Jun 08, 2011 at 04:00:15PM +1000, Brian May wrote:
> On 7 June 2011 15:56, Steve Langasek <vorlon@debian.org> wrote:
> > I would recommend asking the stable release manager. He might say yes.
>
> What email address do I use?
>
> (I always have problems finding the email addresses of the release
> managers :-( )

Indeed: http://www.debian.org/intro/organization does not list
the stable release managers separately. Are they separate?

--
Freedom-based blog/wiki/web hosting: http://www.branchable.com/


Archive: http://lists.debian.org/20110608070945.GB10628@havelock.liw.fi
 
06-08-2011, 07:27 AM
"Adam D. Barratt"

Bug#629276: NFS needs same dispensation to use DES as AFS

On Wed, 8 Jun 2011 08:09:45 +0100, Lars Wirzenius wrote:
> On Wed, Jun 08, 2011 at 04:00:15PM +1000, Brian May wrote:
> > On 7 June 2011 15:56, Steve Langasek <vorlon@debian.org> wrote:
> > > I would recommend asking the stable release manager. He might say yes.
> >
> > What email address do I use?
> >
> > (I always have problems finding the email addresses of the release
> > managers :-( )
>
> Indeed: http://www.debian.org/intro/organization does not list
> the stable release managers separately. Are they separate?

In terms of contact, no, but then technically the "testing" release
managers aren't, either. </picky>


The contact address for any or all of the release team is
debian-release@lists.d.o (and always has been as long as that list has
existed, ttbomk).


Regards,

Adam


Archive: http://lists.debian.org/80105794622392b9294c5df9749657f6@adsl.funky-badger.org
 
