On Mon, Sep 01, 2008 at 06:17:57PM -0700, Russ Allbery wrote:
> Steve Langasek <[EMAIL PROTECTED]> writes:
> > On Mon, Sep 01, 2008 at 02:50:29PM +0200, Wouter Verhelst wrote:
>
> >> By setting the "GSSAPICleanupCredentials" option in sshd_config, the
> >> credentials cache is destroyed upon logou
]] Peter Palfrader
| - install sendfile/saft on all machines so you can do
| sendfile foo.tar.gz [EMAIL PROTECTED]
|
| Unfortunately sendfile doesn't use crypto, so who knows what happens
| to the stuff you send. And it's yet another network facing server - I
| don't know if anybody e
Steve Langasek <[EMAIL PROTECTED]> writes:
> On Mon, Sep 01, 2008 at 02:50:29PM +0200, Wouter Verhelst wrote:
>> By setting the "GSSAPICleanupCredentials" option in sshd_config, the
>> credentials cache is destroyed upon logout (this can also be done
>> through the session component of libpam_krb5
Le Mon, Sep 01, 2008 at 02:50:29PM +0200, Wouter Verhelst a écrit :
>
> This education could be done in two steps: first, create a policy and
> link to it from debian-devel-announce; second, make this required
> reading for the NM procedure (similar to the 'DMUP' and 'SC/DFSG'
> questions that NMs
On Mon, Sep 01, 2008 at 02:50:29PM +0200, Wouter Verhelst wrote:
> By setting the "GSSAPICleanupCredentials" option in sshd_config, the
> credentials cache is destroyed upon logout (this can also be done
> through the session component of libpam_krb5.so).
... but pam_krb5.so shouldn't be used for
On Sun, Aug 31, 2008 at 11:19:45AM +0200, Peter Palfrader wrote:
> On Sat, 30 Aug 2008, Steve Langasek wrote:
> > Well, the underlying premise here is, of course, that certain routinely
> > useful capabilities need to be taken out of the hands of the users because
> > they won't use them responsibl
Mike Hommey <[EMAIL PROTECTED]> writes:
> I would say as Russ. Plus the fact that apparently, it currently doesn't
> work (see bug #496933).
I'm not sure what's wrong in that bug, but Kerberos authentication in
Iceweasel (3.0.1-1) is working fine for me. I'd notice immediately if it
stopped work
Martin Zobel-Helas <[EMAIL PROTECTED]> writes:
> Most Debian Machines run no stable kernels, thus we would run into that
> problem. Also many machines running with static kernels. Would that be a
> problem for OpenAFS?
OpenAFS is fine with static kernels as long as dynamic modules are not
disable
On Sun, Aug 31, 2008 at 11:19:45AM +0200, Peter Palfrader wrote:
>On Sat, 30 Aug 2008, Steve Langasek wrote:
>
>> Having your inter-host file transfers sandboxed, such that you have to log
>> in to the host on each end in order to get the files copied to the place you
>> want them, would be a serio
On Sat Aug 30 16:43, Steve Langasek wrote:
> This is obviously an *incredibly* bad idea for anyone to do if they actually
> care about the security of the Debian systems. But we're already talking
> about hard policy changes to stop users from doing things they shouldn't do
> in the first place (=
On Sat, Aug 30, 2008 at 06:19:32PM -0700, Russ Allbery wrote:
> Well, having your browser spontaneously authenticate you to any system
> keyed in your local realm or in a realm with which you have cross-realm
> trust is something of a leak of personal information.
This may change in the future. Th
On Sat, Aug 30, 2008 at 10:54:59PM -0700, Steve Langasek wrote:
> On Sun, Aug 31, 2008 at 01:16:32AM +0200, Bastian Blank wrote:
> > Negotiate auth does not provide confidentiality or integrity protection
> > different to the normal use of kerberos.
> Well, ok, but you're negotiating *authenticatio
On Sat, 30 Aug 2008, Steve Langasek wrote:
> Well, the underlying premise here is, of course, that certain routinely
> useful capabilities need to be taken out of the hands of the users because
> they won't use them responsibly[1].
> But we're alrea
On Sat, Aug 30, 2008 at 03:01:00PM -0700, Steve Langasek wrote:
> On Sat, Aug 30, 2008 at 06:48:57PM +0200, Wouter Verhelst wrote:
> > > + once we have a krb realm we could maybe also use it for other
> > > stuff like all those web services that require logins. How
> > >
Hi,
On Sat Aug 30, 2008 at 18:17:27 -0700, Russ Allbery wrote:
> A bigger problem at the kernel level is that the kernel APIs change
> constantly and have not infrequently had various GPL-only tags added that
> force OpenAFS into annoying workarounds (it is released under the IBM
> Public License
On Sun, Aug 31, 2008 at 01:16:32AM +0200, Bastian Blank wrote:
> On Sat, Aug 30, 2008 at 06:48:57PM +0200, Wouter Verhelst wrote:
> > (for some infathomable reason, the firefox developers consider Negotiate
> > authentication to be unsafe with untrusted and/or non-SSL hosts. Dunno
> > why that is,
Wouter Verhelst <[EMAIL PROTECTED]> writes:
> (for some infathomable reason, the firefox developers consider Negotiate
> authentication to be unsafe with untrusted and/or non-SSL hosts. Dunno
> why that is, and never saw a compelling argument...)
Well, having your browser spontaneously authentica
Bastian Blank <[EMAIL PROTECTED]> writes:
> On Sat, Aug 30, 2008 at 02:32:08PM +0200, Peter Palfrader wrote:
>> - AFS suffers from the not-a-filesystem syndrome: file access
>> control is not unix-like and will confuse users.
>
> Also other parts are not really POSIX-like. Hardli
On Sat, Aug 30, 2008 at 05:46:16PM +0200, Peter Palfrader wrote:
> > > What other options did we forget?
> > - Setup Kerberos, allow it as an additional ssh login variant
> Circumvents the entire idea behind this exercise: Assuming an attacker
> already has control over one host we want to make
On Sat, Aug 30, 2008 at 06:48:57PM +0200, Wouter Verhelst wrote:
> (for some infathomable reason, the firefox developers consider Negotiate
> authentication to be unsafe with untrusted and/or non-SSL hosts. Dunno
> why that is, and never saw a compelling argument...)
Negotiate auth does not provid
On Sat, Aug 30, 2008 at 06:48:57PM +0200, Wouter Verhelst wrote:
> > + once we have a krb realm we could maybe also use it for other
> > stuff like all those web services that require logins. How
> > good is krb support in browsers these days?
> Pretty good. Konqueror
* Peter Palfrader:
> What other options did we forget?
Modern NFS over IPsec to a central file server. However, less than
stellar bandwidth at the Debian servers requires really, really modern
NFS with persistent caching.
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubs
On Sat, Aug 30, 2008 at 02:32:08PM +0200, Peter Palfrader wrote:
> - setup afs
>
> Using AFS would allow us to use a shared /afs/debian.org tree on all
> our systems. AFS does all the magic crypto stuff so you don't have to
> worry about Eve sniffing or Mallory tampering with packets.
>
>
On Sat, 30 Aug 2008, Bastian Blank wrote:
> > Or you use only resolvers that you have a trusted (i.e. ipsec)
> > connection to and those need to have a complete axfr'ed zone.
>
> Then we can drop the whole ud-ldap thing and use centralized
> authentication.
Um. I don't see why that follows. I
On Sat, Aug 30, 2008 at 05:46:16PM +0200, Peter Palfrader wrote:
> On Sat, 30 Aug 2008, Bastian Blank wrote:
> > On Sat, Aug 30, 2008 at 02:32:08PM +0200, Peter Palfrader wrote:
> > > The crypto stuff could be alleviated by using ipsec between all our
> > > servers. But that works even less we
[Trimming lists]
On Sat, 30 Aug 2008, Bastian Blank wrote:
> On Sat, Aug 30, 2008 at 02:32:08PM +0200, Peter Palfrader wrote:
> > - install sendfile/saft on all machines so you can do
> > sendfile foo.tar.gz [EMAIL PROTECTED]
> >
> > The crypto stuff could be alleviated by using ipsec betw
On Sat, Aug 30, 2008 at 03:16:01PM +0200, Bastian Blank wrote:
On Sat, Aug 30, 2008 at 02:32:08PM +0200, Peter Palfrader wrote:
+ once we have a krb realm we could maybe also use it for other
stuff like all those web services that require logins. How
good is krb supp
On Sat, Aug 30, 2008 at 02:32:08PM +0200, Peter Palfrader wrote:
> - install sendfile/saft on all machines so you can do
> sendfile foo.tar.gz [EMAIL PROTECTED]
>
> The crypto stuff could be alleviated by using ipsec between all our
> servers. But that works even less well than you'd expe
28 matches
Mail list logo
