Security upgrades to OpenAFS
OpenAFS’s inability to use any encryption type other than single DES (1DES) in the Kerberos tickets that authenticate server-to-server and client-to-server communication has long been recognised as a major security shortcoming. 1DES’s small key space (56 bits) makes it highly susceptible to brute-force attack, and the wide availability of cheap distributed computing power, together with refinements to the algorithms used in such attacks, has made the compromise of an AFS cell a realistic possibility. To address this, the OpenAFS developers have produced updated versions of the AFS server and client which can use encryption types other than 1DES.
The immediate security risk lay in server-to-server communication. To address it, the School’s file servers have already been upgraded to the new version of AFS, and the key used for server-to-server communication has been re-created using stronger encryption types. Although this closes the immediate hole, it is clearly highly desirable to start using stronger encryption types for client-to-server communication as well. We intend to do this on Monday 2 September 2013.
Any AFS client that has not been upgraded to the new version of OpenAFS by that date WILL NOT be able to access the School’s AFS filesystem. This includes home directories and group space.
DICE machines will be upgraded automatically before this deadline, so if your only access to the filesystem is via a DICE machine you need do nothing. If, however, you access the filesystem from a self-managed machine, you MUST upgrade the OpenAFS client on that machine or you will lose access. Upgrading the client should simply be a matter of reinstalling AFS following the instructions found at
http://computing.help.inf.ed.ac.uk/informatics-filesystem. The version of the client you need depends on the operating system you are using, as follows:
For other Operating Systems or if you need help with the upgrade, please contact support.
The original security advisory can be found here. If you have any questions about any of this, please ask.
Craig.
cms@inf.ed.ac.uk
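As an added check (this is not part of the original announcement or of OpenAFS itself), the following script confirms from a client that the AFS service ticket it obtains is no longer single-DES. It parses the output of MIT Kerberos `klist -e`, which prints an "Etype (skey, tkt): <session key>, <ticket>" line under each ticket, and flags any afs/ ticket whose session-key or ticket enctype is des-cbc-crc, des-cbc-md4 or des-cbc-md5. The realm INF.ED.AC.UK, the cell name inf.ed.ac.uk and the user alice are assumptions used only in the constructed sample output.

```shell
#!/bin/sh
# Added example, not part of the original post or of OpenAFS: after upgrading a
# self-managed client, confirm that the AFS service ticket it obtains is no
# longer single-DES. Parses MIT Kerberos `klist -e` output. The realm
# INF.ED.AC.UK, cell inf.ed.ac.uk and user alice are assumptions for the sample.

# Single-DES enctype names as MIT Kerberos prints them. des3-cbc-sha1 (triple
# DES) does not match because the pattern requires "des-cbc-" followed by a
# single-DES checksum name.
WEAK_ENCTYPE_RE='^des-cbc-(crc|md4|md5)$'

# report_ticket_enctypes: read `klist -e` output on stdin and print one line per
# ticket: "<service principal> <skey enctype> <tkt enctype> <ok|WEAK>".
report_ticket_enctypes() {
    awk -v weak="$WEAK_ENCTYPE_RE" '
        # A ticket line starts with the "Valid starting" timestamp and ends with
        # the service principal; remember the principal for the Etype line.
        $1 ~ /^[0-9]/ && $NF ~ /@/ { princ = $NF; next }
        /Etype \(skey, tkt\):/ {
            sub(/.*Etype \(skey, tkt\): */, "")
            n = split($0, e, /, */)
            gsub(/[ \t]+$/, "", e[n])
            verdict = (e[1] ~ weak || e[2] ~ weak) ? "WEAK" : "ok"
            print princ, e[1], e[2], verdict
        }'
}

# afs_ticket_is_weak: exit 0 if any afs/ service ticket in the `klist -e`
# output on stdin uses a single-DES enctype, 1 otherwise.
afs_ticket_is_weak() {
    report_ticket_enctypes |
        awk '$1 ~ /^afs\// && $4 == "WEAK" { found = 1 } END { exit !found }'
}

# Constructed sample: a client before the upgrade, still holding a 1DES AFS
# ticket alongside an AES TGT (klist indents the Etype line with a tab).
SAMPLE_KLIST_BEFORE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@INF.ED.AC.UK

Valid starting     Expires            Service principal
08/30/13 09:00:00  08/30/13 19:00:00  krbtgt/INF.ED.AC.UK@INF.ED.AC.UK
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
08/30/13 09:00:05  08/30/13 19:00:00  afs/inf.ed.ac.uk@INF.ED.AC.UK
        Etype (skey, tkt): des-cbc-crc, des-cbc-crc'

# Constructed sample: the same client after the client upgrade and key change.
SAMPLE_KLIST_AFTER='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@INF.ED.AC.UK

Valid starting     Expires            Service principal
09/02/13 09:00:00  09/02/13 19:00:00  krbtgt/INF.ED.AC.UK@INF.ED.AC.UK
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
09/02/13 09:00:05  09/02/13 19:00:00  afs/inf.ed.ac.uk@INF.ED.AC.UK
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96'

# Demonstration on the constructed samples. On a real client use live output:
#   kinit && aklog && klist -e | afs_ticket_is_weak
for sample in "$SAMPLE_KLIST_BEFORE" "$SAMPLE_KLIST_AFTER"; do
    printf '%s\n' "$sample" | report_ticket_enctypes
    if printf '%s\n' "$sample" | afs_ticket_is_weak; then
        echo "=> AFS ticket is still single-DES: upgrade the OpenAFS client"
    else
        echo "=> AFS ticket uses a strong enctype"
    fi
done
```

Run it after `kinit` and `aklog` on the upgraded machine; a WEAK verdict on the afs/ line means the client is still negotiating a 1DES ticket and will stop working when the cut-over happens.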
Does this remove the need for the “allow_weak_crypto” config change described in [1]?
[1] http://computing.help.inf.ed.ac.uk/afs-windows
Assuming that you’re not using 1DES for anything else, yes.
Thanks for the update. I think the instructions above may be a waste of time for Debian/Ubuntu users(?), and probably other systems with friendly central package management.
> reinstalling AFS following the instructions found at http://computing.help.inf.ed.ac.uk/informatics-filesystem
It seems that the standard security update procedure for Debian and Ubuntu automatically installed a new version for this issue some time ago. There doesn’t seem to be a need to go read the bug report, or do anything(?).