Re: [DSA 1571-1] Heimdal

To: Guido Günther <agx@sigxcpu.org>
Cc: Brian May <bam@snoopy.debian.net>, debian-devel@lists.debian.org
Subject: Re: [DSA 1571-1] Heimdal
From: Russ Allbery <rra@debian.org>
Date: Thu, 15 May 2008 07:53:21 -0700
Message-id: <[🔎] 87od77bov2.fsf@windlord.stanford.edu>
In-reply-to: <[🔎] 20080515141758.GA23296@bogon.ms20.nix> ("Guido Günther"'s message of "Thu\, 15 May 2008 16\:17\:58 +0200")
References: <[🔎] 482BCB35.1050606@snoopy.debian.net> <[🔎] 20080515141758.GA23296@bogon.ms20.nix>

Guido Günther <agx@sigxcpu.org> writes:
> On Thu, May 15, 2008 at 03:33:41PM +1000, Brian May wrote:

>> Apparently, Heimdal in Debian also is affected. I am not aware of any
>> solution other then to manually regenerate all keys.

> Could you give some details here? Password based principals aren't
> affected?

Password-based principals are not affected.  No randomness is used in
generating those keys; the secure material is the password itself, which
is run through a hash algorithm.  Only randomly generated keys (generally
the keys you put into keytabs, but also randomized user principals if you
have any) are affected.

> For those using a keytabs "ktutil -k <keytab> change; ktutil -k purge
> --age=<short>" is sufficient?

That looks right to me, although take that with a grain of salt since I
use MIT personally and am not that familiar with the Heimdal ktutil
command syntax.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

Follow-Ups:
- Re: [DSA 1571-1] Heimdal
  - From: Guido Günther <agx@sigxcpu.org>

References:
- [DSA 1571-1] Heimdal
  - From: Brian May <bam@snoopy.debian.net>
- Re: [DSA 1571-1] Heimdal
  - From: Guido Günther <agx@sigxcpu.org>

Prev by Date: Re: ssl security desaster
Next by Date: Re: db.debian.org/password.html : Why ~/.ssh/id_dsa.pub to setup OpenSSH for RSA
Previous by thread: Re: [DSA 1571-1] Heimdal
Next by thread: Re: [DSA 1571-1] Heimdal
Index(es):
- Date
- Thread