Re: DSA-1571 and GSSAPI

To: Juha Jäykkä <juhaj@iki.fi>
Cc: debian-security@lists.debian.org
Subject: Re: DSA-1571 and GSSAPI
From: Russ Allbery <rra@debian.org>
Date: Thu, 15 May 2008 08:08:07 -0700
Message-id: <[🔎] 878wybbo6g.fsf@windlord.stanford.edu>
In-reply-to: <[🔎] 87wslvbp0e.fsf@windlord.stanford.edu> (Russ Allbery's message of "Thu\, 15 May 2008 07\:50\:09 -0700")
References: <[🔎] 200805151615.40145.juhaj@iki.fi> <[🔎] 87wslvbp0e.fsf@windlord.stanford.edu>

Russ Allbery <rra@debian.org> writes:

> Keys based on user passwords should be fine.

However, I was just reminded that Kerberos password changes with Heimdal
similarly use OpenSSL to generate the session key, and therefore password
change sessions are subject to the same possible attack by brute-forcing
the random session key.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

References:
- DSA-1571 and GSSAPI
  - From: Juha Jäykkä <juhaj@iki.fi>
- Re: DSA-1571 and GSSAPI
  - From: Russ Allbery <rra@debian.org>

Prev by Date: Re: DSA-1571 and GSSAPI
Next by Date: openssh: working exploit on bugtraq
Previous by thread: Re: DSA-1571 and GSSAPI
Next by thread: Re: DSA-1571 and GSSAPI
Index(es):
- Date
- Thread