Moritz Muehlenhoff wrote: > Here's the update on krb5 for Debian Lenny, based on a mail from Russ > Allbery: (The status of Etch has changed; it isn't affected at all). > > * MIT Kerberos itself does not generate long-term key pairs even when the > PKINIT plugin is used, so any vulnerable long-term key pairs would have > been generated outside of the MIT Kerberos software itself. The PKINIT > plugin only references existing key pairs and isn't responsible for key > management. > > * All of the random session key generation inside the PKINIT plugin is > done using the regular MIT Kerberos random key functions, *not* the > OpenSSL random number generator, and hence sessions created via PKINIT > are not subject to this vulnerability. > > MIT Kerberos itself is not in affected. However, long-term key pairs used > with PKINIT may be affected if generated on an affected Debian system, but > such generation is external to MIT Kerberos. Ok, added, I hope this makes more sense for kerberos users than it does for me. Sounds like if you're using PKINIT, and (manually?) generated a long-term key pair on a vulnerable system, the key pair should be referenerated? -- see shy jo
Attachment:
signature.asc
Description: Digital signature