From: Russ Allbery Date: Wed, 24 Jul 2013 19:12:43 +0000 (-0700) Subject: Add NEWS entry for openafs-fileserver rekeying X-Git-Tag: debian/1.6.5-1~2 X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=ec9a05675d2f414554c26cb4f3ecd0da8a2a1d17;p=packages%2Fo%2Fopenafs.git Add NEWS entry for openafs-fileserver rekeying --- diff --git a/debian/openafs-fileserver.NEWS b/debian/openafs-fileserver.NEWS index a6025b555..8f9ab6dda 100644 --- a/debian/openafs-fileserver.NEWS +++ b/debian/openafs-fileserver.NEWS 
@@ -1,3 +1,35 @@ +openafs (1.6.5-1) unstable; urgency=high + + The DES keys used by all previous versions of OpenAFS are not + sufficiently strong to be secure. As of this release, all OpenAFS + servers support using stronger long-term keys than DES. All sites are + strongly encouraged to rekey their AFS cells after deploying the new + version of the AFS server software on all AFS file server and AFS + database server machines. + + To do so, generate a new set of keys for the afs/ principal for + your site and store those keys in /etc/openafs/server/rxkad.keytab on + all file server and database server machines and then restart the server + processes to upgrade the strength of server-to-server connections. + After all existing AFS tokens have expired, you can then move the + KeyFile aside, which will invalidate all old, existing DES tokens. + + If you are using Heimdal as your Kerberos KDC, you need to ensure that + the afs/ key includes a des-cbc-crc enctype (to allow for session + keys), but you should remove all DES keys from the keytab before + deploying it as rxkad.keytab. + + These are only abbreviated instructions and don't include some relevant + details. If possible, please study and follow the more comprehensive + instructions available at: + + http://www.openafs.org/pages/security/install-rxkad-k5-1.6.txt + http://www.openafs.org/pages/security/how-to-rekey.txt + + linked from . + + -- Russ Allbery Wed, 24 Jul 2013 12:08:46 -0700 + openafs (1.5.77-1) experimental; urgency=low This version of the OpenAFS file server includes a version built with
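Review bot: In the Heimdal paragraph of the new 1.6.5-1 entry, "you need to ensure that the afs/ key includes a des-cbc-crc enctype" followed by "you should remove all DES keys from the keytab" reads as contradictory unless the reader already knows that the first clause refers to the principal as stored in the KDC and the second to the exported rxkad.keytab file. Suggest saying so explicitly, since an administrator who strips the enctype from the principal or leaves the DES entry in the keytab ends up with the wrong result either way. Two smaller points in the same entry: "After all existing AFS tokens have expired" gives no way to tell when that is, so it would help to state what bounds the wait (for example the site's maximum ticket lifetime) before the KeyFile is moved aside; and the closing "linked from ." has no target as it appears here, so the sentence should either name the page or be dropped.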