From 812e6a546d5a7f8169fd3aa1809c087b12142780 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Wed, 24 Jul 2013 12:12:43 -0700 Subject: [PATCH] Add NEWS entry for openafs-fileserver rekeying Conflicts: debian/openafs-fileserver.NEWS --- debian/changelog | 2 +- debian/openafs-fileserver.NEWS | 32 ++++++++++++++++++++++++++++++++ 2 files changed, 33 insertions(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index ac626dc90..5aa26cbc0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -openafs (1.4.12.1+dfsg-4+squeeze2) UNRELEASED; urgency=high +openafs (1.4.12.1+dfsg-4+squeeze2) squeeze-security; urgency=high * Apply upstream security patches: - OPENAFS-SA-2013-003: New support for non-DES enctypes in the diff --git a/debian/openafs-fileserver.NEWS b/debian/openafs-fileserver.NEWS index f55236617..0657a5b0d 100644 --- a/debian/openafs-fileserver.NEWS +++ b/debian/openafs-fileserver.NEWS 
@@ -1,3 +1,35 @@ +openafs (1.4.12.1+dfsg-4+squeeze2) squeeze-security; urgency=high + + The DES keys used by all previous versions of OpenAFS are not + sufficiently strong to be secure. As of this release, all OpenAFS + servers support using stronger long-term keys than DES. All sites are + strongly encouraged to rekey their AFS cells after deploying the new + version of the AFS server software on all AFS file server and AFS + database server machines. + + To do so, generate a new set of keys for the afs/ principal for + your site and store those keys in /etc/openafs/server/rxkad.keytab on + all file server and database server machines and then restart the server + processes to upgrade the strength of server-to-server connections. + After all existing AFS tokens have expired, you can then move the + KeyFile aside, which will invalidate all old, existing DES tokens. + + If you are using Heimdal as your Kerberos KDC, you need to ensure that + the afs/ key includes a des-cbc-crc enctype (to allow for session + keys), but you should remove all DES keys from the keytab before + deploying it as rxkad.keytab. + + These are only abbreviated instructions and don't include some relevant + details. If possible, please study and follow the more comprehensive + instructions available at: + + http://www.openafs.org/pages/security/install-rxkad-k5-1.6.txt + http://www.openafs.org/pages/security/how-to-rekey.txt + + linked from . + + -- Russ Allbery Wed, 24 Jul 2013 12:08:46 -0700 + openafs (1.4.4.dfsg1-4) unstable; urgency=low The files previously located in /etc/openafs/server-local have been -- 2.39.5
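Review bot: the debian/changelog hunk only flips the distribution from UNRELEASED to squeeze-security; the entry beneath it still lists just the upstream security patches, so add a bullet such as "* Add NEWS entry for openafs-fileserver describing how to rekey the cell" so the rekeying instructions are discoverable from the changelog, and confirm this is the final commit before upload since the release marker is now set.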
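Review bot: in the openafs-fileserver.NEWS hunk the closing sentence "linked from ." has lost its target and the principal is written as "afs/" with nothing after the slash in three places; fill in the page the two URLs are linked from and restore the cell placeholder after "afs/" so the instructions are unambiguous. The Heimdal paragraph also reads as contradictory at first glance ("ensure that the afs/ key includes a des-cbc-crc enctype" followed by "remove all DES keys from the keytab"); spell out that the DES enctype stays on the KDC's copy of the key and is dropped only from the exported keytab that becomes rxkad.keytab, and consider noting next to "move the KeyFile aside" that moving it before every old token has expired cuts off clients still holding DES tokens.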