Message-ID: <75704771D4A847138BB106A0ED095055@CDCHOME>
From: "Christopher D. Clausen"
Subject: Re: [krbdev.mit.edu #5821] REQ: in-registry keytab support
Date: Thu, 18 Oct 2007 17:57:28 -0500

Ken Raeburn via RT wrote:
> On Oct 18, 2007, at 17:16, Christopher D. Clausen via RT wrote:
>> Sam Hartman via RT wrote:
> So now your anonymous user would be talking to the attacker's version
> of the AFS cell, with encryption.

Understood. No less secure than anonymous AFS access right now though, except for maybe the user thinking they are secure.

> It may be safer from passive eavesdroppers who don't have the shared
> key, but conservatively, it shouldn't be considered any more secure
> than non-encrypted exchanges, unless you have good reason to believe
> the key can never be compromised.

Basically, one would use it purely for over-the-wire encryption.

>> (Say non-AD joined machines. Copying a registry file and
>> importing it may be simpler than setting up a file path, etc. A
>> single registry key can contain all the needed configuration info.)
>> The fact that you are actually authenticating but still an anonymous user
>> allows for OpenAFS to enable encryption to the cell. This is a
>> FEATURE in this case. (Well, it will hopefully soon be an OpenAFS feature.)
>
> A better solution, which unfortunately is still in design, might be
> the anonymous-ticket facility for Kerberos,
> http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-anon-04.txt .

Yeah, well, sometimes one needs a solution that works now and not at some undetermined point in the future.

-----

Regardless, even only using the single instance of a cluster of machines serving HTTP, the keytab in the registry is still a useful feature. And allowing the service keytab to be in a registry key doesn't make it any less secure than a file.
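The thread's closing point is that a keytab is the same sequence of bytes whether it is read from a file or from a registry value, so the storage location does not change what the bytes reveal. The following is an added example by the editor, not code from the ticket or from MIT Kerberos: a serializer and parser for the MIT keytab layout (format version 0x0502: a two-byte version tag, then entries of a signed 32-bit size followed by a body holding the principal, timestamp, 8-bit vno, enctype and key, with an optional trailing 32-bit vno; a negative size marks a deleted slot). It takes bytes from wherever they were loaded, and its `remove_principal` deletes an entry the way a careful tool should, by zeroing the body as well as negating the size so stale key material does not linger in the file or registry value. The principal names, timestamps and keys are constructed sample data; `HTTP/www.example.com@EXAMPLE.COM` and `afs/example.com@EXAMPLE.COM` are hypothetical, and `bytes(range(32))` is a dummy key, not real key material.

```python
import struct

# MIT keytab, format version 0x0502: 2-byte version tag, then slots of
# "int32 size" followed by size bytes of body. A negative size marks a
# deleted slot that readers skip. All integers are big-endian.
KEYTAB_VERSION = b"\x05\x02"
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18
KRB5_NT_PRINCIPAL = 1


class _Cursor:
    """Minimal reader over a bytes object."""
    def __init__(self, data, pos=0):
        self.data, self.pos = data, pos

    def unpack(self, fmt):
        vals = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return vals

    def counted(self):
        """A uint16-length-prefixed octet string."""
        (n,) = self.unpack(">H")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk


def serialize_keytab(entries):
    """Encode entry dicts (realm, components, timestamp, kvno, enctype, key)."""
    out = bytearray(KEYTAB_VERSION)
    for e in entries:
        realm = e["realm"].encode()
        comps = [c.encode() for c in e["components"]]
        body = bytearray(struct.pack(">H", len(comps)))  # realm not counted in 0x0502
        body += struct.pack(">H", len(realm)) + realm
        for c in comps:
            body += struct.pack(">H", len(c)) + c
        body += struct.pack(">IIB", e.get("name_type", KRB5_NT_PRINCIPAL),
                            e["timestamp"], e["kvno"] & 0xFF)  # 8-bit vno (truncated)
        body += struct.pack(">HH", e["enctype"], len(e["key"])) + e["key"]
        body += struct.pack(">I", e["kvno"])  # trailing 32-bit vno, used when nonzero
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def _parse_entry(cur, end):
    (ncomp,) = cur.unpack(">H")
    realm = cur.counted().decode()
    comps = [cur.counted().decode() for _ in range(ncomp)]
    name_type, timestamp, kvno = cur.unpack(">IIB")
    enctype, klen = cur.unpack(">HH")
    key = cur.data[cur.pos:cur.pos + klen]
    cur.pos += klen
    if end - cur.pos >= 4:  # room left for the 32-bit vno extension
        (vno32,) = cur.unpack(">I")
        if vno32:
            kvno = vno32
    return {"realm": realm, "components": comps, "name_type": name_type,
            "timestamp": timestamp, "kvno": kvno, "enctype": enctype, "key": key}


def _slots(data):
    """Yield (offset of size field, size, body start) for every slot."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version %r" % data[:2])
    cur = _Cursor(data, 2)
    while cur.pos + 4 <= len(data):
        off = cur.pos
        (size,) = cur.unpack(">i")
        if cur.pos + abs(size) > len(data):
            raise ValueError("truncated keytab slot at offset %d" % off)
        yield off, size, cur.pos
        cur.pos += abs(size)


def parse_keytab(data):
    """Return the live entries; deleted (negative-size) slots are skipped."""
    return [_parse_entry(_Cursor(data, start), start + size)
            for _off, size, start in _slots(data) if size > 0]


def principal_name(entry):
    return "/".join(entry["components"]) + "@" + entry["realm"]


def remove_principal(data, principal):
    """Delete every entry for `principal`: zero the body so the key bytes are
    gone, then negate the size so readers skip the slot."""
    out = bytearray(data)
    for off, size, start in _slots(data):
        if size > 0 and principal_name(_parse_entry(_Cursor(data, start), start + size)) == principal:
            out[start:start + size] = bytes(size)
            struct.pack_into(">i", out, off, -size)
    return bytes(out)


def sample_keytab():
    """Constructed sample: hypothetical principals, fixed timestamp, dummy keys."""
    return serialize_keytab([
        {"realm": "EXAMPLE.COM", "components": ["HTTP", "www.example.com"],
         "timestamp": 1192748400, "kvno": 3,
         "enctype": ENCTYPE_AES256_CTS_HMAC_SHA1_96, "key": bytes(range(32))},
        {"realm": "EXAMPLE.COM", "components": ["afs", "example.com"],
         "timestamp": 1192748400, "kvno": 300,  # exercises the 32-bit vno path
         "enctype": ENCTYPE_AES256_CTS_HMAC_SHA1_96, "key": bytes(range(32, 64))},
    ])
```

Whatever loads the bytes (`open(path, "rb").read()` for a FILE keytab, or a REG_BINARY value read back from the registry on Windows) hands them to `parse_keytab` unchanged; the confidentiality of the key material depends entirely on who can read that location, which is the point made above. The second sample entry uses a kvno above 255 to show why the trailing 32-bit vno field matters: without it the 8-bit field silently wraps.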