death-to-obsolete-readmes-20060801

Remove README.SECURITY given that we've already removed all the code that
it was talking about.  Remove references to README.OBSOLETE, since it's
now gone.
Russ Allbery 2006-08-01 23:30:03 +00:00
parent 80e88d6a80
commit 1732c5cb5a
2 changed files with 0 additions and 30 deletions

5
README

@ -64,11 +64,6 @@ A. Creating the proper directory structure.
headers for your configured kernel can be found. See the
system-specific Notes sections below for details.
Be prepared to provide the switches --enable-obsolete and
--enable-insecure if you require the use of any bundled but obsolete
or insecure software included with OpenAFS. See README.OBSOLETE and
README.SECURITY for more details.
There are two modes for directory path handling: "Transarc mode" and "default mode":
- In Transarc mode, we retain compatibility with Transarc/IBM AFS tools
by putting client configuaration files in /usr/vice/etc, and server
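Review bot: Possible undocumented build options: the paragraph dropped at README lines 64-68 is where this section told builders about --enable-obsolete and --enable-insecure, and nothing in the hunk shows whether configure still accepts them. If either switch survives the code removal it is now undocumented here, so confirm both are gone from configure; the commit message names only README.SECURITY and README.OBSOLETE and would be clearer if it said the switches themselves no longer exist.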


@ -1,25 +0,0 @@
The inetd, rcp, rlogind and rsh directories contain AFS authentication (token)
passing support for their respective utilities. We are not removing these
utilities as some sites may still be using them, but we *strongly discourage*
their use. These utilities don't encrypt user traffic, and they also don't
encrypt the AFS tokens. This means an attacker can capture the data and recover
a valid authentication token, and use it to perform authenticated operations.
Consider foregoing the rcmds altogether and using ssh. You can get Dug Song's
ssh patch to support AFS here:
http://www.monkey.org/~dugsong/ssh-afs/
but you'll also need to install Kerberos 4 for libraries (which isn't a bad
idea anyhow). The KTH implementation includes the AFS helper library libkafs,
and so is desirable:
ftp://ftp.pdc.kth.se/pub/krb/src/
As a side effect, the insecure, but AFS aware ftpd included in AFS can be
replaced by the ftpd included in the above-mentioned Kerberos package, as it
has RFC2228 security extensions.
In any case, carefully consider the security implications before deploying
these utilities.
To enable building of the insecure code included with OpenAFS, run
configure with the --enable-insecure switch.
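Review bot: Missing migration note for sites that built with --enable-insecure: with all 25 lines deleted, the patch as shown adds no replacement text recording that the inetd, rcp, rlogind and rsh token-passing support is gone or why. The deleted text carried the actual rationale (these utilities "don't encrypt the AFS tokens", so a captured token can be reused) and the recommendation to move to ssh; a short release-note or NEWS entry naming the removed directories and repeating that recommendation would keep the guidance available to anyone upgrading.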