Custom Query (196 matches)

Now that OpenAFS is fixed, none of our servers should need allow_weak_crypto. We should disable it everywhere.

We may need to contact users that use kinit on scripts, which at the time of this writing, is likely to be approximated by

[andersk@whole-enchilada]:~$ ls /tmp/krb5cc_* -l
-rw------- 1 freeculture freeculture 1145 Jul 24 03:17 /tmp/krb5cc_536886288
-rw------- 1 pony        pony         735 Jul 26 18:02 /tmp/krb5cc_536890340
-rw------- 1 afarrell    afarrell     697 Jul 20 18:56 /tmp/krb5cc_537865110
-rw------- 1 gdb         gdb          695 Jul 26 00:00 /tmp/krb5cc_537883327
-rw------- 1 joeyhkim    joeyhkim    1595 Jul 14 00:00 /tmp/krb5cc_538023618
-rw------- 1 ezyang      ezyang      1127 Jul 26 17:59 /tmp/krb5cc_ezyang_extra

scripts-pony/scripts/templates/master.mak has a very inefficient Konami code detection easter egg that appends all keystrokes to a JavaScript? array. It should be rewritten to use the obvious 11-state Knuth–Morris–Pratt FSM.

This now also affects XVM, who copied this code.

This is complicated by the requirement to keep SSLSessionTicketKeyFile out of persistent storage, rotate it frequently, and synchronize it across servers. It would also be nice to remember the last N old keys so that each rotation doesn’t force every user to establish a new SSL session. We’ll probably need to do some Apache development.

​https://www.imperialviolet.org/2013/06/27/botchingpfs.html ​https://blog.twitter.com/2013/forward-secrecy-at-twitter-0