hadoop-hdfs-issues mailing list archives

From "Aaron T. Myers (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-2617) Replaced Kerberized SSL for image transfer and fsck with SPNEGO-based solution
Date Wed, 18 Jul 2012 22:17:34 GMT

    [ https://issues.apache.org/jira/browse/HDFS-2617?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13417750#comment-13417750 ]

Aaron T. Myers commented on HDFS-2617:
--------------------------------------

The trouble with KSSL is not in KSSL itself, it's because of a JDK bug that Joey mentioned:
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6946669

This bug unfortunately requires that the Kerberos authentication part of the KSSL connection
use DES encryption for the Kerberos tickets. Pretty much everyone agrees that DES is unacceptably
weak, which is also why MIT KRB5 has been phasing out support for it.

bq. Also, why can't we simply change/remove the hardcoded cipher?

The cipher you're referring to isn't the issue, and in fact is hard-coded to 3DES, whose strength
I don't think folks here are concerned about. That cipher is used to encrypt the traffic via
SSL after the Kerberos handshake has completed.

If you enable Java SSL/KRB5 debug output when performing an NN checkpoint, you'll see that
DES is used for the Kerberos handshake, and thereafter 3DES for the SSL encryption.
                
> Replaced Kerberized SSL for image transfer and fsck with SPNEGO-based solution
> ------------------------------------------------------------------------------
>
>                 Key: HDFS-2617
>                 URL: https://issues.apache.org/jira/browse/HDFS-2617
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: security
>            Reporter: Jakob Homan
>            Assignee: Jakob Homan
>             Fix For: 2.1.0-alpha
>
>         Attachments: HDFS-2617-a.patch, HDFS-2617-b.patch, HDFS-2617-branch-1.patch, HDFS-2617-config.patch, HDFS-2617-trunk.patch, HDFS-2617-trunk.patch, HDFS-2617-trunk.patch, HDFS-2617-trunk.patch, hdfs-2617-1.1.patch
>
>
> The current approach to secure and authenticate nn web services is based on Kerberized SSL and was developed when a SPNEGO solution wasn't available. Now that we have one, we can get rid of the non-standard KSSL and use SPNEGO throughout. This will simplify setup and configuration. Also, Kerberized SSL is a non-standard approach with its own quirks and dark corners (HDFS-2386).

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        
