openafs (1.8.0~pre4-1) unstable; urgency=low

  * Servers no longer use rxkad.keytab for long-term keys, which are
    now stored in KeyFileExt. Administrators must use akeyconvert
    or similar tooling to populate the KeyFileExt. In most cases,
    `akeyconvert` with no arguments will suffice, and krb5 keys
    can still be managed (and periodically updated) in the rxkad.keytab.
    `akeyconvert` is run automatically in the post-install script.
  * Server log handling has changed. Logs are not truncated at
    startup by default, and are re-opened on SIGUSR1, to be compatible
    with external log rotation tools.

 -- Benjamin Kaduk <kaduk@mit.edu>  Tue, 13 Dec 2016 01:49:46 -0500

openafs (1.6.5-1) unstable; urgency=high

  The DES keys used by all previous versions of OpenAFS are not
  sufficiently strong to be secure. As of this release, all OpenAFS
  servers support using stronger long-term keys than DES. All sites are
  strongly encouraged to rekey their AFS cells after deploying the new
  version of the AFS server software on all AFS file server and AFS
  database server machines.

  To do so, generate a new set of keys for the afs/<cell> principal for
  your site and store those keys in /etc/openafs/server/rxkad.keytab on
  all file server and database server machines and then restart the server
  processes to upgrade the strength of server-to-server connections.
  After all existing AFS tokens have expired, you can then move the
  KeyFile aside, which will invalidate all old, existing DES tokens.

  If you are using Heimdal as your Kerberos KDC, you need to ensure that
  the afs/<cell> key includes a des-cbc-crc enctype (to allow for session
  keys), but you should remove all DES keys from the keytab before
  deploying it as rxkad.keytab.

  These are only abbreviated instructions and don't include some relevant
  details. If possible, please study and follow the more comprehensive
  instructions available at:

    http://www.openafs.org/pages/security/install-rxkad-k5-1.6.txt
    http://www.openafs.org/pages/security/how-to-rekey.txt

  linked from <http://www.openafs.org/security/>.

 -- Russ Allbery <rra@debian.org>  Wed, 24 Jul 2013 12:08:46 -0700

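The rekey entry above ends with a rule that is easy to get wrong: the keytab you install as rxkad.keytab must carry the new afs/<cell> keys and no single-DES entries, even though (on Heimdal) the principal in the KDC keeps a des-cbc-crc key for session keys. The script below is an added example, not part of the Debian package or the upstream rekeying guides, that audits the text listing of a keytab before you copy it to the servers. It works on the output of `klist -ekt <keytab>` (MIT) or `ktutil -k <keytab> list` (Heimdal); the listing embedded here is constructed for the example, and the principal afs/example.com@EXAMPLE.COM and the path /tmp/rxkad.keytab are placeholders.

```shell
#!/bin/sh
# Added example (not from the openafs package or upstream docs): reject a keytab
# listing that still carries single-DES keys, and show which kvnos it contains so
# you can confirm the freshly generated keys are the ones being deployed.
set -eu

# Single-DES enctype names as printed by the MIT and Heimdal keytab tools.
# (des3-cbc-sha1 is deliberately not matched: it is not single DES.)
DES_PATTERN='des-cbc-(crc|md4|md5)'

# Print the number of single-DES entries in a listing (0 if none).
count_des_entries() {
    printf '%s\n' "$1" | grep -Eic "$DES_PATTERN" || true
}

# Print the distinct key version numbers present for principal $2, one per line.
# Both MIT ("   5 07/24/2013 ... afs/cell@REALM (enctype)") and Heimdal
# ("  5  enctype  afs/cell@REALM") put the kvno in the first field.
list_kvnos() {
    printf '%s\n' "$1" | awk -v princ="$2" \
        '$0 ~ princ && $1 ~ /^[0-9]+$/ { seen[$1] = 1 } END { for (k in seen) print k }' | sort -n
}

# Return 0 when the listing is safe to deploy as rxkad.keytab: at least one key
# for the AFS service principal $2 and no single-DES entries at all.
check_rxkad_listing() {
    listing="$1"; princ="$2"
    nkeys=$(printf '%s\n' "$listing" | grep -c "$princ" || true)
    ndes=$(count_des_entries "$listing")
    if [ "$nkeys" -eq 0 ]; then
        echo "no keys for $princ in listing" >&2
        return 1
    fi
    if [ "$ndes" -gt 0 ]; then
        echo "$ndes single-DES entries present; remove them (MIT ktutil delent, Heimdal ktutil remove) before deploying" >&2
        return 1
    fi
    return 0
}

# Constructed sample in MIT `klist -ekt` format: new AES keys at kvno 5 plus a
# leftover DES key, which is what an export without an enctype restriction looks like.
SAMPLE_WITH_DES='Keytab name: FILE:/tmp/rxkad.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   5 07/24/2013 12:08:46 afs/example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   5 07/24/2013 12:08:46 afs/example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   5 07/24/2013 12:08:46 afs/example.com@EXAMPLE.COM (des-cbc-crc)'

# The same keytab after the DES entry has been removed.
SAMPLE_CLEAN=$(printf '%s\n' "$SAMPLE_WITH_DES" | grep -v 'des-cbc-crc')

PRINC='afs/example.com@EXAMPLE.COM'
if check_rxkad_listing "$SAMPLE_WITH_DES" "$PRINC"; then
    echo "unexpected: DES entry was not detected"
else
    echo "keytab with DES entry rejected, as intended"
fi
if check_rxkad_listing "$SAMPLE_CLEAN" "$PRINC"; then
    echo "clean keytab accepted; kvno(s): $(list_kvnos "$SAMPLE_CLEAN" afs/example.com | tr '\n' ' ')"
fi
```

Against a real keytab, run `check_rxkad_listing "$(klist -ekt /path/to/rxkad.keytab)" afs/<cell>@<REALM>` on each server before restarting anything; if it reports a DES entry, strip it with your KDC's keytab tool and re-check rather than deploying and hoping the servers ignore it.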
openafs (1.5.77-1) experimental; urgency=low

  This version of the OpenAFS file server includes a version built with
  demand-attach, but as binaries with a different name.

  Demand-attach completely changes how the file server shuts down and
  starts up. Instead of detaching all volumes on shutdown and reattaching
  them on startup, the file server saves state to disk and restores state
  when starting, enabling it to start far faster. Volumes are only
  attached when used and are detached again if they go unused for an
  extended period. Volumes can also be salvaged on demand.

  Demand-attach is recommended for new deployments and for evaluation in
  current production deployments, but requires a change to your bos
  configuration to use. If you want to switch your file server to
  demand-attach, run:

    bos status localhost -instance fs -long

  and take note of the flags that you're using with the fileserver and
  volserver. Then, run:

    bos stop localhost fs -localauth
    bos delete localhost fs -localauth
    bos create localhost dafs dafs \
        "/usr/lib/openafs/dafileserver <fileserver-flags>" \
        "/usr/lib/openafs/davolserver <volserver-flags>" \
        /usr/lib/openafs/salvageserver /usr/lib/openafs/dasalvager

  to create the correct new BosConfig entry for demand-attach AFS.

  If you were running an earlier version of the experimental
  openafs-fileserver package, the way that demand-attach was handled has
  changed and you have to change your bos configuration to use the new
  demand-attach binary names. Run:

    bos stop localhost dafs -localauth
    bos delete localhost dafs -localauth

  and then run the bos create command above. This only applies to users
  of the previous experimental packages, not to upgrades from unstable.

 -- Russ Allbery <rra@debian.org>  Tue, 21 Sep 2010 14:08:04 -0700

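The conversion above has one manual step where mistakes happen: copying the fileserver and volserver flags out of `bos status -long` into the new `bos create` line. The script below is an added example, not part of the Debian package, that does that transcription mechanically: it parses the "Command N is '...'" lines of the status output, carries the flags over onto the demand-attach binaries named in the entry, and prints the stop/delete/create sequence (or runs it when told to). The status text embedded here is constructed; the only flags it contains are placeholders for whatever your own `fs` instance uses.

```shell
#!/bin/sh
# Added example (not from the openafs package): build the `bos create ... dafs`
# command from an existing `fs` instance's `bos status -long` output so the
# fileserver and volserver flags are carried over exactly.
set -eu

# Print the flags of command number $2 from a `bos status -long` listing ($1).
# Lines look like:  Command 1 is '/usr/lib/openafs/fileserver -L -udpsize 1048576'
# The binary path (up to the first space) is dropped; only the flags are printed,
# so a command with no flags yields an empty string.
command_flags() {
    printf '%s\n' "$1" | sed -n "s/^ *Command $2 is '[^ ']*\(.*\)'\$/\1/p" | sed 's/^ *//'
}

# Print the bos create command for a demand-attach instance on host $1, using the
# flags found in status listing $2. -localauth is added so it can run from the
# server itself, like the stop/delete commands in the entry.
dafs_create_command() {
    host="$1"; status="$2"
    fsflags=$(command_flags "$status" 1)
    volflags=$(command_flags "$status" 2)
    printf 'bos create %s dafs dafs "/usr/lib/openafs/dafileserver%s" "/usr/lib/openafs/davolserver%s" /usr/lib/openafs/salvageserver /usr/lib/openafs/dasalvager -localauth\n' \
        "$host" "${fsflags:+ $fsflags}" "${volflags:+ $volflags}"
}

# Print (mode "dry-run", the default) or execute (mode "apply") the full sequence:
# stop and delete the old fs instance, then create dafs with the same flags.
convert_fs_to_dafs() {
    host="$1"; status="$2"; mode="${3:-dry-run}"
    create=$(dafs_create_command "$host" "$status")
    for cmd in "bos stop $host fs -localauth" "bos delete $host fs -localauth" "$create"; do
        if [ "$mode" = apply ]; then
            eval "$cmd"
        else
            echo "$cmd"
        fi
    done
}

# Constructed sample of `bos status localhost -instance fs -long` output; the
# -L and -udpsize flags stand in for whatever your fs instance was created with.
SAMPLE_STATUS="Instance fs, (type is fs) currently running normally.
    Auxiliary status is: file server running.
    Process last started at Tue Sep 21 14:00:00 2010 (1 proc starts)
    Command 1 is '/usr/lib/openafs/fileserver -L -udpsize 1048576'
    Command 2 is '/usr/lib/openafs/volserver -udpsize 1048576'
    Command 3 is '/usr/lib/openafs/salvager'"

# Dry run: shows the three commands that would be executed.
convert_fs_to_dafs localhost "$SAMPLE_STATUS"
```

On a real server, feed it the live output: `convert_fs_to_dafs localhost "$(bos status localhost -instance fs -long)"`, read the printed commands, and rerun with `apply` as the third argument only when they match what you expect; the salvager flags (command 3) are intentionally not carried over, since demand-attach uses salvageserver and dasalvager instead.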
openafs (1.5.73.3-1) experimental; urgency=low

  As of this release, the default permissions for /etc/openafs/server are
  now 0755, matching upstream. The only file in that directory that needs
  to be kept secure is KeyFile, which is created with 0600 permissions.
  The directory permissions won't be changed on upgrade, so bosserver will
  complain now that it is no longer patched to permit restrictive
  permissions. Once you're certain the per-file permissions of all files
  in that directory are safe, chmod 755 /etc/openafs/server to make
  bosserver happy.

 -- Russ Allbery <rra@debian.org>  Tue, 06 Apr 2010 14:51:52 -0700

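The entry above asks you to be certain that every file in /etc/openafs/server has safe per-file permissions before opening the directory to 0755. The script below is an added example, not part of the Debian package, that makes that check explicit: it refuses to relax the directory while any key material (KeyFile and anything named like it, plus KeyFileExt and rxkad.keytab, which later releases added and are assumptions here) is readable by group or others, and lists the remaining group/other-readable files for review, since ThisCell, CellServDB and UserList are expected to be world-readable. It uses GNU find and stat, as on Debian, and demonstrates itself on a constructed scratch directory rather than the real one.

```shell
#!/bin/sh
# Added example (not from the openafs package): only chmod 755 a server config
# directory once no key material in it is group- or other-readable.
set -eu

# Files under $1 that hold key material and still grant any group/other bits.
# Output is "octal-mode name", one per line; empty when nothing is exposed.
# KeyFile* also catches stray copies such as KeyFile.old left over from a rekey.
exposed_secrets() {
    find "$1" -maxdepth 1 -type f \( -name 'KeyFile*' -o -name 'rxkad.keytab*' \) \
        -perm /077 -printf '%m %f\n' | sort
}

# Every other group/other-readable file in $1, for the operator to review by eye.
other_readable() {
    find "$1" -maxdepth 1 -type f ! -name 'KeyFile*' ! -name 'rxkad.keytab*' \
        -perm /077 -printf '%m %f\n' | sort
}

# chmod 755 the directory $1 only if no key material is exposed; otherwise print
# what must be fixed first and return 1.
relax_server_dir() {
    bad=$(exposed_secrets "$1")
    if [ -n "$bad" ]; then
        echo "refusing to chmod 755 $1; fix these first:" >&2
        echo "$bad" >&2
        return 1
    fi
    echo "non-secret files readable by group/others (expected for ThisCell, CellServDB, UserList):"
    other_readable "$1"
    chmod 755 "$1"
}

# Constructed scratch directory laid out like /etc/openafs/server, with one
# typical mistake: a world-readable KeyFile.old left behind after a rekey.
demo_dir() {
    d=$(mktemp -d)
    printf 'example.com\n' > "$d/ThisCell";     chmod 644 "$d/ThisCell"
    printf '>example.com\n' > "$d/CellServDB";  chmod 644 "$d/CellServDB"
    : > "$d/KeyFile";                           chmod 600 "$d/KeyFile"
    : > "$d/KeyFile.old";                       chmod 644 "$d/KeyFile.old"
    chmod 700 "$d"
    echo "$d"
}

D=$(demo_dir)
if relax_server_dir "$D"; then
    echo "unexpected: directory relaxed while KeyFile.old was 0644"
else
    echo "refused while KeyFile.old is 0644, as intended"
fi
chmod 600 "$D/KeyFile.old"
if relax_server_dir "$D"; then
    echo "directory mode is now $(stat -c %a "$D")"
fi
rm -rf "$D"
```

On a real server, call `relax_server_dir /etc/openafs/server` in place of the scratch directory; it makes the chmod the entry asks for only after the check passes.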
openafs (1.4.4.dfsg1-4) unstable; urgency=low

  The files previously located in /etc/openafs/server-local have been
  moved to /var/lib/openafs/local. The OpenAFS fileserver and bosserver
  write files to this directory on startup which are not configuration
  files and therefore, per the File Hierarchy Standard, should not be in
  /etc. Any sysid, sysid.old, NetInfo, and NetRestrict files in
  /etc/openafs/server-local have been copied to /var/lib/openafs/local.

  upserver and upclient have moved to /usr/lib/openafs (from /usr/sbin) to
  match the other programs intended to be run by the bosserver and to
  match upstream's layout. If you're running upserver or upclient from
  bosserver, BosConfig has been updated with the new path, but the
  services have not been restarted.

  At your convenience, you should restart your servers with:

    bos restart -all -bosserver

  so that the running servers will look at the new locations. After doing
  so, you may remove /etc/openafs/server-local if you wish.

 -- Russ Allbery <rra@debian.org>  Tue, 19 Jun 2007 03:51:58 -0700