openafs (1.8.0~pre4-1) unstable; urgency=low

  * Servers no longer use rxkad.keytab for long-term keys, which are
    now stored in KeyFileExt. Administrators must use akeyconvert
    or similar tooling to populate the KeyFileExt. In most cases,
    `akeyconvert` with no arguments will suffice.
  * Server log handling has changed. Logs are not truncated at
    startup by default, and are re-opened on SIGUSR1, to be compatible
    with external log rotation tools.

 -- Benjamin Kaduk <kaduk@mit.edu>  Tue, 13 Dec 2016 01:49:46 -0500

openafs (1.6.5-1) unstable; urgency=high

  The DES keys used by all previous versions of OpenAFS are not
  sufficiently strong to be secure. As of this release, all OpenAFS
  servers support using stronger long-term keys than DES. All sites are
  strongly encouraged to rekey their AFS cells after deploying the new
  version of the AFS server software on all AFS file server and AFS
  database server machines.

  To do so, generate a new set of keys for the afs/<cell> principal for
  your site and store those keys in /etc/openafs/server/rxkad.keytab on
  all file server and database server machines and then restart the server
  processes to upgrade the strength of server-to-server connections.
  After all existing AFS tokens have expired, you can then move the
  KeyFile aside, which will invalidate all old, existing DES tokens.

  If you are using Heimdal as your Kerberos KDC, you need to ensure that
  the afs/<cell> key includes a des-cbc-crc enctype (to allow for session
  keys), but you should remove all DES keys from the keytab before
  deploying it as rxkad.keytab.

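  A check for the last step, written as an added example (not part of
  the OpenAFS or Debian packaging): it parses a file keytab and lists any
  single-DES keys still in it before the file is deployed as rxkad.keytab.
  It assumes the standard version 0x0502 keytab layout; the principal,
  realm and all-zero keys in SAMPLE are constructed.

```python
import struct
# Kerberos enctype numbers of the single-DES key types.
SINGLE_DES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}

def counted(buf, p):
    """Read a 16-bit length-prefixed byte string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, p)
    return buf[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(data):
    """Yield (principal, kvno, enctype) for each entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        entry, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, p = counted(entry, 2)
        comps = []
        for _ in range(ncomp):
            comp, p = counted(entry, p)
            comps.append(comp.decode())
        kvno = entry[p + 8]                # skip 4-byte name type, 4-byte timestamp
        (etype,) = struct.unpack_from(">H", entry, p + 9)
        _key, p = counted(entry, p + 11)   # key bytes are never printed or returned
        if len(entry) - p >= 4:            # optional 32-bit kvno replaces the 8-bit one
            kvno = struct.unpack_from(">I", entry, p)[0] or kvno
        yield "/".join(comps) + "@" + realm.decode(), kvno, etype

def single_des_entries(data):
    return [(pr, kvno, SINGLE_DES[e]) for pr, kvno, e in parse_keytab(data) if e in SINGLE_DES]

def make_entry(realm, comps, kvno, etype, key):
    """Encode one keytab entry; used only to construct the sample below."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + cs(realm) + b"".join(map(cs, comps))
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, etype) + cs(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: afs/example.com holding an AES key (18) and a leftover DES key (1).
SAMPLE = b"\x05\x02" + b"".join(
    make_entry(b"EXAMPLE.COM", [b"afs", b"example.com"], 3, etype, bytes(klen))
    for etype, klen in ((18, 32), (1, 8)))
```

  To check a real file, pass open(path, "rb").read() to
  single_des_entries(); an empty list means no single-DES keys remain.
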
  These are only abbreviated instructions and don't include some relevant
  details. If possible, please study and follow the more comprehensive
  instructions available at:

    http://www.openafs.org/pages/security/install-rxkad-k5-1.6.txt
    http://www.openafs.org/pages/security/how-to-rekey.txt

  linked from <http://www.openafs.org/security/>.

 -- Russ Allbery <rra@debian.org>  Wed, 24 Jul 2013 12:08:46 -0700

openafs (1.5.77-1) experimental; urgency=low

  This version of the OpenAFS file server includes a version built with
  demand-attach, but as binaries with a different name.

  Demand-attach completely changes how the file server shuts down and
  starts up. Instead of detaching all volumes on shutdown and reattaching
  them on startup, the file server saves state to disk and restores state
  when starting, enabling it to start far faster. Volumes are only
  attached when used and are detached again if they go unused for an
  extended period. Volumes can also be salvaged on demand.

  Demand-attach is recommended for new deployments and for evaluation in
  current production deployments, but requires a change to your bos
  configuration to use. If you want to switch your file server to

    bos status localhost -instance fs -long

  and take note of the flags that you're using with the fileserver and

    bos stop localhost fs -localauth
    bos delete localhost fs -localauth
    bos create localhost dafs dafs \
        "/usr/lib/openafs/dafileserver <fileserver-flags>" \
        "/usr/lib/openafs/davolserver <volserver-flags>" \
        /usr/lib/openafs/salvageserver /usr/lib/openafs/dasalvager

  to create the correct new BosConfig entry for demand-attach AFS.

  If you were running an earlier version of the experimental
  openafs-fileserver package, the way that demand-attach was handled has
  changed and you have to change your bos configuration to use the new
  demand-attach binary names. Run:

    bos stop localhost dafs -localauth
    bos delete localhost dafs -localauth

  and then run the bos create command above. This only applies to users
  of the previous experimental packages, not to upgrades from unstable.

 -- Russ Allbery <rra@debian.org>  Tue, 21 Sep 2010 14:08:04 -0700

openafs (1.5.73.3-1) experimental; urgency=low

  As of this release, the default permissions for /etc/openafs/server are
  now 0755, matching upstream. The only file in that directory that needs
  to be kept secure is KeyFile, which is created with 0600 permissions.
  The directory permissions won't be changed on upgrade, so bosserver will
  complain now that it is no longer patched to permit restrictive
  permissions. Once you're certain the per-file permissions of all files
  in that directory are safe, chmod 755 /etc/openafs/server to make

 -- Russ Allbery <rra@debian.org>  Tue, 06 Apr 2010 14:51:52 -0700

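  One way to check the per-file permissions mentioned in the 1.5.73.3
  entry before running chmod 755, as an added example that is not part of
  the package. The policy is an assumption: key stores named in this file
  (KeyFile, rxkad.keytab, KeyFileExt) must grant nothing to group or
  other, and no other file may be writable by group or other.

```python
import os
import stat

# Key stores named in these NEWS entries; everything else is treated as public data.
SECRET_NAMES = {"KeyFile", "rxkad.keytab", "KeyFileExt"}

def audit_server_dir(path="/etc/openafs/server"):
    """Return (name, mode, problem) for entries to fix before opening up `path`."""
    findings = []
    for name in sorted(os.listdir(path)):
        st = os.lstat(os.path.join(path, name))    # lstat: do not follow symlinks
        mode = stat.S_IMODE(st.st_mode)
        if stat.S_ISLNK(st.st_mode):
            findings.append((name, mode, "symlink, check the target by hand"))
        elif name in SECRET_NAMES and mode & 0o077:
            findings.append((name, mode, "key material accessible to group/other"))
        elif mode & 0o022:
            findings.append((name, mode, "writable by group/other"))
    return findings

if __name__ == "__main__":
    problems = audit_server_dir()
    for name, mode, problem in problems:
        print(f"{name}: mode {mode:04o}: {problem}")
    if not problems:
        print("no findings; chmod 755 /etc/openafs/server will not expose key files")
```
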
openafs (1.4.4.dfsg1-4) unstable; urgency=low

  The files previously located in /etc/openafs/server-local have been
  moved to /var/lib/openafs/local. The OpenAFS fileserver and bosserver
  write files to this directory on startup which are not configuration
  files and therefore, per the File Hierarchy Standard, should not be in
  /etc. Any sysid, sysid.old, NetInfo, and NetRestrict files in
  /etc/openafs/server-local have been copied to /var/lib/openafs/local.

  upserver and upclient have moved to /usr/lib/openafs (from /usr/sbin) to
  match the other programs intended to be run by the bosserver and to
  match upstream's layout. If you're running upserver or upclient from
  bosserver, BosConfig has been updated with the new path, but the
  services have not been restarted.

  At your convenience, you should restart your servers with:

    bos restart -all -bosserver

  so that the running servers will look at the new locations. After doing
  so, you may remove /etc/openafs/server-local if you wish.

 -- Russ Allbery <rra@debian.org>  Tue, 19 Jun 2007 03:51:58 -0700