Hmmm, does the default enc_type defined in /etc/krb5.conf include AES?

I had a look at our kerberized squid; it shows this in its krb5.conf:

[libdefaults]
...
 default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc
 default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc
 permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc

I think you should have the same enctypes you'll find in your keytab.

Rgds.

On 16/04/2013 14:47, Mathew Anderson wrote:
Thank you for the info. Double checking the keytab, I do have the aes256 one listed:

  8    1      HTTP/host@domain (aes256-cts-hmac-sha1-96)


I did notice that with Oracle's Java, I needed to download the cryptography extension. I also tried with OpenJDK (1.6.0_24 in this case) and received a similar error: it starts to use aes256, but CAS uses arcfour and the checksum fails.

AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
>>>KrbAsReq salt is hostHTTPdomain
Pre-Authenticaton: find key for etype = 18
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=ip UDP:x, timeout=30000, number of retries =3, #bytes=243
>>> KDCCommunication: kdc=ip UDP:x, timeout=30000,Attempt =1, #bytes=243
>>> KrbKdcReq send: #bytes read=683
>>> KrbKdcReq send: #bytes read=683
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/host
Found key for HTTP/host@domain(23)
Found key for HTTP/host@domain(1)
Found key for HTTP/host@domain(16)
Found key for HTTP/host@domain(3)
Found key for HTTP/host@domain(18)
Entered Krb5Context.acceptSecContext with state=STATE_NEW
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Checksum failed !
jcifs.spnego.AuthenticationException: Error performing Kerberos authentication: java.lang.reflect.InvocationTargetException
        at jcifs.spnego.Authentication.processKerberos(Authentication.java:447)
        at jcifs.spnego.Authentication.processSpnego(Authentication.java:346)
        at jcifs.spnego.Authentication.process(Authentication.java:235)
        at org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler.doAuthentication(JCIFSSpnegoAuthenticationHandler.java:70)


Thanks again for the suggestions!




On Tue, Apr 16, 2013 at 3:37 AM, Philippe MARASSE <[email protected]> wrote:

    Hello,

    According to this exception: *KrbException: Specified version of key is not
    available (44)*, it seems that your keytab does not include the key with the
    expected cipher. You can check it with ktutil:

    $ ktutil
    ktutil: rkt /etc/tomcat/cas/http.keytab
    ktutil: l -e
    slot KVNO Principal
    ---- ---- ---------------------------------------------------------------------
       1    2   HTTP/myserver@MYDOMAIN (aes256-cts-hmac-sha1-96)
       2    2   HTTP/myserver@MYDOMAIN (arcfour-hmac)
       3    2   HTTP/myserver@MYDOMAIN (des3-cbc-sha1)
       4    2   HTTP/myserver@MYDOMAIN (des-cbc-crc)

    The first time I tried to use SPNEGO against MIT Kerberos, I ran into another
    exception related to AES 256: *KrbException: Encryption type AES256 CTS mode with
    HMAC SHA1-96 is not supported/enabled*. This is a Java related issue, not CAS
    related: I had to download a Java Cryptography Extension with unlimited strength
    in order to use keys larger than 128 bits.

    Rgds.

    On 15/04/2013 17:10, Mathew Anderson wrote:
    Marvin - Thanks for the response and guidance.

    I have submitted the improvement. The JIRA number is CAS-1295:
    https://issues.jasig.org/browse/CAS-1295




    On Mon, Apr 15, 2013 at 7:39 AM, Marvin S. Addison <[email protected]> wrote:

            The default tkt and tgs enctypes need to be set to rc4-hmac. Windows
            Server 2008 supports encryption up to 256 aes however, not all Kerberos
            clients do, *including the CAS server Kerberos client. The encryption
            is forced down to rc4-hmac for compatibility with CAS*.


        Not very familiar with that part of the codebase, but as I understand your
        observation, CAS only supports the RC4 cipher and you would like support for
        other ciphers, including AES-256. Is that correct? If yes, please file a Jira
        improvement issue for it and post the link to the issue here to close the loop.

        Thanks,
        M

-- You are currently subscribed to [email protected] as: [email protected]
        To unsubscribe, change settings or access archives, see
        http://www.ja-sig.org/wiki/display/JSG/cas-user




-- Philippe MARASSE

    Service Informatique - Centre Hospitalier Henri Laborit
    CS 10587 - 370 avenue Jacques Coeur
    86021 Poitiers Cedex
    Tel : 05.49.44.57.19





Attachment: smime.p7s
Description: S/MIME cryptographic signature
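The advice in this thread comes down to one check: every enctype that krb5.conf allows (permitted_enctypes, default_tkt_enctypes, default_tgs_enctypes) should have a matching key in the service keytab, otherwise the KDC may issue a ticket the acceptor has no key for. The script below is an added example, not code from this thread or from CAS: it reads an MIT-format keytab (version 0x0502) directly, lists the kvno and enctype of each entry the way "ktutil: l -e" does, and reports the enctypes the configuration permits that the keytab lacks. The principal name, realm, key bytes and the keytab itself are constructed in memory so it runs offline; the krb5.conf text is the one quoted above.

```python
import struct

# Enctype numbers from the IANA Kerberos registry, with the names krb5 prints.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac", 24: "arcfour-hmac-exp",
}
# Short spellings accepted in krb5.conf enctype lists, mapped to the canonical name.
ALIASES = {
    "aes256-cts": "aes256-cts-hmac-sha1-96", "aes128-cts": "aes128-cts-hmac-sha1-96",
    "arcfour-hmac-md5": "arcfour-hmac", "rc4-hmac": "arcfour-hmac",
    "des3-hmac-sha1": "des3-cbc-sha1",
}


def _read_counted(data, pos):
    """Read a 16-bit length-prefixed string; return (string, new position)."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def parse_keytab(data):
    """Return [(principal, kvno, enctype_name), ...] from keytab file bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                  # negative size marks a deleted slot of -size bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp)
        pos += 4 + 4                  # name_type and timestamp, not needed here
        kvno = data[pos]              # 8-bit kvno
        pos += 1
        etype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen               # skip the key material itself
        if end - pos >= 4:            # optional 32-bit kvno, authoritative when non-zero
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or kvno
        pos = end
        name = ENCTYPE_NAMES.get(etype, "etype-%d" % etype)
        entries.append(("/".join(comps) + "@" + realm, kvno, name))
    return entries


def configured_enctypes(krb5_conf, setting="permitted_enctypes"):
    """Return the canonicalised enctype list of one [libdefaults] setting."""
    in_libdefaults = False
    for line in krb5_conf.splitlines():
        s = line.strip()
        if s.startswith("["):
            in_libdefaults = s == "[libdefaults]"
        elif in_libdefaults and s.split("=")[0].strip() == setting:
            return [ALIASES.get(t, t) for t in s.partition("=")[2].split()]
    return []


def missing_from_keytab(krb5_conf, keytab, principal):
    """Enctypes the config permits for which `principal` has no key in the keytab."""
    have = {e for p, _, e in parse_keytab(keytab) if p == principal}
    return [e for e in configured_enctypes(krb5_conf) if e not in have]


def _counted(s):
    b = s.encode()
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialise (principal, kvno, etype_number, key_bytes) tuples as a 0x0502 keytab.
    Only here so the example has something to parse offline; the keys are dummies."""
    out = b"\x05\x02"
    for princ, kvno, etype, key in entries:
        name, realm = princ.split("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm)
        body += b"".join(_counted(c) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # NT-PRINCIPAL, timestamp 0, vno8
        body += struct.pack(">HH", etype, len(key)) + key
        body += struct.pack(">I", kvno)                   # 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return out


# Constructed sample: the krb5.conf quoted in the thread, and a keytab holding only
# AES-256 and RC4 keys for a hypothetical HTTP principal.
SAMPLE_CONF = """[libdefaults]
 default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc
 default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc
 permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc
"""
PRINCIPAL = "HTTP/cas.example.org@EXAMPLE.ORG"
SAMPLE_KEYTAB = build_keytab([(PRINCIPAL, 2, 18, bytes(32)), (PRINCIPAL, 2, 23, bytes(16))])

if __name__ == "__main__":
    for princ, kvno, etype in parse_keytab(SAMPLE_KEYTAB):
        print("%4d  %s (%s)" % (kvno, princ, etype))
    print("permitted but missing from keytab:",
          missing_from_keytab(SAMPLE_CONF, SAMPLE_KEYTAB, PRINCIPAL))
```

To run it against a real service keytab, pass open("/etc/tomcat/cas/http.keytab", "rb").read() and the contents of /etc/krb5.conf to missing_from_keytab() with the principal CAS uses; an empty result means every permitted enctype has a key, and any enctype listed is one the KDC could pick that the acceptor cannot decrypt. Keytab files contain live key material, so run this as the service account rather than copying the file around.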
