Sorry for the delay; I forgot this was in my 'drafts' folder, still.
On Mon, 8 Oct 2012, Booker Bense wrote:
On Mon, Oct 8, 2012 at 10:05 AM, Jim Green <[email protected]> wrote:
Thanks for the responses, this is very helpful. One question: are you
saying that if our existing user principals have both AES and DES encrypted
keys that it is possible to remove the DES keys without having to force all
our users to change their passwords (e.g. with kdb_util dump/load)? It
seems to me I've read conflicting opinions on that.
You can definitely remove the keys with a Heimdal kdc. It's one of the
kadmin commands.
It's not so clear to me how to do that with an MIT kdc.
I believe that MIT does not expose a way to alter the keylist of a given
kvno, that is, delete just one enctype.
Furthermore, the KDC configuration to disable certain enctypes is global,
so if you need to allow AFS to use single-DES keys, other services can as
well.
When MSU rolled out Kerberos 5 in 2005 we did force everyone to change their
passwords and my understanding is they all got triple-DES and AES keys in
addition to DES at that time and going forward.
Well, that's definitely step 1 in the process and probably the most user-visible source of pain.
Yup, if all users have AES keys that's a big help.
With the KDC configuration constraints mentioned above, you need to remove
single-DES keys from service principals (that is, 'k5srvutil change' on
the keytab while the KDC is not generating single-DES keys by default) in
order to guarantee that single-DES is not used for them. Once they have
an AES key at all, it *should* get used most of the time, but to
explicitly prevent single-DES from being used, there needs to not be a
single-DES service principal key available to encrypt the ticket with.
-Ben Kaduk
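An added example, not from the thread or the OpenAFS project: a small Python audit that parses a service keytab (MIT/Heimdal file format 0x0502) and reports any entry still carrying a single-DES enctype, which is the check an administrator would run after the 'k5srvutil change' step Ben describes. The keytab bytes are constructed inline; the afs/example.com principal, kvno and key material are made up for the sample.

```python
import struct
from collections import namedtuple
# Single-DES enctype numbers (RFC 3961); these are the keys the thread wants gone.
SINGLE_DES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}
KeytabEntry = namedtuple("KeytabEntry", "principal kvno enctype")
def _counted(buf, off):
    """Read a keytab counted_octet_string: uint16 length, then the bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n
def parse_keytab(data):
    """Parse an MIT/Heimdal keytab, file format version 0x0502 (big-endian)."""
    assert data[:2] == b"\x05\x02", "unsupported keytab version"
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                 # negative size marks a deleted slot
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        off += 8                     # skip uint32 name_type and uint32 timestamp
        kvno = data[off]             # 8-bit kvno
        enctype, keylen = struct.unpack_from(">HH", data, off + 1)
        off += 5 + keylen            # skip enctype, key length and the key material
        if end - off >= 4:           # optional 32-bit kvno wins when nonzero
            kvno = struct.unpack_from(">I", data, off)[0] or kvno
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        off = end
    return entries
def single_des_entries(data):
    return [e for e in parse_keytab(data) if e.enctype in SINGLE_DES]
def _entry(principal, kvno, enctype, key):
    """Build one keytab entry; used only to construct the sample keytab below."""
    name, realm = principal.split("@")
    parts = [realm.encode()] + [c.encode() for c in name.split("/")]
    body = struct.pack(">H", len(parts) - 1) + b"".join(struct.pack(">H", len(p)) + p for p in parts)
    body += struct.pack(">IIBHH", 1, 1349700000, kvno & 0xFF, enctype, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)
# Constructed sample (not a real keytab): AES256 key (18) still beside a des-cbc-crc key (1).
SAMPLE_KEYTAB = (b"\x05\x02"
                 + _entry("afs/example.com@EXAMPLE.COM", 3, 18, b"\x11" * 32)
                 + _entry("afs/example.com@EXAMPLE.COM", 3, 1, b"\x22" * 8))
```

Run `single_des_entries()` over the bytes of a real keytab file; an empty list means no single-DES service key remains for the KDC to encrypt tickets with.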
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info