Replying to a rather old mail to note new developments...
On Fri, 5 Oct 2012, Benjamin Kaduk wrote:
On Fri, 5 Oct 2012, Booker Bense wrote:
On Fri, Oct 5, 2012 at 11:23 AM, Benjamin Kaduk <[email protected]> wrote:
You can limit your exposure by having the afs/cell@realm principal be the only principal in the database with a single DES key. The default_enctypes do not need to include single-DES, and you can safely make both user principals and krbtgt/realm have no weak keys; the weak crypto will only be used to obtain an afs service ticket (and the corresponding token).
Are you absolutely sure this is true? I have vague recollections that you
need single DES keys on the krbtgt key to get single DES tickets. But
it's late and I haven't had lunch yet so I may be misremembering.
I am not 100% sure, no. I am actually working on a document with a procedure
for upgrading away from single-DES, and will test it in practice during the
course of that work. (I will send a link when it is finished.) The main
The MIT krb5-1.11 release (announced yesterday) includes a document about
how to remove or mostly remove single-DES from the realm:
http://web.mit.edu/kerberos/krb5-1.11/doc/admin/advanced/retiring-des.html
There's also a document detailing the types of keys involved in a request
and how their enctypes are selected:
http://web.mit.edu/kerberos/krb5-1.11/doc/admin/enctypes.html
The second page also documents two new features relevant to this
discussion: a way to disable the formerly-implicit assumption that all
principals support des-cbc-crc, as well as a per-principal attribute to
control which enctypes are permissible for session keys in service tickets
for that principal. These features can be used to limit single-DES keys
to just the few legacy services such as AFS which require them.
-Ben Kaduk
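As an added illustration of the two krb5-1.11 features described above (this is not part of Ben's message or of the MIT documents he links), here is how the KDC-side settings fit together. The realm name EXAMPLE.ORG, the cell name example.org and the file location are assumptions for the example:

```ini
; kdc.conf on the KDC (realm name and paths are assumed for this example)
[kdcdefaults]
    ; New in krb5 1.11: stop assuming that every service principal can take a
    ; des-cbc-crc session key.  With this off, only principals that carry an
    ; explicit session_enctypes attribute listing des-cbc-crc will be issued
    ; tickets with a single-DES session key.
    des_crc_session_supported = false

[realms]
    EXAMPLE.ORG = {
        ; Default key enctypes for newly created or re-keyed principals
        ; (users, hosts, krbtgt): no weak enctypes at all.
        supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
    }
```

Then, in kadmin.local, give only the AFS service principal a single-DES long-term key and permit it a DES session key: `cpw -randkey -e des-cbc-crc:normal afs/example.org` followed by `setstr afs/example.org session_enctypes des-cbc-crc` (the salt type is an assumption here; use whatever your AFS servers expect). The KDC, and every aklog client, still needs `allow_weak_crypto = true` in the [libdefaults] section of krb5.conf, since that is the master switch permitting des-cbc-crc to be used at all; the settings above only narrow its use to the one principal that requires it.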
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info