I updated our db and file servers and dropped in the new rxkad.keytab. Things appear to be working great! We updated all our linux machines and we are completely off single DES for those. Now onto Windows machines. Thanks for all the input!
On Tue, Jul 30, 2013 at 2:39 PM, John Sopko <[email protected]> wrote:
> Where is the session key for the afs/cell@REALM service principal
> derived from? If I remove the des-cbc-crc encryption type from both the
> afs/cell@REALM and the user principals will things still work without
> having to upgrade all clients to openafs 1.6.5?
>
> I would like to get rid of the single des key for the afs/cell@REALM
> service principal as described in the security advisory.
>
> I am running Red Hat 6.4 and MIT kerberos 1.10.3 that comes with rhel6.
> I have upgraded all my db and file servers to openafs 1.6.5 and things
> are working nicely (thanks everyone involved). Here is my config
> information.
>
> My /var/kerberos/krb5kdc/kdc.conf file has the following in it, this
> is the default from Red Hat:
>
> supported_enctypes = aes256-cts:normal aes128-cts:normal
> des3-hmac-sha1:normal arcfour-hmac:normal
> des-hmac-sha1:normal des-cbc-md5:normal
> des-cbc-crc:normal
>
> But when I create a user or a user changes their passwd they do not get
> the "des-cbc-crc" encryption type, for example kadmin for a user shows:
>
> Principal: [email protected]
> Number of keys: 6
> Key: vno 38, aes256-cts-hmac-sha1-96, no salt
> Key: vno 38, aes128-cts-hmac-sha1-96, no salt
> Key: vno 38, des3-cbc-sha1, no salt
> Key: vno 38, arcfour-hmac, no salt
> Key: vno 38, des-hmac-sha1, no salt
> Key: vno 38, des-cbc-md5, no salt
>
> Notice there is no des-cbc-crc encryption type for a user principal, I
> believe this is done on purpose. Note I also have the following set in the
> /etc/krb5.conf file.
>
> [libdefaults]
> allow_weak_crypto = true
>
> You can explicitly set des-cbc-crc in kadmin and of course I had to do that
> for the afs principal:
>
> Principal: afs/[email protected]
> Key: vno 10, des-cbc-crc, no salt
>
> Using MIT "klist -e" command to show the encryption types while logged
> in shows:
>
> Valid starting     Expires            Service principal
> 07/30/13 14:16:12  07/31/13 14:16:12  krbtgt/[email protected]
>         renew until 07/31/13 14:16:12, Etype (skey, tkt):
> des3-cbc-sha1, des3-cbc-sha1
> 07/30/13 14:16:12  07/31/13 14:16:12  afs/[email protected]
>         renew until 07/31/13 14:16:12, Etype (skey, tkt): des-cbc-crc,
> des-cbc-crc
>
> So currently the skey (session key) and tkt key for afs/cs.unc.edu
> is des-cbc-crc.
>
> So if I re-key afs/cs.unc.edu service principal to NOT USE des-cbc-crc
> my understanding is you still need a des-cbc-crc session key unless
> you upgrade all clients which is not feasible at this time. Will I be
> ok without a des-cbc-crc key for the user and the service principal?
> Can I also remove the des-cbc-md5:normal des-hmac-sha1:normal assuming
> no other service is using it (my guess is yes)? Thanks for your input.
>
> --
> John W. Sopko Jr.          University of North Carolina
> email: sopko AT cs.unc.edu  Computer Science Dept., CB 3175
> Phone: 919-590-6144         Fred Brooks Building; Room 140
>                             Chapel Hill, NC 27599-3175

--
John W. Sopko Jr.          University of North Carolina
email: sopko AT cs.unc.edu  Computer Science Dept., CB 3175
Phone: 919-590-6144         Fred Brooks Building; Room 140
                            Chapel Hill, NC 27599-3175

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
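The thread checks for leftover single-DES keys by eyeballing `kadmin getprinc` and `klist -e` output. The following POSIX shell script is an added example, not code from this thread, from OpenAFS or from MIT Kerberos: it parses output shaped like the two excerpts quoted above and reports every principal key and every ticket (session key or ticket key) that still uses a single-DES enctype, while leaving des3-cbc-sha1 alone, since that is triple DES. The embedded sample output and the principal names user@REALM and afs/cell@REALM are constructed placeholders; in practice you would pipe in the real `kadmin -q "getprinc ..."` or `klist -e` output instead.

```shell
#!/bin/sh
# Added example (not from the thread): find single-DES enctypes in
# "kadmin getprinc" and "klist -e" output after a cell has been re-keyed.

# Single-DES enctype names as MIT Kerberos prints them. des3-cbc-sha1 is
# triple DES and is deliberately not matched (it starts with "des3-", not "des-").
SINGLE_DES_RE='des-(cbc-(crc|md4|md5)|hmac-sha1)'

# Print "<principal> <enctype>" for every single-DES key in getprinc output.
# Key lines look like: "Key: vno 38, des-cbc-md5, no salt"
weak_keys_in_getprinc() {
    awk -v re="$SINGLE_DES_RE" '
        /^Principal:/ { princ = $2 }
        /^Key: vno/ {
            etype = $4; sub(/,$/, "", etype)      # strip trailing comma
            if (etype ~ ("^" re "$")) print princ, etype
        }'
}

# Print "<service principal> <skey> <tkt>" for every ticket in "klist -e"
# output whose session key or ticket key is single DES.
# Ticket lines look like: "07/30/13 14:16:12  07/31/13 14:16:12  afs/cell@REALM"
# followed by "  renew until ..., Etype (skey, tkt): des-cbc-crc, des-cbc-crc"
weak_tickets_in_klist() {
    awk -v re="$SINGLE_DES_RE" '
        /^[0-9][0-9]\/[0-9][0-9]\/[0-9][0-9] / { svc = $NF }
        /Etype \(skey, tkt\):/ {
            split(substr($0, index($0, "tkt):") + 5), parts, ",")
            skey = parts[1]; tkt = parts[2]
            gsub(/ /, "", skey); gsub(/ /, "", tkt)
            if (skey ~ ("^" re "$") || tkt ~ ("^" re "$")) print svc, skey, tkt
        }'
}

# Constructed sample output (placeholder principals), shaped like the thread's excerpts.
SAMPLE_GETPRINC='Principal: user@REALM
Number of keys: 6
Key: vno 38, aes256-cts-hmac-sha1-96, no salt
Key: vno 38, aes128-cts-hmac-sha1-96, no salt
Key: vno 38, des3-cbc-sha1, no salt
Key: vno 38, arcfour-hmac, no salt
Key: vno 38, des-hmac-sha1, no salt
Key: vno 38, des-cbc-md5, no salt
Principal: afs/cell@REALM
Number of keys: 1
Key: vno 10, des-cbc-crc, no salt'

SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@REALM

Valid starting     Expires            Service principal
07/30/13 14:16:12  07/31/13 14:16:12  krbtgt/REALM@REALM
        renew until 07/31/13 14:16:12, Etype (skey, tkt): des3-cbc-sha1, des3-cbc-sha1
07/30/13 14:16:12  07/31/13 14:16:12  afs/cell@REALM
        renew until 07/31/13 14:16:12, Etype (skey, tkt): des-cbc-crc, des-cbc-crc'

# Run both checks on the constructed samples; an empty result from both means
# no single-DES keys or session keys are left for the principals examined.
printf '%s\n' "$SAMPLE_GETPRINC" | weak_keys_in_getprinc
printf '%s\n' "$SAMPLE_KLIST" | weak_tickets_in_klist
```

On the sample data the first check lists the user principal's des-hmac-sha1 and des-cbc-md5 keys and the AFS principal's des-cbc-crc key, and the second check lists only the afs/cell@REALM ticket, matching what the thread observed: the krbtgt ticket is already triple DES while the AFS service ticket is still single DES. Running the same two checks after re-keying and after clients have been upgraded shows whether anything single-DES remains.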
