Kodiak, I'm actually in the midst of this now. Our company is running a 'deprecated protocols' project, where they're trying to eliminate rc4 encryption, SNMPv1, v2c and a few other weak protocols I won't mention here.

For AD, that eventually means changing the LDAP attribute msDS-SupportedEncryptionTypes of the computer accounts to a value of 24 (i.e., AES256 and AES128 only). See: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/decrypting-the-selection-of-supported-kerberos-encryption-types/ba-p/1628797 for values of this LDAP attribute msDS-SupportedEncryptionTypes. Also, you have to ensure that any AD cross-domain trusts are not using rc4. (That bit us.)

For Linux servers, that means modifying the /etc/ssh/sshd_config file, the /etc/krb5.conf and maybe the /etc/krb5.conf.d/* files.

In RHEL8/9, the sshd ciphers are managed by the system-wide crypto-policies. See the man page for 'update-crypto-policies'. The details of how the ciphers are managed between RHEL8 and 9 differ in the back-end, but you probably don't care about that level of detail. In RHEL 6/7, you edit the /etc/ssh/sshd_config file and edit the 'Ciphers' line.

For sssd and kerberos, again in RHEL8/9 it is managed by the system-wide crypto policies. This sets up an /etc/krb5.conf.d/crypto-policies file (a symlink). It has 'permitted_enctypes'. For RHEL 6/7, as you state -- you set permitted_enctypes in /etc/krb5.conf or /etc/krb5.conf.d/*. These encryptions are tried in the order listed, so you put your strongest encryptions first (AES256). If you have an existing /etc/krb5.conf file with default_tkt_enctypes or default_tgs_enctypes, those settings are used preferentially over permitted_enctypes.

I'm not aware that the sssd.conf file specifies encryption types directly. At least in our company's sssd.conf files, it does not.

Spike White

On Wed, Mar 29, 2023 at 7:19 AM Kodiak Firesmith <firesm...@protonmail.com> wrote:
> Hi Folks,
>
> I'm nominally aware that the ability for adcli joins to honor custom enctypes became a thing around 2018, but I'm having a heck of a time finding guidance online for setting permitted enctypes so that keytabs don't create keys for DES and RC4.
>
> Our environment uses a mixture of SSSD 2.2.3, and 2.6.3, joining to MS Active Directory, which my Windows admins have said run MS Server 2019 with Active Directory 2016.
>
> I've been digging around on search engines and picking through various krb5 docs, and I think SSSD will refer to krb5.conf, and might be reading supported_enctypes or permitted_enctypes, but I'm not sure how to put it all together.
>
> Thanks very much!
> - Kodiak Firesmith
>
> Sent with Proton Mail <https://proton.me/> secure email.
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
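An added audit helper (not code from either poster) for the two checks the reply describes: decoding an msDS-SupportedEncryptionTypes value into enctype names (bit values from the Microsoft article linked above; 24 = AES128 + AES256), and scanning the [libdefaults] section of a krb5.conf for DES/RC4 or for AES256 not listed first, honouring the reply's note that default_tkt_enctypes/default_tgs_enctypes take precedence over permitted_enctypes. The sample krb5.conf and its realm are constructed placeholders.

```python
# Bit values of msDS-SupportedEncryptionTypes (from the Microsoft article linked above).
ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "rc4-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}
# krb5.conf spellings of the enctypes the deprecation project wants gone.
WEAK = {"des-cbc-crc", "des-cbc-md5", "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5"}

def decode_enctypes(value):
    """Enctype names enabled by an msDS-SupportedEncryptionTypes value; 24 -> AES128 + AES256."""
    return [name for bit, name in ENCTYPE_BITS.items() if value & bit]

def weak_ad_enctypes(value):
    """Weak enctypes a computer account still advertises (an empty list is the goal)."""
    return [n for n in decode_enctypes(value) if n in WEAK]

def libdefaults(conf_text):
    """Parse the key = value lines of the [libdefaults] section of a krb5.conf."""
    section, out = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):   # krb5.conf comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "libdefaults" and "=" in line:
            key, _, val = line.partition("=")
            out[key.strip()] = val.split()
    return out

def audit_krb5(conf_text):
    """Return (setting_that_applies, findings). default_tkt/default_tgs_enctypes are checked
    before permitted_enctypes because, per the reply, they take precedence when present."""
    settings = libdefaults(conf_text)
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        if key not in settings:
            continue
        enctypes, findings = settings[key], []
        weak = [e for e in enctypes if e in WEAK]
        if weak:
            findings.append(f"{key} still allows {', '.join(weak)}")
        if enctypes and not enctypes[0].startswith("aes256"):
            findings.append(f"{key} does not list AES256 first (got {enctypes[0]})")
        return key, findings
    return None, ["no enctype setting found in [libdefaults]"]

# Constructed sample: a RHEL 7-style krb5.conf that still permits RC4 and lists it first.
SAMPLE_KRB5_CONF = """
[libdefaults]
  default_realm = EXAMPLE.COM
  permitted_enctypes = rc4-hmac aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
[realms]
  EXAMPLE.COM = { kdc = dc1.example.com }
"""
```

Running `audit_krb5(SAMPLE_KRB5_CONF)` reports both that rc4-hmac is still permitted and that AES256 is not first; `weak_ad_enctypes(28)` shows a computer account that still has the RC4 bit set.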