[SSSD-users] Re: Is this still a security problem to be concerned about?

2021-03-23 Thread Sumit Bose
On Sun, Mar 21, 2021 at 08:06:46PM -0400, James Ralston wrote:
> On Sun, Mar 21, 2021 at 4:24 PM Spike White wrote:
> > If we limit our KRB5 encryption algorithms to only strong cyphers
> > (AES128 and AES256), would that thwart the above SSSD attack?
>
> No.
>
> The fundamental issue is

[SSSD-users] Re: Is this still a security problem to be concerned about?

2021-03-21 Thread James Ralston
On Sun, Mar 21, 2021 at 4:24 PM Spike White wrote:
> If we limit our KRB5 encryption algorithms to only strong cyphers
> (AES128 and AES256), would that thwart the above SSSD attack?

No.

The fundamental issue is this: if an attacker has compromised a Linux host, then the attacker has access to

[SSSD-users] Re: Is this still a security problem to be concerned about?

2021-03-21 Thread Spike White
Pawel,

Thank you for the detailed explanation.

I know for the "Kerb-roasting" hacking technique, if you avoid the weak KRB5 ciphers (3des-cbc, arcfour-hmac), that thwarts this attack. If we limit our KRB5 encryption algorithms to only strong ciphers (AES128 and AES256), would that thwart the
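Spike's question is about restricting Kerberos to AES enctypes. The following Python audit script is an added example, not code from this thread or from the SSSD project: it parses `klist -e` output and flags service tickets whose ticket enctype is RC4/arcfour, DES3 or single DES (the tickets an offline Kerberoasting attack can crack cheaply), and it scans the `[libdefaults]` section of a krb5.conf for weak enctype lists or `allow_weak_crypto = true`, showing a weak configuration beside a hardened one. The klist output, both configs, the hostnames and the principal names are constructed for illustration. As the replies above say, restricting enctypes answers the Kerberoasting question, not the SSSD host-compromise attack the thread is about.

```python
"""Audit Kerberos enctypes in `klist -e` output and krb5.conf [libdefaults].

Added example for the SSSD-users thread; not SSSD or MIT krb5 project code.
All sample data below is constructed.
"""
import re

# AES and Camellia families are treated as strong; arcfour/rc4, des3 and des are weak.
STRONG_PREFIXES = ("aes", "camellia")

# krb5.conf options whose value is a space-separated enctype list.
ENCTYPE_KEYS = ("permitted_enctypes", "default_tgs_enctypes", "default_tkt_enctypes")

# Line printed by `klist -e` under each ticket: session-key enctype, then ticket enctype.
ETYPE_RE = re.compile(r"^\s*Etype \(skey, tkt\):\s*(?P<skey>[^,]+),\s*(?P<tkt>\S+)")


def normalize(enctype):
    """Lower-case an enctype name and drop any 'DEPRECATED:' tag klist may prefix."""
    name = enctype.strip().lower()
    if name.startswith("deprecated:"):
        name = name[len("deprecated:"):]
    return name


def is_weak(enctype):
    """True for anything outside the AES/Camellia families (arcfour-hmac, des3-*, des-*)."""
    return not normalize(enctype).startswith(STRONG_PREFIXES)


def parse_klist(text):
    """Return (service_principal, skey_enctype, tkt_enctype) tuples from `klist -e` output."""
    tickets = []
    service = None
    for line in text.splitlines():
        # Ticket rows start at column 0 with a date; the service principal is the last token.
        if line and not line[0].isspace() and line[0].isdigit():
            service = line.split()[-1]
            continue
        m = ETYPE_RE.match(line)
        if m and service is not None:
            tickets.append((service, m.group("skey").strip(), m.group("tkt").strip()))
            service = None
    return tickets


def weak_tickets(text):
    """Tickets whose *ticket* enctype is weak: that is the blob an offline cracker attacks."""
    return [(svc, tkt) for svc, _skey, tkt in parse_klist(text) if is_weak(tkt)]


def libdefaults_findings(conf_text):
    """Map weak [libdefaults] options to the offending tokens; empty dict means clean."""
    findings = {}
    in_libdefaults = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # krb5.conf comments start with '#'
        if not line:
            continue
        if line.startswith("["):
            in_libdefaults = line.lower() == "[libdefaults]"
            continue
        if not in_libdefaults or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        key = key.lower()
        if key in ENCTYPE_KEYS:
            # The DEFAULT keyword expands to the library's default list; it is not an enctype.
            weak = [t for t in value.split() if t.upper() != "DEFAULT" and is_weak(t)]
            if weak:
                findings[key] = weak
        elif key == "allow_weak_crypto" and value.lower() in ("true", "yes", "1"):
            findings[key] = [value]
    return findings


# Constructed `klist -e` output: the TGT is AES, the MSSQL service ticket is RC4 (Kerberoastable).
SAMPLE_KLIST = """Ticket cache: KCM:1000
Default principal: spike@EXAMPLE.COM

Valid starting       Expires              Service principal
03/21/2021 16:10:02  03/22/2021 02:10:02  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 03/28/2021 16:10:02, Flags: FRIA
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
03/21/2021 16:12:40  03/22/2021 02:10:02  MSSQLSvc/db01.example.com:1433@EXAMPLE.COM
        renew until 03/28/2021 16:10:02, Flags: FAT
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, arcfour-hmac
"""

# Constructed weak krb5.conf: RC4 and DES3 still negotiable, weak crypto explicitly allowed.
WEAK_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = true
    default_tgs_enctypes = aes256-cts aes128-cts arcfour-hmac des3-hmac-sha1
    default_tkt_enctypes = aes256-cts aes128-cts arcfour-hmac des3-hmac-sha1
    permitted_enctypes = aes256-cts aes128-cts arcfour-hmac des3-hmac-sha1

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
    }
"""

# Constructed hardened krb5.conf: AES only, as Spike proposes above.
HARDENED_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""

if __name__ == "__main__":
    for svc, tkt in weak_tickets(SAMPLE_KLIST):
        print(f"WEAK ticket enctype {tkt} for {svc}")
    print("weak config findings:", libdefaults_findings(WEAK_CONF))
    print("hardened config findings:", libdefaults_findings(HARDENED_CONF))
```

Feed the script real data with `klist -e > tickets.txt` and the host's `/etc/krb5.conf`; a clean run reports no weak tickets and an empty findings dict. Keep in mind that the ticket enctype is chosen from what the KDC knows the service account supports, so a client-side `permitted_enctypes` list stops this client from accepting RC4 tickets but does not by itself change what the service account is configured to accept on the KDC side.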

[SSSD-users] Re: Is this still a security problem to be concerned about?

2021-03-20 Thread Pawel Polawski
Hi Spike,

The KCM module mentioned in the article was introduced in SSSD 1.15.3 [1]
Latest RHEL7 version is 7.9 with SSSD 1.16.5
Latest RHEL8 version is 8.3.0 with SSSD 2.3.0
Last RHEL7 version without KCM module implemented in SSSD was RHEL 7.3 with SSSD 1.14
RHEL8 uses KCM by default, where RHEL7